Archives for April 2012

Install Trusted SSL Certificate in Cisco UCS Manager

One of the tasks you should complete during the installation of the Cisco UCS Manager is configuring the Fabric Interconnects with a trusted SSL certificate. The procedure is straightforward and only needs to be completed once, since the two Fabric Interconnects are clustered and the configuration is replicated between the two devices. In my example I’m using a Windows Server 2008 R2 Certificate Authority; any CA should work, but the steps will vary a bit.

1. Log in to your Windows CA web services site (https://yourCA/certsrv) and click on Download a CA certificate, certificate chain, or CRL.

2. On the next screen select the current root certificate, Base 64 encoding, and then click on Download CA certificate chain.

3. Save the P7B certificate file and open it in a text editor such as Notepad. Copy the contents of the file to the clipboard.

4. Log in to the Cisco UCSM and click on the Admin tab. Right click on Key Management and select Create Trusted Point. Enter a name for this trust point, such as the name of your CA. Then paste the contents of the clipboard into the certificate chain window. Click OK.

5. Right click on Key Management and select Create Key Ring. Enter a keyring name, and select the modulus (I’d pick 2048). Left click on the new keyring and then click on Create Certificate Request. In the certificate request fill out the appropriate information. Use the FQDN for the “DNS” field and for the “Subject” name use the short hostname. The IP address should be the UCSM VIP (cluster) IP address. Click OK.

6. In the next window copy the request text to the clipboard. Log in to your Windows CA then click on Request a certificate, advanced certificate request, then submit a certificate request by using a base-64 encoded CMC or PKCS #10 file. Paste the certificate request into the window provided, and select the appropriate certificate template, such as web server.

7. Download the certificate as Base 64 encoded, open it in Notepad, then copy the contents to the clipboard. Back in UCSM under the certificate request expand Certificate and select the appropriate trust point, then paste the certificate into the window. Click Save Changes.

8. In the Admin tab under Communication Management click on Communication Services. Change the HTTPS configuration to use the new keyring that you configured.

9. If you now log out of UCSM and connect to the URL with your web browser, your browser should now show a trusted certificate for the management interface.

And there you go! Your UCS Fabric Interconnects are now using a trusted SSL certificate. Yes, we can now all sleep better at night.
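
A pre-flight check for the certificate downloaded in step 7, run before it is pasted into the key ring. This is an added example, not part of the original post or of Cisco's tooling; the function name and the file names, host name and address in the usage comment are placeholders, and the chain test assumes the CA root is already trusted on the workstation where it runs.

```powershell
# Added example, not from the original post. Compares the certificate issued in
# step 7 with what was requested in step 5 and with the chain saved in step 3.
function Test-UcsmIssuedCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,    # Base 64 certificate from step 7
        [Parameter(Mandatory)][string]$ChainPath,   # P7B chain saved in step 3
        [Parameter(Mandatory)][string]$Fqdn,        # value entered in the "DNS" field
        [Parameter(Mandatory)][string]$ClusterIp,   # UCSM VIP (cluster) IP address
        [int]$MinimumKeyBits = 2048                 # modulus chosen for the key ring
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path
    $chainCerts = New-Object -TypeName "$ns.X509Certificate2Collection"
    $chainCerts.Import((Resolve-Path $ChainPath).Path)

    # RSA key size of the issued certificate (0 if the key is not RSA).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    # Subject Alternative Name (OID 2.5.29.17). Format() returns entries such as
    # "DNS Name=host, IP Address=1.2.3.4"; keep only the part after the label.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanValues = @()
    if ($sanExt) {
        $sanValues = @($sanExt.Format($false) -split ',\s*' |
            ForEach-Object { ($_ -replace '^[^=:]+[=:]', '').Trim() })
    }

    # Build the chain with the P7B certificates as extra candidates. Assumption:
    # the CA root is trusted on this workstation. Revocation is not checked here.
    $chain = New-Object -TypeName "$ns.X509Chain"
    $chain.ChainPolicy.ExtraStore.AddRange($chainCerts)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        KeyBits     = $keyBits
        KeySizeOk   = $keyBits -ge $MinimumKeyBits
        SanHasFqdn  = $sanValues -contains $Fqdn
        SanHasIp    = $sanValues -contains $ClusterIp
        # The issuer must be one of the certificates pasted into the trust point.
        IssuerInP7b = @($chainCerts | Where-Object { $_.Subject -eq $cert.Issuer }).Count -gt 0
        ChainBuilds = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage with placeholder names:
# Test-UcsmIssuedCertificate -CertPath .\ucsm.cer -ChainPath .\ca-chain.p7b `
#     -Fqdn ucsm.example.com -ClusterIp 192.0.2.10
```

Any `False` in the output is worth resolving before step 7, since a certificate without the FQDN in its SAN or with an issuer that is not in the trust point will still show browser warnings after step 9.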

Cisco UCS Microsoft SCOM 2012 Management Pack

For those of you using Cisco UCS servers and the new Microsoft System Center Operations Manager 2012, check out the UCS Management Pack v2.5. You can download it from here. According to the release notes the following operating systems are supported:

Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7

What’s new in this release?

New alerts were added:

  • UCS login Authentication Failure. This alert is logged when the user supplied Credentials are not correct. It is detected as a result of aaaLogin returning error.
  • UCS Connectivity Failure. This Alert is logged when UCS is not available for a continuous time period of 10-15 minutes. This Alert helps detect UCS unavailability. This can be caused by UCS being down or other Network issues.
  • Notification Channel Configuration Error. This Alert is logged when a user Acknowledges a fault, while not having properly configured the Command Notification Channel options. The notification channel command arguments have changed with this version and this alert will warn if the user misses to change them.
  • Acknowledging Fault with Read-Only privileges. This Alert is logged when a user with Read-Only privileges acknowledges an alert. Only users with Administrative privileges can acknowledge alerts.

The next version will have a number of improvements including:

  • Bidirectional communication works only on the Machines which have the SCOM console, Management Server as well as the Cisco UCS management pack installed. This will be addressed in the next release.
  • Overriding alert severity is not supported. Support for it will be added in the next release.
  • Detailed knowledge base for every alert is not available in this release. Support for it will be added in the next release.
  • HTTP connection with redirection enabled on the UCS does not work. This will be addressed in the next release.

Cisco UCS Platform Emulator Updated

If you are a Cisco UCS customer and want to experiment with configurations but don’t want to mess up your production environment, Cisco offers the free UCS Platform Emulator VM. They regularly update the emulator, and their most current version is v2.0.94849.368934. You can download the emulator here. You can quickly import the VM into VMware Workstation with just a few clicks. Unfortunately there are no release notes for this build, so we don’t know what changed from the prior release. The emulator still does not support the new B200 M3 blades, unfortunately.

Note: It appears creating a keyring and importing a trusted root certificate is broken in this release. It will not calculate the fingerprint of the certificate and you cannot create a certificate request.

Free Veeam VMware Management Pack for MS System Center 2012

For those of you that don’t already have a good monitoring solution for your VMware infrastructure, and use MS Operations Manager, you need to check out the Veeam Management Pack. It’s a good solution for single pane monitoring of your MS and VMware infrastructure. They are currently running a special for new customers: you can get a 10 socket license pack for free here.

Official announcement is below:

FREE 10 sockets of Veeam Management Pack

The Veeam Management Pack 10-Pack – a free VMware monitoring solution exclusively for new Veeam MP customers worldwide who are using Microsoft System Center 2012.

The Veeam Management Pack 10-Pack includes:

  • A free 10-socket license of the Veeam Management Pack for deep VMware monitoring in System Center 2012
  • One full year of maintenance and support

What is Veeam Management Pack for VMware?

The Veeam Management Pack provides scalable, fault-tolerant and agentless VMware infrastructure monitoring and management directly in Microsoft System Center.

Veeam MP enables you to:

  • Protect investments in System Center with integrated VMware monitoring
  • Manage physical and virtual infrastructure from one console
  • Eliminate the cost of additional monitoring frameworks


To qualify for this offer, you must be new to the Veeam MP and have System Center 2012 or plans to deploy it soon.

HP Insight Management 7.0 Features

Ever since I can remember Compaq/HP has offered their Insight Manager. Hot off the presses is their new 7.0 version which sports some major upgrades. You can download the multi-gigabyte ISO images here for free. Even if you don’t use Insight Manager, you might be very interested in their totally new Insight Control for VMware vCenter Server. See the end of the feature list below for all the new goodies. If you have HP BladeSystem and Virtual Connect, the previous version was very good for mapping all of the networks through Virtual Connect and into the VMs. Hopefully they will release the 7.0 version soon.

  • ProLiant next-generation (Gen8) servers supported
  • Database support for Microsoft SQL Server 2008 SP3 and Microsoft SQL Server 2008 R2 SP1
  • HP Systems Insight Manager 7.0:

    • KVM hypervisor support on RHEL 6.1 and SLES 11
    • Updated licensing reports
    • HP SUM integration support for software/firmware baselines
    • HP SUM integration support for off-line firmware upgrades (tech preview only)
    • Discovery & identification of HP Networking A-series products (3COM)
  • HP Insight Control 7.0:

    • Intelligent Power Discovery for HP BladeSystems
    • Enhanced power and thermal reporting with under-utilized server reports
    • Easy power configuration modifications (using ipmimport)
    • Data Center Power Control (DCPC) support for goal-oriented responses to power & cooling events
    • Updated performance recommendations on memory configurations
    • Performance management using network adapter (NIC) teaming and configurable monitoring administration
    • Full VMware ESXi 5 support (lockdown/non-lockdown modes, autoboot, stateless/stateful modes)
    • Server migrations across iSCSI and FibreChannel over Ethernet (FCoE), and across Linux SAN environments
  • HP Insight Control for Microsoft System Center 7.0:

    • HP ProLiant Agentless Management Pack can manage the health of new ProLiant Gen8 servers without the need for loading SNMP agents or WBEM providers
    • HP ProLiant Updates Catalog uses System Center Configuration Manager to install and update ProLiant drivers and firmware using HP Service Pack for ProLiant
    • HP ProLiant Linux Management Pack and HP ProLiant VMware Management Packs are now available separately, providing additional installation choice and flexibility
  • HP Insight Control for VMware vCenter Server 7.0 (coming soon):

    • Support of new HP ProLiant Gen8 servers Agentless Management that delivers health monitoring and configuration data without the need for loading Insight Control agents or CIM providers on the VMware hosts
    • Enhanced bare-metal deployment: Deploy ESX/ESXi on HP ProLiant Gen8 servers from VMware vCenter using the HP Insight Control Deployment Wizard
    • Complete refresh of the user interface delivering a new look and feel in the following areas:

      • Optimized view of the converged infrastructure health and configuration dashboards
      • Grouping of all the plug-in actions and control capabilities under one button
      • Integration of a News Feed in the main area to deliver updates on health, configuration changes and actions results
      • Dark and white theme selection
    • Easier to use integrated installer for both the server and storage modules
    • Active Directory support for role based security

vSphere 5.0 Hardening Guide Draft Release

A few days ago VMware released a public draft of the vSphere 5.0 Hardening Guide. Unlike the vSphere 4.0 Hardening Guide that I’ve talked about before, this version only comes in an Excel spreadsheet form. Personally, I think the PDF format of the 4.0 Guide is easier to read, but the spreadsheet is good for tracking and sorting of the various parameters. Since the hypervisor is the underpinning of your environment, it is extremely critical that it be secured. A “click next” installation of ESXi, vCenter, network configuration, and VM deployment is just waiting to be compromised.

You can find the vSphere 5.0 Hardening Guide – Public Draft here.

vSphere Web Client Service Stops

One of the new features added to vSphere 5.0 is a web client. The web client is a slimmed down version of the vSphere client that you can access from a browser. It doesn’t have 100% of the features of the fat vSphere client, but it’s a great way to do basic configuration changes or monitoring. It’s also required if you want to check your vSphere 5.0 license compliance, as vCenter has no native vRAM reporting functionality. Installing the vSphere Web Client server is very straightforward, and is done from the home page of the vSphere 5.0 installer, as shown below.

However, in every environment I installed this service on, it was never functional. If I looked at the Windows services I saw the vSphere Web Client service, however shortly after starting it would stop with no obvious error messages. All I saw in the Windows System Event log was:

Event 7036 The vSphere Web Client service entered the stopped state.

And if I tried to go to the URL I could not connect. After some research, it appears that a common DoD configuration setting of disabling 8.3 style file name generation could be the root cause. I didn’t want to disable that configuration setting, so after more research there’s a relatively simple workaround!

1. You need to create a symbolic link that points to the vSphere web client folder. By default that is at:

C:\Program Files\VMware\Infrastructure\vSphereWebClient

However, in my case I never install software on the C: drive, so my path is:

D:\Program Files\VMware\Infrastructure\vSphereWebClient

To create a symbolic link on the D: drive use this command line:

mklink /d D:\VWC "D:\Program Files\VMware\Infrastructure\vSphereWebClient"

You should now see a “shortcut” looking folder at the root of your D: drive, as shown below.

2. Modify the registry for the vSphere Web Client service to point to the symbolic link instead of the full path. The registry key is located at:


Modify the ImagePath data value and replace all of the paths with the symbolic link path. Shown below is the modified data, which is shown wrapped but is one line in the registry key.

"D:\vwc\DMServer\bin\service\bin\wrapper.exe" -s "D:\vwc\DMServer\bin\service\conf\wrapper.conf" "set.default.SERVER_HOME=D:\vwc\DMServer" set.default.JMX_PORT=9875

3. Start the vSphere Web Client service via the Service Manager GUI, or use the following command line. Give it a couple of minutes and ensure the service does not go into a stopped state. If it keeps running then you should be good to go!

net start vspherewebclientsvc

4. If you have Adobe Flash installed on your server (BAD idea!!!) then you can configure the Web Client by going to https://localhost:9443/admin-app/. If you value security and don’t have Flash on your server, you need to register it using the command line:

cd "d:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts"

Then enter the following command (on a single line), using the FQDN of your vCenter server:

admin-cmd.bat register domain\vcenter-admin-account yourpassword

When prompted about trusting an SSL certificate enter Y and then after you see the thumbprint press A to ignore future warnings. You should then see a successful registration message.

5. Now that the service is running and you’ve registered the service, you should now be able to go to the FQDN of your vCenter server with the URL below and get the VMware vSphere Web Client login.

6. If that works, you can now access the very exciting licensing state of your vSphere 5.0 hosts. To do that, use the fat vSphere client and connect to your vCenter server. Click on the Licensing icon on the home page, then click on the Reporting tab. You will need Adobe Flash player to view the report, so this is best done from a client and not a server.

And there you go! A functional vSphere Web Client, and you can check your vRAM licensing compliance. This workaround is required in vSphere 5.0 and vSphere 5.0 Update 1.
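
To confirm that an install path is affected before changing the registry, the added example below (not from the original post or from VMware) reports the system-wide 8.3 name policy and lists each folder in a path that needs an 8.3 alias but has none. The function names are hypothetical; `NtfsDisable8dot3NameCreation` is the standard Windows setting, and the path in the usage line is the D: drive path from step 1.

```powershell
# Added example, not from the original post. Run on the server that hosts the
# vSphere Web Client service.

# System-wide 8.3 short name policy as stored in the registry.
function Get-ShortNamePolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $value = (Get-ItemProperty -Path $key).NtfsDisable8dot3NameCreation
    switch ($value) {
        0       { '0: short names created on all volumes' }
        1       { '1: short names disabled on all volumes' }
        2       { '2: short name creation is set per volume' }
        3       { '3: short names disabled except on the system volume' }
        default { "unexpected value: $value" }
    }
}

# Walks from the given folder up to the drive root and reports, for each folder,
# whether it needs an 8.3 alias (name too long or containing spaces) and lacks one.
function Get-MissingShortName {
    param([Parameter(Mandatory)][string]$Path)
    $fso = New-Object -ComObject Scripting.FileSystemObject
    $folder = $fso.GetFolder($Path)     # throws if the folder does not exist
    $rows = @()
    while ($folder -and -not $folder.IsRootFolder) {
        # A name that already fits 8.3 needs no alias, so ShortName equals Name.
        $fits83 = $folder.Name -match '^[^\s.]{1,8}(\.[^\s.]{1,3})?$'
        $rows += [pscustomobject]@{
            Folder       = $folder.Path
            ShortName    = $folder.ShortName
            MissingAlias = (-not $fits83) -and ($folder.ShortName -eq $folder.Name)
        }
        $folder = $folder.ParentFolder
    }
    [array]::Reverse($rows)             # list from the drive root downwards
    $rows
}

Get-ShortNamePolicy
Get-MissingShortName 'D:\Program Files\VMware\Infrastructure\vSphereWebClient' |
    Format-Table -AutoSize
```

A folder created before 8.3 generation was disabled keeps its alias, so the per-folder result matters more than the policy value alone.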

vSphere Host Compliance Failures: Fault Tolerance not supported

During a recent vSphere 5.0 cluster setup, in which I had no need for Fault Tolerance, I kept getting a profile compliance failure for the cluster. The compliance errors were:

Fault Tolerance is not support on this host. Reason:
Fault Tolerance is not support on this host. Reason: FT logging is not enabled

It’s bad practice to just live with compliance errors if there’s really no underlying error. What if there was another cluster compliance issue and you were just used to the red X for the FT issue? If you know you aren’t going to be using FT, then there’s a simple fix. Edit the cluster properties and edit the vSphere HA Advanced Options.

Add the following advanced option: das.includeFTcomplianceChecks and set the value to false.

The setting takes effect immediately, and if you now check the cluster compliance status, it should be Compliant, assuming no other issues are found.

I’m a VMware vExpert for 2012!

Quite unexpectedly tonight I got an email from VMware telling me that I’ve been designated a VMware vExpert 2012. According to the welcome e-mail:

You’ve done work above and beyond, helping others succeed with VMware, and we here in the Social Media and Communities team are delighted to welcome you to the program. VMware vExperts are a special group, a network of peers, who communicate with each other and VMware closely, share resources, and get other opportunities for greater interaction throughout the year.

I am very honored and humbled at being chosen! I have a true passion for virtualization and look forward to continuing to contribute to the VMware community and ecosystem. My listing in the VMware vExpert directory is here. Thank you VMware!

Creating Cisco UCS Customized vSphere 5.0 U1 Bootable ISO

UPDATE 2 5/15/2012: Looks like VMware/Cisco pulled the 5.0 U1 custom ISO installation media. So follow my blog post below to create your own.

UPDATE 1 4/23/12: Cisco released a customized vSphere 5.0 U1 installation ISO with all of their latest drivers. You can download it here under OEM Customized Installer CDs. The instructions below are still valid, and would be good for incorporating future updates in your ISO image. 

Some vendors, like HP, produce customized VMware installation ISOs that have all of their drivers integrated. This is a great time saver, but unfortunately Cisco does not provide customized vSphere 5.0 installation media with the very latest drivers. Starting with vSphere 5.0 VMware gave users a method to build their own installation media and include updated packages, such as drivers. The procedure below creates a bootable ISO image using the very latest ESXi build (5.0 U1 plus the latest patches). Your machine must be connected to the internet, as it will pull down the latest bundles in real time. You do NOT need to start with an offline depot.

1) Open a PowerCLI window with Administrator rights and type the following command:


2) At this point you can list all of the packages in the depot with the following command. A partial listing is shown below.

Get-EsxSoftwarePackage | select Name,Version,ReleaseDate | sort ReleaseDate

3) Download the driver packages for your hardware from the following VMware URLs. Personally I would suggest you download all of them, so you don’t have to rebuild the image if you get a different server model.

4) You need to unzip each of the files that you downloaded, which will reveal another ZIP file and a VIB file, among others. We will be using the embedded bundle ZIP files. If you downloaded all of the drivers, unpacked them, and moved the bundled ZIPs to a single directory it should look like:

5) Repeat step 1 from above, but substitute the bundle zip files from the above screenshot. A sample is below:

add-esxsoftwaredepot E:\
add-esxsoftwaredepot E:\fnic_driver_1.5.0.7-offline_bundle-563432

6) Now you want to create a copy of the “latest” VMware profile and give it a unique name. To list all of the standard ESXi profiles use the following command:

Get-EsxImageProfile | Sort-Object "ModifiedTime" -Descending | format-table -property Name,CreationTime

7) You will notice that the latest profile has a date of 4/16/2012, but the build number is only 469512, which is far from the latest build. The latest build is actually ESXi-5.0.0-20120404001-standard. You can validate the latest patch build here. Update: Looks like the 4/16/2012 builds were a glitch, as the profile list on 4/17/2012 no longer showed the 4/16 builds and the latest was in fact the 3/16/2012 build.

8) Now you need to build a new profile based on the latest patch build. I called my new profile “ESXi-5.0.0-UCS-04152012”. The build profile name will be displayed during the boot selection process if you create an installable ISO file, so think about the name you use.

new-esximageprofile -cloneprofile ESXi-5.0.0-20120404001-standard -name "ESXi-5.0.0-UCS-04152012"

9) After you create a new image profile, you now want to add the updated UCS drivers to the profile. To determine what software package name to use, look in your driver directory at the VIB filenames. The filename prefix (e.g. net-be2net) is what you will want to use when adding the driver files.

When I tried to update the scsi-megaraid-sas bundle it said it already existed, so I skipped that in example below.  To add the remaining drivers issue the following commands:

add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 net-enic
add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 scsi-fnic
add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 scsi-lpfc820
add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 net-ixgbe
add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 net-be2net
add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 scsi-qla2xxx
add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 net-qlcnic
add-esxsoftwarepackage -imageprofile ESXi-5.0.0-UCS-04152012 net-qlge

10) To validate that your new profile in fact has the updated and new UCS drivers, use the following command:

compare-esximageprofile -comparisonprofile ESXi-5.0.0-UCS-04152012 -referenceprofile ESXi-5.0.0-20120404001-standard

As you can see in the screenshot below two new drivers were added to our custom image (net-qlge and net-qlcnic) while four others were upgraded. So yes, our custom image did get injected with the new drivers.

11) To create a customized bundle that you can use later, issue the following command:

export-esximageprofile -imageprofile ESXi-5.0.0-UCS-04152012 -exporttobundle -filepath e:\

12) To create a customized bootable ISO image, issue the following command:

export-esximageprofile -imageprofile ESXi-5.0.0-UCS-04152012 -exporttoISO -filepath e:\ESXi-5.0.0-UCS-04152012.ISO

13) If all goes well, and you use the exact same bundles that I did, when you install ESXi 5.0 you should see build 623860.
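
Step 10 confirms that the drivers were injected. The added example below (not from the original post or from VMware's tooling) goes one step further and reports which packages in a profile fall below a chosen acceptance level or come from a vendor you did not expect. The function name, the sample rows and the vendor list are constructed for illustration, and it assumes the package objects expose Name, Version, Vendor and AcceptanceLevel properties, as Image Builder package objects do.

```powershell
# Added example, not from the original post. Acceptance levels, highest first.
$LevelRank = @{ VMwareCertified = 3; VMwareAccepted = 2; PartnerSupported = 1; CommunitySupported = 0 }

function Get-VibTrustFinding {
    param(
        [Parameter(Mandatory)][object[]]$Vib,           # package objects to audit
        [string]$MinimumLevel = 'PartnerSupported',     # lowest level you accept
        [string[]]$ExpectedVendor = @('VMware')         # vendors you intended to include
    )
    foreach ($v in $Vib) {
        $level = [string]$v.AcceptanceLevel
        $reasons = @()
        if (-not $LevelRank.ContainsKey($level)) {
            $reasons += "unknown acceptance level '$level'"
        } elseif ($LevelRank[$level] -lt $LevelRank[$MinimumLevel]) {
            $reasons += "acceptance level $level is below $MinimumLevel"
        }
        if ($ExpectedVendor -notcontains $v.Vendor) {
            $reasons += "vendor '$($v.Vendor)' is not on the expected list"
        }
        # Emit a row only for packages that need a second look.
        if ($reasons) {
            [pscustomobject]@{ Name = $v.Name; Version = $v.Version; Finding = $reasons -join '; ' }
        }
    }
}

# Constructed sample rows: the first two names appear in the post, everything
# else (versions, vendors, levels, the third package) is made up for the demo.
$sample = @(
    [pscustomobject]@{ Name = 'net-enic';       Version = '0.0-constructed'; Vendor = 'Cisco';         AcceptanceLevel = 'VMwareCertified' }
    [pscustomobject]@{ Name = 'scsi-fnic';      Version = '0.0-constructed'; Vendor = 'Cisco';         AcceptanceLevel = 'VMwareCertified' }
    [pscustomobject]@{ Name = 'example-driver'; Version = '0.0-constructed'; Vendor = 'ExampleVendor'; AcceptanceLevel = 'CommunitySupported' }
)
Get-VibTrustFinding -Vib $sample -ExpectedVendor 'VMware', 'Cisco' | Format-Table -AutoSize

# Against the profile built in step 8 (requires a PowerCLI Image Builder session):
# Get-VibTrustFinding -Vib (Get-EsxImageProfile -Name 'ESXi-5.0.0-UCS-04152012').VibList `
#     -ExpectedVendor 'VMware', 'Cisco'
```

With the sample rows only `example-driver` is reported, for both its acceptance level and its vendor.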