How To: Building a dual-head 4K PC

So my home PC, which is a daily ‘beater’ PC, was just over its 3 year anniversary mark. It’s a SandyBridge PC, and has served me well. While I wasn’t seeing any real performance issues (I’m not a gamer), I figured it was a good time to spec out a new PC and get all the latest goodies like NVMe, USB 3.1, ThunderBolt 3, 4K graphics, etc. In the past year I upgraded my home theater to 4K, so figured it was about time to do the same for my workstation.

[Update: Found the missing piece of the puzzle today.] Unfortunately not all the pieces are perfectly in place for a future-proof 4K workstation, but I’ll cover that a bit later and tell you what I’m waiting on. Note, this is NOT a gaming rig nor do I care about overclocking. Think of this as a state-of-the-art desktop PC for office work, photography, watching 4K YouTube videos, etc. Power was also a concern, as well as being super quiet. If you want to read all about the Skylake processors and Z170 chipset, check out Anand’s article here.

I found this great website called PCPartPicker that lets you build a system, get an estimated cost, and does compatibility checks. You can find the full parts list for this build here. It also estimates system power, and my configuration comes out to 169w. It also lists the website with the lowest price and a very cool price history feature.

Researching this build I learned more about display protocols, chipsets, and HD copy protection than I ever wanted to know. This is a complicated field. Put on your thinking cap! If you aren’t in a hurry for a new PC but are thinking early 2017 you will upgrade, then watch out for the Kaby Lake CPUs and 200 series chipsets. These provide minor tweaks over the Skylake and Z170 series chipset.

Processor

First up, I had to choose the processor. I wanted the latest Intel offering (Skylake), but still stay within a reasonable budget. Intel does an amazing job with their ARK pages where you can quickly see processor specs, list prices, and features. So I wandered over to the 6th Generation Intel Core i7 Processor list. A quad core processor with hyperthreading is all I need, so I had a few choices. I chose the i7-6700 which was released in late 2015. It’s a 14nm process, 4 cores, 8 threads, a 3.4GHz base frequency and just 65w TDP. It also has Intel HD Graphics 530 built in, which supports 4K @ 60Hz. You can pick it up from Amazon for $298.

If you want to constrain your budget a bit, the i5-6600k is an excellent choice, with real world performance nearly that of the i7 big brother. It’s about $50 cheaper at $242 from Amazon. This processor is unlocked, meaning you have an easy time overclocking if you are into that.

Motherboard

Now that I have chosen a processor, the next major component is the motherboard. For this, I had a few requirements which eliminated 99% of the shipping boards. First, for full future compatibility, I wanted HDMI 2.0 and HDCP 2.2. HDMI 2.0 enables 4K at 60Hz, which the i7-6700 supports. While HDCP isn’t a show stopper for a workstation, if you ever want to play UHD content on your PC it will be required. I also wanted the fastest possible flash storage, and that would be NVMe M.2 (or U.2) x4 support. This interface far exceeds SATA III, at 32Gb/s (vs. 6Gbps)! SATA SSDs are now old school and “slow”.

So after extensive research, only two motherboards met these requirements: the Gigabyte GA-Z170X-Gaming 7 and the Asus Z170-Deluxe. The Asus option was the most expensive, around $300, and had built-in WiFi. My house has wired Gig-E, so I didn’t need WiFi. The Gigabyte option was around $200, didn’t have WiFi, but had better audio and met all my other requirements. It also has USB 3.1 and Thunderbolt 3 (click here for all the advantages of Gigabyte’s usage of Intel’s Alpine Ridge chip). I called Gigabyte tech support, and they confirmed it will support dual 4K @ 60Hz (with HDCP 2.2 via HDMI) displays using the Intel Iris graphics.

Other articles I’ve read said the Skylake processors can drive 2x 4K @ 60Hz monitors, so the Gigabyte support agent was right. If you want to get geeky, you can check out the spec sheet of the HDMI bridge chip here, which clearly states 4K @ 60Hz and HDCP 2.2. The motherboard only supports DP 1.2a, which does not have HDCP 2.2. Even the Kaby Lake chipset (due out this year) is rumored to only support DP 1.2a. We will likely have to wait until Cannon Lake in 2017 for a supporting chipset. So should you want to connect this MB to a TV for 4K gaming/UHD content, only use the HDMI port. We will need to wait for a DP 1.3 MB to get HDCP 2.2 via DP…in late 2017. There is a DisplayPort 1.2 to HDMI 2.0 w/ HDCP 2.2 dongle that you can buy. That would HDCP 2.2 enable dual monitors. You can find the Club-3D dongle specs here and buy it on Amazon for $29. You can pick up the Gigabyte board from Amazon for $195.

(Graphic from Anandtech omitted.)

Note: Gigabyte has a number of firmware updates that you need to apply, including one each for HDMI 2.0 and Thunderbolt 3, along with a BIOS update. You can find the updates here. If you are super concerned about security, you can add a TPM 2.0 module.

If you disagree with using the built-in Intel Iris graphics, then you will need to buy a third party PCIe graphics card. But, according to Intel, the Skylake GPUs will beat 80% of the discrete video cards on the market. So unless you are a hardcore gamer, try the integrated graphics first. Unfortunately, we are in a time of flux and finding a discrete video card that supports HDMI 2.0 and HDCP 2.2 is nearly impossible. I did see it mentioned that the GTX-960 does have HDMI 2.0 and HDCP 2.2. I’m sure later this year it will be much more common. So if you can live with the Intel graphics for now, I would wait and get a new graphics card later this year, or validate that it does support HDCP 2.2. The GTX-960s seem to start at $190 and go up from there. You can see an example on Newegg, where it does call out HDMI 2.0 support. This article claims it has HDCP 2.2 support. But a post here says HDCP 2.2 isn’t yet enabled/functional. Who is right? I don’t know.

This MB has significantly upgraded audio via the Creative Sound Core3D quad-core processor. This should provide improved audio over the ever present cheap Realtek chips. However, this MB also has dedicated USB DAC ports (two of them) for use with a USB DAC. The Verge has a good write-up on various DAC options that run around $100. Personally I’m sticking with the built-in audio.

Memory

Next up was memory. My old PC has DDR3, but that’s been eclipsed by DDR4. Corsair is a good brand, so I looked through their options for a 16GB kit (2x8GB). The Vengeance LPX line is their high performance memory, and has built-in heat spreaders. It also has a lifetime warranty, which is great. I settled on the Vengeance LPX 3200MHz C16 kit. On Amazon it’s just $70 for 16GB, which is a great price. The motherboard has 4 DIMM slots, so you could bump it up to 32GB if you needed the memory.

Flash Storage

Next up was flash storage for my boot drive. As I previously mentioned, SATA III SSDs are slow and bottlenecked by the old 6Gbps interface. If you truly want the best storage today, it’s NVMe. The various options can be a bit confusing, so let me quickly cover those. NVMe is fastest when used with a PCIe Gen3 x4 interface. You can use either the M.2 connector, which lets you mount the NVMe module directly to the motherboard, or the U.2 connector. The U.2 module fits into the same M.2 slot, but allows you to plug in a U.2 cable to an externally mounted NVMe drive such as the Intel 750 series. The Gigabyte motherboard comes with dual PCIe Gen3 x4 M.2 connectors, so I wanted an NVMe solution to match. I decided on the Samsung 950 Pro 512GB. You can buy it from Amazon for $316. Yes it does cost more per GB than a SATA III SSD, but it has 5x the bandwidth. Plus you don’t have to deal with cables and mounting a 2.5″ drive in your chassis. Samsung offers a 256GB version for $177 if that is more appealing.

Build note: Install this NVMe module on the bottom M.2 connector, so it uses fewer SATA PCIe lanes. If you want to go hog wild and get dual NVMe modules, you lose all but SATA_5 on the Intel SATA controller. But there’s an additional SATA controller which gives you two more SATA ports. I also read one customer removed the sticker and placed tiny heat sinks on each memory module. You can find those here.

CPU Cooler

Now, I wanted to find a super quiet CPU cooler. I will be sitting next to this box, so the last thing I want is a noisy PC. Noctua is a stellar brand in the CPU cooling and case fan world, so I went and checked out their products. I wasn’t planning on overclocking, so I didn’t need anything too crazy or something like water cooling. I also wanted to make sure it wouldn’t interfere with the DIMM slots or PCIe cards. Noctua’s 6 year warranty was also appealing. I decided to get the Noctua NH-U9S. It met all my requirements, had stellar reviews, and is nearly silent in operation. You can find it on Amazon for $58.

Case

One of the final pieces is the case. Cases are very personal, and people have strong opinions. For me, I really don’t care. I don’t need clear sides, fancy lights, or a lot of storage bays. Given the size of the CPU fan, I could not use a super slim HTPC style case. So a mid-tower case it was, and I wanted something quiet. It should also support USB 3.0 ports, which really is standard these days. I stumbled upon the Corsair Carbide Series 330R Quiet mid-tower case. I liked the fact that it has noise reducing damping material, smart airflow, lots of fan options, tool free disk drive installation, and looked very clean. It can be had on Amazon for $103. Do take note that it does NOT come with a power supply, so this case is more expensive than some that come with (crappy) power supplies. Reviews did mention the front case fan wasn’t silent, so I picked up the Noctua NF-A14 PWM fan, which I’ve read is nearly silent. It’s on Amazon for $22.

Power Supply

Because the case doesn’t come with a power supply, it was time to do a little research. For maximum efficiency, you don’t want to get a PS that is rated vastly above what you will be drawing. You also want to look for near silent (or totally silent) operation. Modular power supplies are also great, which avoids having to bunch up a lot of cables in your case, making for a messy installation or interfering with airflow. I’ve had excellent past experience with Seasonic, but I also knew Corsair was a solid choice. I did not want to spend a bundle, since this is not a high wattage gaming rig. But I do value quality and features. I settled on the Corsair RMi Series, which comes with some unique monitoring software that is fed via a USB cable to the power supply. I wanted the lowest wattage version, which unfortunately was a beefy 650 watts. So I’ll be running on the low end of the efficiency scale. But it does feature a fanless mode, if the power draw is sufficiently low. You can find it on Amazon for $120. Yes, you can most certainly find cheaper solutions (like a SeaSonic S12II-430 for half the price). So feel free to spend less. But I like quality, and the monitoring software, as gimmicky as it may be, tipped me over the edge.

4K Monitors

Update 5/26/2016: After more intense research, I found the LG 27UD88-W that supports HDMI 2.0 and HDCP 2.2. And it even has a USB 3.0 type-c connector on it as well. It retails for $699. You can buy it from Amazon for $668.

—–

Here’s where the rubber meets the road, and quite frankly, I ran into a show stopper here. The problem is HDCP 2.2, or should I say, the lack of support. After extensive googling and research, I came to the conclusion that no 24″ or 27″ 4K monitor exists with HDCP 2.2 as of today. There is the 32″ Dell UP3216Q monitor that advertises HDMI 2.0 and HDCP 2.2. It’s a pricey $1,400. A 27″ Viewsonic option has HDCP 2.1, but that’s not good enough for 4K. And it’s also hard to find HDMI 2.0 on 4K monitors, but not impossible. So, at this point in time I’m sticking with my old 24″ Dell 1080P monitors and will monitor (har har) the market. It’s a sure bet that 27″ HDMI 2.0 and HDCP 2.2 4K monitors will ship, the question is just when. Monitors can last a good 5 years or more, and the good 4K monitors can run north of $700. So I want to get something that will last 5+ years. If you are truly dying for 4K and don’t care about HDCP 2.2, then the 27″ Viewsonic VP2780-4k is my top recommendation. Street price can be had for around $700. There are cheaper 4K options, but a big hobby of mine is photography so accurate colors are a must. The Viewsonic model looks better on paper (with HDMI 2.0) and better than the cheaper Dell options. YMMV.

[See Update above] For a quick recap, keep your eye out for a new generation of 24″ and 27″ monitors that supports HDMI 2.0 with HDCP 2.2, at least DisplayPort 1.2a (but prefer DP 1.3 for HDCP 2.2 compliance).

Mass Storage

If you are in the market for quality mass storage, check out the HGST Deskstar NAS lineup at Amazon. You can get a 4TB 7.2K SATA drive for $164. HGST got the highest reliability marks in a BackBlaze blog post you can read here. If you want the enterprise grade SATA drive the 4TB “ISE” model runs $275 at Amazon. It has twice the MTBF of the consumer NAS drive.

Summary

I tried to balance quality, performance, price, while meeting my requirements in a solid workstation. The total price without tax and shipping comes in around $1,200. Yes, you could shave off some $$ by going with cheaper/slower parts. I also left out spinning HDD and optical media. I was thinking of a UHD/4K Blu-ray drive, but decided against it. First, we are too early in the UHD uptake to see any real drive options (a quick search didn’t turn any up). Second, I’m not planning on viewing UHD movies on my PC. That’s why I have a 4K home theater. Even UHD Blu-ray players are scarce, with Samsung being the primary option. Later this year I’ll re-investigate 4K monitors and hopefully the market will have a few HDMI 2.0/HDCP 2.2 options. Remember, only the HDMI port supports HDCP 2.2, so if you connect this MB to a 4K TV, use the HDMI port.

After I get all of the parts and assemble it, I’ll update this post with any gotchas. So if you are thinking about buying these parts, you might want to wait a few weeks until I can fully test the system with Windows 10 x64. It should work just fine, though. Remember that the free upgrade to Windows 10 expires on July 29th. So I plan on loading this PC with my old copy of Windows 8.1, activate, then upgrade to Windows 10. I could use the free Samsung utility to drive copy my old Windows 10 SSD to the NVMe drive, but then Windows will become deactivated and I’ve seen accounts of Microsoft refusing re-activating and telling customers they need to buy a copy.

Do take note that Amazon will cover return postage of any DOA item, unlike many other retailers like NewEgg. So if you have the choice between Amazon and say NewEgg, lean towards Amazon.

Goodbye vSphere C# Client

So for as long as I’ve been using VMware, the Windows C# client has been a staple of my workflow. Even when VMware started transitioning to the icky Flash based interface, I know many MANY people still used the C# client. Between dodgy performance, reliance on Flash (and all its security problems), re-jiggered UI, difficulty in finding objects, no VUM interface, etc., the Flash based interface went over like a lead balloon in the vSphere community. To VMware’s credit they did make improvements over the years, but it was still Flash based and slow.

Today VMware is announcing that in their upcoming release of vSphere, the Windows C# client will no longer be offered. Yes, after years of warning us about the client going away, it is now dead. Buried, and one for the history books.

Now you ask, what will it be replaced with? Yes, they will now offer a full HTML5 client. A while back VMware released an HTML5 ‘fling’ (which is unsupported for production usage) for embedded host management. Frankly I’ve been too busy to try it, plus customers can’t use it in production. Although it does appear to have made it into vSphere 6.0 U2.

Other enterprise products have had HTML5 interfaces for years (e.g. Nutanix), and I’m so glad I can stop installing Flash on servers. So I do welcome this change in VMware management. But the proof will be in the pudding, on how well they implement it. Will it be performant? Will it be intuitive? Can we manage VUM, SRM, and third party products? How about third party plug-ins that still rely on Flash? Only time will tell how these are addressed. I was on the vExpert call earlier this week that VMware hosted, and the community was very concerned about the usability and knowing which plug-ins will or won’t work.

I welcome the change, but only time will tell how well VMware can execute. As a side note, Nutanix never has had a vCenter plug-in. We have a comprehensive HTML5 interface called PRISM that manages our HCI solution. So unlike other vendors, you won’t have to play a waiting game with vSphere .Next and wait for any updated Nutanix plug-in. Once our QA tests vSphere v.Next and we whitelist the ISO, you will be good to go.

vSphere 6.0 Toolkit Update

In my new role at Nutanix I’ve had the pleasure of working with end customers, and configuring their vSphere 6.0 environment. During this process, SSL certificates have come up. Surprisingly, thus far my clients have chosen the VMCA method of deploying certificates. This is great, as it automates certificate deployments in a vSphere 6.0 environment. Even with the VMware certificate tools, there are some manual steps for configuring the VMCA. My vSphere 6.0 toolkit automates most of those steps.

However, while going through the process we stumbled upon a slight bug in my Toolkit when using an intermediate certificate authority. I’ve since fixed that bug, and uploaded the latest vSphere 6.0 SSL Toolkit here.

I’ve been exceptionally busy the last few months, which is why blogging and updating the Toolkit script has taken a back seat. But I did want to get this script update pushed out so other customers don’t run into VMCA problems.

If you are unfamiliar with my vSphere 6.0 SSL Toolkit, then read up on my full vSphere 6.0 installation series here.

VMworld 2015 Thoughts

So literally just a few minutes ago I landed in San Diego, back from another long week at VMworld. This was particularly long, as on the Saturday before all the festivities there was a VCDX town hall meeting. There, we got to meet Pat Gelsinger (CEO) and a number of VMware CTOs. It was a very interactive session, mostly Q&A with questions from the attending VCDXs. Unfortunately a mass closure of the 101 prevented or delayed some coming down from SF. I think the town hall was fun, and I hope it becomes a regular part of VMworld. A big thanks to the organizers!

Sunday was also quite busy. First, it started out with breakfast at Mel’s. Apparently I wasn’t social enough, as I got seated at the bar and didn’t really talk to anyone. So I didn’t get much out of that. I did run into several friends right outside of Mel’s as I was leaving. The whole afternoon was three one-hour presentations at Opening Acts. These were panel discussions with well known people, about various topics such as storage, careers, and infrastructure. No blog posts about those, since transcribing real time panels is beyond difficult unless you are a pro court reporter. You can find the session list and speakers here. If you want to check out the videos, find them on YouTube here.

Sunday night started ‘party central’ at VMworld. I spent most of the time at the Nutanix party, mingling with our plethora of VCDXs, execs, customers, and partners. Great time! I wanted to make it to #VMunderground party at 8PM, but sadly didn’t make it over there. Next year!

Monday morning started off bright and early at 8am with a session about vCenter Server Appliance, and how it should be your first choice. Next up was the general session. To be frank, I was a bit disappointed at the general sessions lately. No ‘big bang’ or ‘wow’ announcements from VMware. vSphere 6.0 was old news (released in March 2015), and they didn’t talk much about vSphere v.Next. They did emphasize containers, hybrid clouds, cloud native apps, and EUC. One of my favorite VMware execs, Kit Colbert, made a great appearance. I really respect that guy! You can find recordings of all general sessions here.

The remainder of the day was spent attending sessions. You can find real time blog posts of nearly all the sessions I attended if you select the VMworld 2015 filter on the right side of my blog. Monday night was also party central. Frankly I’ve forgotten which parties I attended, but it was fun mingling with fellow geeks, getting recognized, and talking to blog fans.

Tuesday was more of the same, with an early general session, and a bunch more technical sessions. Of course more parties at night! Too much of a blur to recount where all I went. Nutanix also had a dinner that I attended, after which I headed to the vExpert/VCDX party sponsored by VMware.

Wednesday I was disappointed I was unable to attend the annual breakfast with Calvin from HP at Sears, due to a Nutanix session at 8AM. That was a great panel discussion with 3 customers and Josh Odgers, talking about their real world experiences with the Nutanix platform. I actually did transcribe most of that session, which you can find here. I did attend a session on vSphere certificates, which I found quite interesting. Certificates in vSphere 6.0 are quite different from prior versions, and for the better. Wednesday night I attended a customer dinner, then headed straight to the VMworld party.

Thursday was a little bit slower, as it was the final conference day. The general session was very interesting. Surprisingly one of the “TED” style talks involved dunking a live cockroach in cold water, snipping off its leg (while it was alive), and doing some demos with it. I hope PETA doesn’t get wind of that session. They left the cockroach in the cold water, so RIP #VMworld cockroach. Three very interesting talks, which you can check out on the video link above. The remainder of the day was technical sessions. Then I ran off to the airport, where I ran into Forbes Guthrie and we had a nice 90 minute chat.

The best part of VMworld is the community. Between vBrownbag, blog fans, meeting other bloggers, talking to book authors, networking, meeting Nutanix customers, etc. it’s a great event even if the announcements were a bit ‘ho hum’.

VMware was very cagey about what’s coming in the next major version of vSphere, due out in 2016. One advance forward is built-in vCenter HA through an active/passive configuration. They will also eliminate the need for a 3rd party load balancer for PSCs, and build in native PSC HA. All good news! vCenter still needs a major overhaul to make it web scale active/active scale out, plus a full HTML5 interface (which they did commit to, but timing sounded like a couple of major versions away).

They did leak some info about 6.0 U1, which is due out in Q3. It will have some nifty features like a GUI for the PSC and certificate management, ability to move from an embedded PSC to external PSC, and other usability enhancements. Finally support for SQL 2012 Always on Availability groups for vCenter!

I didn’t attend many sessions on other VMware products like the vRealize suite or NSX, so those upcoming versions may also have some nifty new features. Containers, hybrid cloud and big data were also hot topics, but didn’t have time to attend those sessions.

I still can’t get over the great community at VMworld, and meeting a lot of great people. I had a blast, and look forward to VMworld 2016 in Las Vegas.

VMworld 2015: vSphere 6.0 in the Real World

Session INF4712

Compatibility Maximums – Review the document and stay within the guidelines.

vCenter 6 Platform choice: Windows and VCSA support same maximums and performance

  • Up to you, but look at things like Linux experience, licensing, existing skills, etc.

vCenter – New deployment architecture

  • PSC – SSO, License service, lookup service, vmdir, VMCA
  • vCenter – web client, inventory service, auto deploy, ESXi dump collector, syslog collector, etc.

PSC – Which architecture?

  • Embedded: Single site, no expansion past one vCenter
  • External: Supports up to 4 vCenters. HA mode is much more complex (3rd party load balancer)
  • Multiple sites – PSCs in each site, and replicate with each other.
  • Max size: 6 PSCs, 3 sites, 10 vCenters
  • Once a deployment model is chosen, you can’t change it in 6.0. U1 will allow changes.

VMware Certificate Authority – Favorite feature.

  • VMCA removes a lot of the certificate complexity
  • No longer uses self signed certificates
  • Built into the PSC
  • VMCA: should you use it? Yes.
  • See KB 2111219 or my vSphere 6.0 install guide here

Standard vs. Distributed Switches

  • Always use VDS if you are licensed for it
  • Many of the past issues with VDS are now no longer an issue

VSAN and VVOLS

  • Policy based storage management
  • Not all vSphere hardware is supported. Carefully check HCLs.
  • Learning curve for operational procedures and recovery
  • May require new hardware purchase

SMP Fault Tolerance

  • Long awaited SMP support (up to 4 vCPU)
  • Basically a continuous vMotion that only stops when there’s a hardware failure
  • 10Gb NIC requirement
  • Max 4 FT VMs per host

Content Library

  • New to vSphere 6.0
  • Storage for templates, appliances, ISOs, scripts, etc.
  • Should you use it? Definitely

VMworld 2015: Certificates for Mere Mortals

Session INF4529

Note: Although not mentioned in this session, I have a SSL toolkit for vSphere 6.0 which makes the replacement process easier. Check out my vSphere 6.0 install guide here for all the details.

Certificate Lifecycle Management

  • VMCA: VMware certificate authority
  • VECS: VMware Endpoint Certificate store

VMCA

  • Dual Operational modes: Root CA and Issuer CA
  • Root CA: Automated, can issue other certs, all solutions and endpoint certificates are created and trusted to this root cert
  • Issuer CA: Can replace all default root CA certificate created during installation. Basically subordinate CA to your enterprise CA.

VECS

  • Repository for certificates and private keys
  • Mandatory component
  • Key stores: machine SSL certs, trusted roots, CRLs, solution users, others (e.g. VVOLS).
  • Managed through vecs-cli
  • Does not manage SSO certificates

vSphere 6.0 Certificate Types

  • ESXi certificates – autogenerated post-install. New modes in 6.0, one of which can use VMCA certs. Can renew in webclient.
  • Machine SSL certificates – Creates server-side SSL (HTTPS, LDAP, etc.). Each node has its own machine SSL certificate.
  • Solution User certificates – Machine, vpxd, vpxd-extension, vsphere-webclient. Encapsulates one or more vCenter services.
  • Single-sign-on: Not stored in VECS. Stored in filesystem. STS certificate. Renew/update via GUI, not filesystem replacement.

Certificate Replacement Options

  • VMCA as root. Easiest deployment option.
  • VMCA as Enterprise CA subordinate – VMCA will issue certs on behalf of your enterprise CA
  • Custom CA – Only use custom certs all around. Not recommended except for Gov’t/Financial.
  • Hybrid – User facing certs replace, then let VMCA manage solution user and ESXi certs.

VMware vSphere 6.0 Certificate Manager

  • Available on both Windows and VCSA
  • Menu driven (GUI in 6.0 U1)

VMCA as Subordinate

  • RSA with 2048 bits
  • X.509 v3
  • SHA256, 384 or 512
  • No wildcards in SubjectAltName
  • Cannot create subsidiary CAs of VMCA
  • Sync time for all nodes

Session videos, slides and scripts: http://vmware.com/go/inf4529
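The "VMCA as Subordinate" bullets above are a checklist that is easy to get wrong when an enterprise PKI team hands over an issuing CA certificate, and a bad certificate only shows up as a failed replacement later. The script below is an added example written for this post, not part of the blog's vSphere 6.0 SSL Toolkit or any VMware tool; it loads a certificate file from a path you supply (the `C:\certs\vmca-subca.cer` path in the usage line is a placeholder) and reports which of the listed constraints it violates: X.509 v3, RSA of at least 2048 bits, SHA-256/384/512 signature, BasicConstraints marking it as a CA, no wildcard in SubjectAltName, and a validity window that contains the current time (the "sync time for all nodes" bullet). Because the certificates session later on notes that VMware services do no revocation checking, the script deliberately makes no CRL or OCSP call; revocation has to be handled by rotating the certificate in the VMCA, not by relying on the services to notice.

```powershell
# Added example for this post (not from the blog's toolkit or from VMware).
# Checks a candidate VMCA issuing-CA certificate against the constraints listed in the
# session notes. Relies on the Windows CryptoAPI text formatting of the SAN extension.
function Test-VmcaSubordinateCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,       # PEM or DER certificate file
        [int]$MinRsaBits = 2048,                            # session notes: RSA with 2048 bits
        [string[]]$AllowedHashes = @('sha256', 'sha384', 'sha512')
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $findings = New-Object System.Collections.Generic.List[string]

    # X.509 v3 is required because the checks below depend on v3 extensions
    if ($cert.Version -ne 3) {
        $findings.Add("Certificate is X.509 v$($cert.Version); v3 is required")
    }

    # Key type and size: must be RSA with a modulus of at least $MinRsaBits
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = $null
    if ($null -eq $rsa) {
        $findings.Add("Public key is not RSA (got $($cert.PublicKey.Oid.FriendlyName))")
    } else {
        $keyBits = $rsa.KeySize
        if ($keyBits -lt $MinRsaBits) {
            $findings.Add("RSA key is $keyBits bits; at least $MinRsaBits required")
        }
    }

    # Signature hash: FriendlyName looks like 'sha256RSA'; SHA-1 signatures are rejected here
    $sigName = $cert.SignatureAlgorithm.FriendlyName
    $hash = ($sigName -replace 'RSA$', '').ToLowerInvariant()
    if ($AllowedHashes -notcontains $hash) {
        $findings.Add("Signature algorithm '$sigName' is not one of: $($AllowedHashes -join ', ')")
    }

    # It must be a CA (BasicConstraints CA=TRUE) or the VMCA cannot issue machine/solution-user certs with it
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($null -eq $bc -or -not $bc.CertificateAuthority) {
        $findings.Add('BasicConstraints does not mark this certificate as a CA')
    }

    # No wildcards in SubjectAltName (OID 2.5.29.17)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -ne $san) {
        $sanText = $san.Format($false)
        if ($sanText -match '\*') {
            $findings.Add("SubjectAltName contains a wildcard: $sanText")
        }
    }

    # Validity window against this node's clock; skew between nodes shows up here first
    $now = Get-Date
    if ($cert.NotBefore -gt $now) { $findings.Add("Not yet valid: NotBefore is $($cert.NotBefore)") }
    if ($cert.NotAfter  -lt $now) { $findings.Add("Expired: NotAfter is $($cert.NotAfter)") }

    [PSCustomObject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        KeyBits  = $keyBits
        SigAlg   = $sigName
        NotAfter = $cert.NotAfter
        Pass     = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage (placeholder path): run before handing the file to the certificate manager utility
Test-VmcaSubordinateCert -Path 'C:\certs\vmca-subca.cer' | Format-List
```

Run it on the PSC or on the admin workstation where the PEM/DER file lands; a `Pass` of `$false` with the `Findings` list tells you what to send back to the PKI team before you start the replacement, which is cheaper than discovering the problem halfway through a certificate-manager run.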


VMworld 2015: vCenter Server HA

Session INF4945

Why is vCenter HA important?

  • Primary administrative console
  • Critical component in end-to-end cloud provisioning
  • Foundation for VDI
  • Backup and DR solutions rely on vCenter
  • vCenter target availability is 99.99% from VMware’s design perspective (5 min a month)


Make every layer of the vCenter stack HA

  • vCenter DB
  • Host
  • SAN
  • Network
  • DC power and cooling

Reduce dependencies to improve nines

  • In moving from 5.1 and 5.5 to 6.0 you see a consolidation of vCenter services into VMs (e.g. just PSC and vCenter in 6.0)
  • vCenter 5.5 U3 supports SQL AAGs
  • vCenter 6.0 U1 supports SQL AAGs

Hardware/Host Failure protection: vSphere HA

  • Tried and tested solution
  • Protects against hardware failures
  • Some downtime for failover
  • Easy to setup and manage
  • DRS rules can be leveraged
  • High restart priority for vCenter components

Hardware/host failure protection: vSphere FT

  • Continuous availability with zero downtime and no data loss
  • vCenter tested with FT for 4 vCPUs or less (only the ‘tiny’ and ‘small’ deployments fit)
  • About 20% overhead
  • Downtime during guest OS patching

Application failure protection: Watchdog

  • Watchdog monitors and protects vCenter applications
  • Automatically enabled on install on VCSA and Windows
  • On failure watchdog attempts to restart processes, if restart fails then VM is rebooted
  • Separate watchdog per vCenter server component

Application failure protection: Windows Server Failover clustering

  • Provides protection against OS level and application downtime
  • Provides protection for database
  • Some downtime during failure
  • Reduces downtime during OS patching
  • Tested with vCenter 5.5 and 6.0

Platform Services Controller HA

  • Two models: Embedded PSC or external PSC
  • PSC high availability in 6.0 requires a third party load balancer (removed in future vSphere versions)
  • Multiple PSC nodes in same site

vCenter Backup

  • Backup both embedded PSC and external PSC configurations
  • Recover from failures to vCenter node, PSC node or both
  • When vCenter node restored, it connects to PSC and reconciles the differences
  • When PSC node restored, it replicates from the other nodes
  • Uses VADP
  • Out-of-the box integration with VMware VDP

Tech Preview (vSphere 6.1?): Native HA

  • Native active-passive HA
  • Uses witness
  • No third party technology needed
  • Recover in minutes (target is 15 minutes), not hours
  • Protects against hardware, host and application failures
  • No shared storage required
  • 1-click automated HA setup
  • Fully integrated into the product
  • Out of box for the VCSA

VMworld 2015: vSphere 6 Certificates

Session INF4946

Today

  • Why does VMware use PKI?
  • PKI – The good, bad and ugly
  • Choose your deployment to maximize operational security
  • Tech preview demonstration

Shows a slide of many recent companies that were hacked

Certificates are used in vSphere to maintain trust. Used for solution users, encryption and SAML tokens

Using PKI does not guarantee security. Security companies get hacked. Operational security can make PKI fail.

PKI: The Good, Bad and Ugly

The Good: Mature, robust, 30 years old, open, tried and trusted, can be automated and auditable

The Bad: Complex to implement, difficult to manage without automation

The Ugly: Not immune to vulnerabilities, CA compromise shatters PKI

Simplify: The vSphere Platform Services controller

  • VMware CA in PSC generates certs, generates CRLs, manages certificate lifecycle
  • VMware endpoint certificate store – stores certificates and keys, syncs trusted certs, syncs CRLs
  • VMware Directory Service – Stores identity resources, multi-master replication, domain structure, licensing, tagging
  • STS and SSO – Integrated Windows auth, AD integration, SAML tokens

vSphere 6.0 vCenter Certificates – Simplified

  • Root CA – VMCA root CA
  • SSL – MACHINE_SSL
  • Solution users – 4 certificates for 13+ services
  • STS signing cert
  • VMDir certificate
  • ESXi certificate

vSphere 6.0 ESXi Certificates

  • ESX auto-generates certificates at installation
  • Certs are stored locally, not in VECS
  • VMCA mode
  • Custom mode – with custom certs
  • Thumbprint mode – not recommended

VMCA Root CA and Machine SSL Certificates

  • Root CA – Validity 10 years, 2048 bit
  • Machine SSL –
  • Solution user – 10 years
  • ESXi cert – 5 years

Deployment Scenarios

  • VMCA as Root CA – easy and for most customers
  • VMCA as intermediate CA – can introduce some risk, but also easy.
  • Hybrid – very common. User facing certs are trusted, VMCA for solution users
  • No VMCA – Highly secure only (finance), very manual.

Certificate Management Tools

  • Certool – Command line interface
  • Certificate management utility – for Windows and Linux
  • Tech preview for 6.0 U1: PSC UI –
  • Tech preview Platform service SDK – client libraries for remote execution

PSC UI – HTML 5 based (HTTPS://PSC/PSC)

  • Ability to upload and renew certificates in GUI

PKI: Deep Dive walkthrough – Revocation

VMware services do not do revocation checking. You can delete the certs in the VMCA and the entire VMCA itself, though.

Tech Preview – vSphere Certificates and load balancers.

  • In 2016 vSphere will remove load balancer for HA PSCs.
  • Two PSCs per site are recommended

Tech Preview for Lifecycle management

  • PowerCLI for ESX host certificate replacement
  • Platform service SDK – C, Java, Python

Project Lightwave

  • Open source VMCA, VECS, VMDirectory
  • On GitHub


VMworld: What’s new in vSphere 6.0?

Session INF5060

VMware’s architecture for IT: Any device, any application, one cloud

EVO SDDC is about deploying a new datacenter in less than two hours

Compute strategic imperatives: Cloud native infrastructure, hybrid cloud, virtualization leadership

vSphere 6.0 – Largest vSphere release ever

  • Shipped March 2015
  • 2x to 4x scale increase across the platform
  • Enhanced 2D/3D support with NVIDIA Grid
  • Rapid provisioning with 10x faster instance clone
  • Content library
  • More responsive web client
  • 64 hosts in a cluster
  • Long distance vMotion and cross-vCenter vMotion, SMP-FT
  • VMware integrated OpenStack
  • Extended containers support – CoreOS

Key stats:

  • 30% of customers are running 6.0
  • 100K downloads since GA

vSphere 6.0 U1

  • vCSA – easier to install and upgrade
  • Web client – VUM support
  • Faster maintenance mode – 4x to 7x improvement
  • Certificate authority – CLI to UI
  • Live refresh in web client
  • VCSA performance increased by 20%
  • vSphere APIs for IO Filtering – 3rd party plug-ins

How does VMware enable containers?

  • Photon OS
  • Instant Clone
  • APIs for orchestration

VMware photon platform – future

  • Photon machine
  • Photon OS
  • Support for 100K containers or more
  • Available in 2016

Unified hybrid cloud allows best of both worlds

Cross-cloud vMotion and content sync with vCloud Air


© 2016 - Sitemap