Archives for March 2015

Top vBloggers Announced!

Each year Eric Siebert from vSphere-Land.com runs a vote for the top vBloggers in the world. Competition is fierce, and back in 2013 I was honored with getting position #24, for which I was thrilled. Then came along more SSL woes with vSphere 5.5, and my vCenter Toolkit was born. In 2014 I then moved up to position #12, and couldn’t have been happier. A lot of other great Nutanix talent also rounded out the Top 25 last year. Now, in 2015 I’m proud to say that I broke into the top 10 at #7!

I want to thank everyone that voted. All of the Top 25 bloggers do amazing work, and I’ve learned a lot from all of their posts. Blogging takes a lot of time, and How-to’s are especially time consuming due to all the testing. For the full list of Top 25 bloggers, you can read Eric’s post here.

vSphere 6.0 Install Pt. 10: Install VCSA PSC

New to my vSphere installation series is using the pre-packaged vCenter appliance (VCSA). Now that the VCSA is on par with the Windows vCenter server, I suspect more and more people will migrate to the appliance. So to that end, let’s install an external PSC using the VCSA. If you are using a Windows-based external PSC, then you can skip this blog post and go directly to Part 11 (VMCA as subordinate) when that gets published.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Deploy VCSA PSC

1. Download the VCSA ISO (yes ISO, not OVA) and mount it on a Windows VM.

2. Open the root of the ISO and click on the vcsa-setup.html file.

3. Since I’m assuming a fresh install, click on Install.

4. Accept the license agreement and click Next.

5. Enter the FQDN or IP address of the ESXi server which you want the PSC deployed on. Enter the associated credentials. Click next and wait for the verification to complete. You may get a warning about an untrusted SSL certificate. Accept it.

6. On your DNS server configure A and PTR records for the PSC’s address. This is critical!

7. Enter the FQDN of your appliance, and a complex password. If your password is not complex enough it will warn you and provide the complexity requirements.

8. Next up, select the PSC option and click Next.

9. Now we get to configure SSO. Yippee! Since I’m assuming a new install, I’ll create a new SSO domain, enter a complex password, and SSO site name. Remember that you should NOT set your SSO domain name to the same as your Windows domain. You could use a sub-domain, such as sso.contoso.local. I’m sticking with vSphere.local.

10. The appliance is automatically sized for 2 vCPUs and 2GB of RAM. Not bad for a PSC. Click Next.

11. Next up is datastore selection. In my home lab I have datastores on my QNAP and VSAN. I’ll go with VSAN here.

12. Now you get to configure your network settings. Everything here is self-explanatory. I used the public NTP servers for accurate time, and also enabled SSH (lower down on the screen).

13. On the summary screen review all of the details to ensure they are correct.

14. Sit back for a few minutes and wait for your VCSA-based PSC to be installed!

Summary

We walked through the manual process of deploying a VCSA-based PSC in your environment. The VMware wizard is very straightforward, and makes deploying the VCSA very easy. If you want to automate the deployment of the VCSA, check out William Lam’s awesome multi-part guide here. You can also check out an ‘official’ method of command line deployment here. Next up will be configuring the VMCA as a subordinate CA, which you can find here.

vSphere 6.0 Pt. 9: SSL Templates

VMware has provided new SSL template guidance for vSphere 6.0. New to vSphere 6.0 are machine SSL certificates, solution user certificates, and using the VMCA as a subordinate CA. If you are using an enterprise Microsoft CA, then this article is for you. I’ll show you how to create the new templates and publish them within your CA. You can then go into my vCenter Toolkit and change the template names to match. If you are not using a Microsoft CA, then you are on your own for creating the right templates in your particular CA. Again, you shouldn’t be using a public CA for these certificates. Use an internal enterprise CA.

April 2, 2015 Update: VMware has informed me that VUM 6.0 MUST use the old vSphere 5.5 certificate template. VUM 6.0 is NOT compatible with the new machine certificate template which debuted in 6.0. So jump to my 5.5 SSL template guide here and create the VMware-SSL template if it does not exist in your environment. If you followed my 5.5 guide and already have the template, then you are set.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Machine SSL and Solution User Certificates

1. Login to your issuing CA and launch the Certificate Authority MMC snap-in.

2. Locate the Certificate Templates folder, right click, and select Manage.

3. Locate the “Web Server” template, right click, and duplicate it.

4. Click on the General tab and name it “vSphere 6.0”. You will use the “Template name” in my Toolkit script as the template name, FYI.

5. Click on the Extension tab, click on Application Policies, then Edit. Remove Server Authentication and click OK.

6. Select Key Usage, then click on Edit. Check the box next to nonrepudiation.

7. Click on Subject name. Ensure that “Supply in the request” is selected.

8. Click on the Compatibility tab and ensure that Windows Server 2003 is selected for both options. Even if you are running a newer CA, don’t select later CA options.

9. Close the Certificate Templates console window, right click on Certificate Templates, select New, then Certificate Template to Issue. Find the vSphere 6.0 template and select it. Click OK.

VMCA Subordinate Template

You only need this template if you will be using the VMCA as a subordinate CA to your enterprise CAs. If you are going to be using fully custom SSL certificates without the VMCA, you can skip this template.

1. Login to your issuing CA and launch the Certificate Authority MMC snap-in.

2. Locate the Certificate Templates folder, right click, and select Manage.

3. Locate the “Subordinate Certificate Authority” template, right click, and select Duplicate.

4. On the General tab change the name to “vSphere 6.0 VMCA”. Also, it’s important to check the box to publish the certificate to Active Directory. This will ensure all computers trust your VMCA. For my Toolkit script you will use the template name of “vSphere6.0VMCA” (no spaces).

5. Click on the Compatibility tab and change both compatibility settings to Windows Server 2008. This enables hashing algorithms stronger than SHA1 to be used.

6. Click on the Extensions tab. Select Key usage and click Edit. Verify that all the options shown below are checked.

7. Close the Certificate Templates console window, right click on Certificate Templates, select New, then Certificate Template to Issue. Find the vSphere 6.0 VMCA template and select it. Click OK.
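Both template procedures above (the “vSphere 6.0” machine/solution user template and the “vSphere 6.0 VMCA” subordinate template) are clicked through in the MMC, which makes it easy to miss a box. As an added example that is not code from this post or from the Toolkit script, the following PowerShell reads the templates back out of the Configuration partition of Active Directory and reports exactly the settings the steps ask for: subject supplied in the request, the nonrepudiation key usage, whether Server Authentication is still in the application policies, the publish-to-AD flag, and the compatibility (schema) version. It assumes the ActiveDirectory module on a domain-joined machine, and that the templates were saved with the template names vSphere6.0 and vSphere6.0VMCA (assumed; check the “Template name” field as the post describes).

```powershell
# Added example, not from the post or the Toolkit script.
# Reads the two vSphere 6.0 templates from the Configuration partition and
# reports the settings the MMC procedures above configure by hand.
# Assumes: ActiveDirectory module, a domain-joined machine, and template
# names (not display names) of vSphere6.0 and vSphere6.0VMCA.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Flag bits from MS-CRTD for the attributes checked below
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PUBLISH_TO_DS             = 0x8     # msPKI-Enrollment-Flag: "Publish certificate in Active Directory"
$KU_NON_REPUDIATION                = 0x40    # pKIKeyUsage first byte (X.509 KeyUsage bit 1, nonRepudiation)
$OID_SERVER_AUTH                   = '1.3.6.1.5.5.7.3.1'

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Template-Schema-Version',
         'pKIKeyUsage', 'pKIExtendedKeyUsage'

function Get-VSphereTemplateReport {
    param([string[]]$TemplateName = @('vSphere6.0', 'vSphere6.0VMCA'))   # assumed template names

    foreach ($name in $TemplateName) {
        $t = Get-ADObject -SearchBase $templatesDN -Filter "cn -eq '$name'" -Properties $props
        if (-not $t) { Write-Warning "Template '$name' not found under $templatesDN"; continue }

        [pscustomobject]@{
            Template           = $name
            SubjectFromRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
            NonRepudiation     = [bool]([int]$t.pKIKeyUsage[0] -band $KU_NON_REPUDIATION)
            ServerAuthEKU      = [bool]($t.pKIExtendedKeyUsage -contains $OID_SERVER_AUTH)  # post removes this on vSphere 6.0
            PublishedToAD      = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PUBLISH_TO_DS)  # post enables this on the VMCA template
            SchemaVersion      = $t.'msPKI-Template-Schema-Version'   # 2 = Windows Server 2003 compatibility, 3 = 2008, 4 = 2012
        }
    }
}

Get-VSphereTemplateReport | Format-Table -AutoSize
```

Expected for the post’s settings: SubjectFromRequest true and ServerAuthEKU false on vSphere6.0 with SchemaVersion 2, and PublishedToAD true on vSphere6.0VMCA with SchemaVersion 3. Because “Supply in the request” lets the requester choose the subject, keep Enroll permission on the vSphere 6.0 template limited to the account that runs the Toolkit, or use the manual-approval CA mode the Toolkit supports.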

Summary

VMware has changed the security template requirements in vSphere 6.0. They’ve also introduced a new template requirement, if you are going to be using the VMCA as a subordinate CA. You need both templates if you are going to take full advantage of the new certificate features in vSphere 6.0. If you still have a VMware SSL template from prior versions, keep it around, in case you need to re-issue certs for your legacy environment. Remember to update the variables in my Toolkit script to match the new template names.

Next up in this series is installing a VCSA-based PSC, in case you want to go that route versus using a Windows PSC. You can find that article here.

vSphere 6.0 Install Pt. 8: Toolkit Configuration

Now that we have the PSC installed, it’s time to configure the variables for the Toolkit script, and also make sure we can download our root certificates. Depending on your configuration, you may need to manually download your root public certificates. VMware needs certificates in a specific format, and they need the full certificate chain. So in this installment I show you all the variables in the Toolkit script that you will need to change to make it successful. In subsequent installments we will then use the Toolkit to setup the VMCA and other certificate options.

April 2, 2015 Update: Per VMware, VUM 6.0 can NOT use the vSphere 6.0 SSL template. So I’ve added a new variable called $VUMTemplate for the old 5.5 SSL template name. You can find instructions for creating the vSphere 5.5 template here.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Derek’s Toolkit Script

My Toolkit PowerShell script performs several tasks and is menu driven. It’s an all-in-one script, meaning it handles online/offline CAs, Windows CAs and non-Windows CAs, and will also do other install tasks like creating your SQL database creation files and ODBC connectors. New for vSphere 6.0 are automation steps for the VMCA and added support for a three-tier CA hierarchy (root and two subordinates).

My Toolkit script does NOT replace the VMware certificate replacement tools, it only augments them. So you would normally use the combination of my Toolkit script plus the VMware certificate management tools for full SSL certificate replacement. I did this specifically so that customers would be fully supported by VMware, even if they use my tool. I just make the process easier, I don’t do any behind the scenes hacking or unsupported commands.

I am still in the process of developing the script, so some of the vCenter SSL features are disabled in the initial versions until I work through the full process. But much of the script is functional in this initial version.

The script has the following features:

  • Downloads and installs the proper version of OpenSSL if it’s not already installed
  • Creates 2048 bit RSA private keys in the proper format
  • Downloads both the root and up to two subordinate public certificates
  • Submits the CSRs to the online CA and downloads the certificates
  • Creates the needed service PEM files for the vCenter certificate tool
  • Creates the required root/subordinate PEM files
  • Does NOT require PowerCLI
  • Automatically uses the hostname of the server you run the script on for all certificates
  • Works with offline CAs
  • Creates customized SQL vCenter and VUM database creation script
  • Creates SQL ODBC DSNs for vCenter and VUM (SQL 2008 R2, 2012, 2014)
  • Automatically downloads and installs SQL 2008 R2 client package
  • Provides download URL for SQL 2012/2014 client
  • Supports Microsoft CAs that require manual certificate approval
  • Requires PowerShell 3.0 or higher

Configure Toolkit Variables

1. Login to your external PSC and download my Toolkit script from here. You can run it from anywhere, but I think this is the optimal place for the first run.

2. My script will automatically download OpenSSL for you. Since OpenSSL versions change frequently, I put the download name up front for this version of the script. If you run the script and it errors out, it will display a friendly failure message. Just go to the URL shown, update the download filename and Voila! Unlike my vSphere 5.5 script, I won’t be releasing new versions every time OpenSSL is updated.

3. Open the script in your favorite PowerShell editor and find the certificate details section. Modify the company name, organization, etc. for your environment.

4. Modify the CA names as needed for your environment. My script now supports a root CA plus two subordinates. If you don’t have one or more subordinates, just add a # in front of the appropriate line.

5. If you are using a Microsoft CA with the certificate web enrollment service enabled, then select whether you will be accessing the CA web site via HTTP or HTTPS. HTTPS is recommended, but sometimes there are certificate errors that don’t allow that to work.

6. Next up you need to configure your Issuing CA information. This can be a little confusing, due to the way Microsoft labels the CA. The best way to find the proper name is to log in to your issuing CA and launch the Certificate Authority snap-in. The CA could be called anything, depending on how it was set up. Look for the name next to the green check mark. In the script, prepend that name with the hostname of your CA.

7. For VUM 6.0 we need to use the vSphere 5.5 SSL template. So enter the name of your vSphere 5.5 SSL template here. If you followed my 5.5 guide, then it will be called VMware-SSL. Do NOT use your vSphere 6.0 template name here, as it will NOT work.

8. Now you need to configure your VMware SSL template name. These certificates will be used for vCenter services and ESXi host certificates. The steps for vSphere 6.0 are NOT the same, so refer to my blog article here in Part 9 for the template instructions. This template name assumes you will follow that article. You can NOT use your vSphere 5.5 template.

9. Next up, you need to define the Subordinate template name. VMware requires using a custom template and not the Microsoft default. If you follow my blog post here, then your template name will be called vSphere6.0VMCA. If you won’t be using the VMCA subordinate CA feature, just ignore this section.

If you have a custom template and need to know the “Template Name”, just open your CA MMC, go to “Certificate Templates”, right click and select “Manage”. Open the properties of the template in question and look for the “Template name” NOT the “Template display name”.

10. To download the proper certificate chain, my script must download the public certificates from each of the CAs that are in the chain. Depending on the age of your CA, you may need to increment up the “renewal” numbers to get the latest certificate. If you increment too high it will download garbage and my script will alert you to that fact. “0” is the default, but you may find you need 1 or more here.

Configure Windows CA

11. Next up we need to make sure your Windows CA can issue subordinate certificates if you will be using the VMCA as a subordinate CA. Ignore this section if you won’t be making the VMCA subordinate to your Windows CA. Go into your issuing CA, launch the Certificate Authority tool and look in the “Certificate Templates” folder. You should see a “vSphere 6.0 VMCA” template listed after you complete Part 9 of my guide.

12. If you do not see this listed then you haven’t read Part 9 (sorry I didn’t blog about this before, but it was a last minute lesson learned) and created the template. Go to that part now, create the new vSphere 6.0 templates, then come back here.

Download Root Certs

If all of your CAs are serviced by an online Microsoft CA and you have correctly configured the Toolkit script variables, and you have web services enabled on the CA, then the script will automatically download the public certificates for you. However, if you have an offline CA or they aren’t web enrollment enabled, you will need to download them manually. Or if you are using a non-MS CA, then you need to get them manually as well. Sometimes the MS CA web services won’t cooperate so manual downloads are needed as well.

13. Open a blank MMC, then add the Certificates snap-in for the Computer account.

14. Navigate to the “Intermediate Certification Authorities” folder and open the Certificates folder. If you don’t see your CAs there, poke around in the other folders until you find them.

15. Find the certificate authorities for your environment. Right click on each one, and export as a base-64 encoded x.509 certificate. Save the root certificate as C:\Certs\root64.cer. Save the first subordinate certificate (if applicable) as C:\Certs\interm64.cer. If you have a second subordinate, save that certificate as C:\certs\interm264.cer.

In case you are unsure of the base-64 certificate format, it will look like the following graphic if opened in a text editor.
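Steps 13 through 15 export each CA certificate by hand and rely on you picking the Base-64 option in the wizard. As an added example that is not the post’s or the Toolkit’s own code, the PowerShell below does the same export from the machine certificate stores into the exact file names the Toolkit expects, always picks the newest certificate for each CA (the same thing the “renewal” counter in step 10 selects by hand), and then proves the three files actually link into one chain ending at the root. The CA common names, the C:\Certs path and a three-tier hierarchy are assumptions; drop the third entry for root plus one subordinate.

```powershell
# Added example, not the post's or the Toolkit's own code.
# Exports each CA certificate from the machine store as Base-64 (PEM) using the
# file names from step 15, then checks that the files link into one chain.
# Assumed: the CA common names below, and that the CA certificates are present
# in the local Root / Intermediate Certification Authorities stores.
$outDir  = 'C:\Certs'
$caFiles = [ordered]@{                    # assumed CA names -> file names the Toolkit expects
    'Contoso-Root-CA' = 'root64.cer'
    'Contoso-Sub-CA1' = 'interm64.cer'
    'Contoso-Sub-CA2' = 'interm264.cer'   # remove this line for a two-tier hierarchy
}

function Export-PemCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Path
    )
    # Same layout as the MMC's "Base-64 encoded X.509 (.CER)" export: DER bytes,
    # Base-64 in 64-character lines between the BEGIN/END markers, ASCII with no BOM.
    $b64 = [Convert]::ToBase64String($Certificate.RawData, 'InsertLineBreaks')
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    [IO.File]::WriteAllText($Path, $pem, [Text.Encoding]::ASCII)
    $Path
}

function Test-PemChain {
    param([string[]]$File)   # ordered: root first, then each subordinate
    foreach ($f in $File) {
        if ((Get-Content $f -TotalCount 1) -ne '-----BEGIN CERTIFICATE-----') { throw "$f is not Base-64 encoded" }
    }
    $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](
        $File | ForEach-Object { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_ })
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'                        # offline check of the links only
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.ExtraStore.AddRange($certs)
    $built = $chain.Build($certs[-1])                                       # start at the deepest subordinate
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        ChainBuilt = $built
        Depth      = $chain.ChainElements.Count                             # should equal the number of files
        EndsAtRoot = ($top.Thumbprint -eq $certs[0].Thumbprint)
        Path       = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  '
    }
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$exported = foreach ($cn in $caFiles.Keys) {
    # Newest certificate for each CA wins, so a renewed CA certificate is not missed
    $cert = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
            Where-Object { $_.Subject -like "CN=$cn,*" -or $_.Subject -eq "CN=$cn" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for '$cn' in the machine Root/CA stores" }
    Export-PemCertificate -Certificate $cert -Path (Join-Path $outDir $caFiles[$cn])
}
Test-PemChain -File $exported
```

A result of ChainBuilt true, Depth equal to the number of files and EndsAtRoot true means the files are the right certificates in the right order; a Depth of 1 usually means a subordinate file was exported from a stale or unrelated CA certificate.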

Summary

If you are familiar with my Toolkit script for vSphere 5.5, then you will be right at home in the 6.0 version. I’ve cleaned up the configurable variables, added a few new ones, and added full VMCA support. We will use the Toolkit to configure the remaining SSL certificates, which include vCenter and ESXi. Next up is configuring the SSL template in Part 9.

vSphere 6.0 Install Pt. 7: Config SQL DBs

Now that we have the Windows PSC installed, it is time to prepare for installing vCenter. vCenter can support three database types: embedded vPostGres (supports up to 20 hosts and 2000 VMs), Microsoft SQL, and Oracle. SQL seems to be the most popular choice, so that’s what I’ll help you configure here. Now to be frank, nothing has really changed here in vSphere 6.0 for the SQL setup. But it does fully support SQL 2014, which is great. Note: VUM 6.0 does not seem to support SQL 2014. So check VMware docs to verify compatibility when you go to install. To find out if your particular SQL version is supported, you can check out the VMware Product Interoperability Matrixes. Be sure to select “Solution/Database interoperability” so you can view the supported Oracle and SQL databases. Double check VUM!

Do take note that VMware fully supports “legacy” SQL failover clusters for the vCenter database. This is distinctly different from AlwaysOn Availability Groups, which are currently NOT supported. Nag your VMware TAM about AlwaysOn Availability Group support. I wrote an entire blog series about setting up a SQL 2012 failover cluster, which you can check out here. It’s nearly the same steps for SQL 2014.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Create DB Files

VMware unfortunately does not provide a tool to automatically create your SQL database for you. So it’s up to you to size and configure the SQL databases prior to installing vCenter. You must also configure the proper DSN, and install the appropriate SQL client. Since VMware left these tasks up to the customer to do, I’ve included them in my vCenter toolkit to help expedite your installation process.

My vCenter toolkit script was very popular for 5.5 users, so I’ve updated the script for 6.0. Some of the SSL work isn’t quite done, so I’ll be releasing future updates to complete the SSL setup. But the current version does support the SQL DB creation, so let’s get to work.

1. Go to this permalink (here) and download my PowerShell script. To create the SQL databases you can run the script from anywhere. But for simplicity I’d suggest running it on what will be your vCenter server. Run the script, and you should see a menu similar to the screenshot below. Menus may change a little between releases.

2. On the main menu select Option 1 to open the SQL Database menu. Select the option to create the vCenter and VUM SQL database file (Option 1). You will then be prompted for a series of responses, to properly size the database and log files for both vCenter and VUM. The screenshot below shows all of the prompts, and example configuration.

3. After the configuration file is written, copy it over to your SQL server and open it in SQL Studio. Modify the paths to the files as needed, then run the script. You should not have any errors, and two databases should now appear on your SQL server.

4. During my vCenter testing I found that even though the service account was DBO on the two databases, the vCenter installer complained. So for installation purposes, I gave the service account temp ‘sysadmin’ permissions at the SQL level, as shown below.

5. Back on the vCenter server run the Toolkit script again, but this time we need to create the vCenter DSN. Select that option from the menu, option 2 in the version shown. Enter the required information, then download and install the SQL client as indicated.

6. Just to make sure the DSN will work, launch “odbcad32.exe”, click on System DSN, then find your vCenter DSN. Click on Configure, click Next through the whole wizard, then click on Test Data Source. Verify success.

7. If you are going to use VUM, then we need to repeat a similar process to create the DSN and test the connector. Using my Toolkit script, select option 3. Follow the prompts to create the DSN, then from the Windows start screen search for “data” and select the ODBC Data Sources (32-bit) option. Perform a DSN test and verify success. Again, verify with VMware which SQL version VUM 6.0 supports. VUM has not been updated in ages, and may NOT support SQL 2014.
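The DSN steps above are done through the Toolkit menu and then verified by hand with the ODBC Administrator. As an added example that is not the Toolkit’s own code, the PowerShell below creates the two System DSNs with the Windows Wdac module and runs the same connectivity check the “Test Data Source” button performs, reporting which database and login the connection actually landed on. The SQL server name, database names and the Native Client driver name are assumptions for a lab; the script uses Windows authentication, so run it as the vCenter service account. It also handles the bitness trap the post’s 32-bit ODBC step hints at: a 64-bit PowerShell cannot see a 32-bit DSN, so the VUM test is skipped with a pointer unless you run it from the 32-bit PowerShell.

```powershell
# Added example, not the Toolkit's own code.
# Creates the vCenter and VUM System DSNs that Toolkit menu options 2 and 3
# build, then runs the same check as the ODBC Administrator "Test Data Source"
# button. Server, database and driver names are lab assumptions.
Import-Module Wdac    # Add-OdbcDsn / Remove-OdbcDsn (Windows 8 / Server 2012 and later); run elevated

$sqlServer = 'sql01.contoso.local'   # assumed SQL server
$dsnSpecs  = @(
    # vCenter 6.0 is 64-bit; VUM 6.0 is a 32-bit application, which is why the post tests it in "ODBC Data Sources (32-bit)"
    @{ Name = 'vCenter'; Database = 'VCDB';  Platform = '64-bit'; Driver = 'SQL Server Native Client 11.0' },
    @{ Name = 'VUM';     Database = 'VUMDB'; Platform = '32-bit'; Driver = 'SQL Server Native Client 11.0' }
)

function New-VSphereDsn {
    param([string]$Name, [string]$Database, [string]$Platform, [string]$Driver)
    # Drop and recreate so a re-run picks up changed values instead of failing on "already exists"
    Remove-OdbcDsn -Name $Name -DsnType System -Platform $Platform -ErrorAction SilentlyContinue
    Add-OdbcDsn -Name $Name -DriverName $Driver -DsnType System -Platform $Platform `
        -SetPropertyValue @("Server=$sqlServer", "Database=$Database", "Trusted_Connection=Yes")  # Windows auth
}

function Test-VSphereDsn {
    param([string]$Name, [string]$Platform)
    # A 64-bit process only sees 64-bit DSNs and vice versa; test the VUM DSN from
    # C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    $procPlatform = if ([Environment]::Is64BitProcess) { '64-bit' } else { '32-bit' }
    if ($procPlatform -ne $Platform) {
        return [pscustomobject]@{ DSN = $Name; Connected = $null; Detail = "run from $Platform PowerShell to test this DSN" }
    }
    $conn = New-Object System.Data.Odbc.OdbcConnection "DSN=$Name;"
    try {
        $conn.Open()                                             # this is what "Test Data Source" does
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT DB_NAME(), SUSER_SNAME()'     # prove we landed in the right DB as the right login
        $rdr = $cmd.ExecuteReader(); [void]$rdr.Read()
        [pscustomobject]@{ DSN = $Name; Connected = $true; Detail = "$($rdr.GetString(0)) as $($rdr.GetString(1))" }
    } catch {
        [pscustomobject]@{ DSN = $Name; Connected = $false; Detail = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

foreach ($d in $dsnSpecs) {
    New-VSphereDsn @d
    Test-VSphereDsn -Name $d.Name -Platform $d.Platform
}
```

Run the test again after the vCenter install, once the temporary sysadmin role from step 4 has been removed, to confirm the service account still connects to VCDB and VUMDB as their db_owner.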

Summary

We’ve now created both the vCenter and VUM databases in SQL, configured the ODBC connectors, and verified they work. The final step in getting vCenter up and running is actually installing vCenter using the databases we just created. But before we install vCenter, let’s configure my vCenter toolkit script and download our root CA public certificates, here in Part 8.

vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices

In this installment of the vSphere 6.0 installation how-to series we cover upgrading ESXi hosts, VMs, and VMFS. You do need to understand ESXi/VM/VMFS upgrade best practices, recommended order, and gotchas. That’s what this post is for.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Upgrade Overview

First of all, planning is key. Even in a lab environment you want to settle on an upgrade strategy and understand the order. Order is huge! If you are running the basic vSphere stack and no other products like SRM, vCAC, etc., the order looks like this:

1) vCenter
2) VUM
3) ESXi hosts
4) VMs
5) VMFS

But don’t just plow ahead at full steam and forget about things like vCenter plug-ins, VDI dependencies, backup software support, SRM, and the plethora of other VMware and third-party products. Once you get vCenter and VUM updated it is fully supported to do rolling ESXi host upgrades. Then you have to think about VM hardware versions, VM tools, and VDS configuration. For a great summary of the upgrade order if you use other VMware products, check out this KB.

Bottom line: Think through and plan the ENTIRE upgrade before starting any part of it, including vCenter. Many times third party products like backup software can lag significantly in vSphere support. So you may be waiting a while before you can upgrade.

VIBs and Image Profiles

Understanding how VMware packages ESXi is important to better understand the upgrade path. Vendors like HP, Cisco, Dell, and others provide customized ESXi ISO media. VMware packages software (drivers, agents, etc.) as VIBs (vSphere Installation Bundle). It’s similar to a zip file or tarball. VIBs can be bundled into an ISO file (such as the ESXi installer), or as a zip depot file.

An image profile defines the VIBs which will be installed. A “standard” profile contains VMware tools and a “no-tools” profile has no VMware tools (mostly for autodeploy). You can use the image builder CLI to create a custom profile.

If you want to view the VIBs on your ESXi host use the following command:

esxcli software vib list

There are many third party custom ISOs, bundles, and online depots. VMware recommends that you use a vendor customized ISO for your hardware. Some vendors are extremely timely, while others lag or are nearly non-existent. I know from personal experience the HP install ISOs are heavily customized, while the Cisco ones only have a handful of drivers. Nutanix, for example, goes through a thorough testing process and bakes the ESXi install into our Foundation product. So there is no need to deal with custom ISOs or VIBs, as Foundation will deploy everything needed in an automated fashion.

Upgrading vSphere Hosts

The big question is: should I upgrade the host or do a fresh install? Unlike vCenter, where VMware recommends a fresh install if possible, for ESXi hosts they recommend upgrading. You can leverage features like HA, DRS, storage vMotion, and host profiles to quickly roll through hosts. Fresh installs should be limited to a small number of hosts, maybe for test purposes.

Before you upgrade check the VMware Compatibility Guide. Just because your host works with 5.0 or 5.5, does NOT mean it will work with 6.0. For example, historically HP BladeSystem has needed newer firmware to address gotchas with new ESXi builds. Don’t just blow this step off and think you have a tier-1 vendor so all is good. Likely specific firmware versions will be required/approved. Also, with 6.0 VMware removed some drivers like RealTek NICs. So if you do a fresh install you may suddenly be missing your NICs on a whitebox server. Good news is that if you are using a Mac Mini, many models come with out of the box support in 6.0!

If you are a Nutanix customer, you can do a one-click hypervisor upgrade once we have qualified vSphere 6.0. This means you don’t need to use VUM, as the Nutanix PRISM GUI fully automates the upgrade process for you. Keep an eye out for the Nutanix announcement of vSphere 6.0 support. Our stated SLA is 90 days from GA.

Release Notes

The vSphere 6.0 release notes are quite lengthy. A number of support calls can be avoided by getting a heads up of issues. That’s why planning is so important. Get a cup of coffee or Five Hour Energy and read every issue in the release notes. It can pay dividends! The vSphere 6.0 release notes are here.

ESXi Upgrade Methods

  • ESXi Installer – Boot from ISO, choose upgrade
  • vSphere Update Manager – Import ISO, create upgrade baseline, remediate
  • ESXCLI – Stage ZIP, execute ‘esxcli software profile update’
  • Scripted Upgrades – Update/customize upgrade script
  • Nutanix – One click upgrades

The most popular and automated method is using VUM. It will orchestrate host maintenance modes, respect DRS directives, and generally make it seamless. You can directly upgrade from ESXi 5.x to 6.0.

Upgrading Clusters

Rolling upgrades within clusters are supported and highly recommended. Do take note that vCenter 6.0 does not support ESX/ESXi 4.x hosts, so upgrade them to 5.x prior to upgrading vCenter. Be careful with VM hardware compatibility in such situations though. ESXi 6.0 has wide latitude in virtual hardware support, so there’s no critical rush to upgrade to v10 or later hardware. Be sure to leverage HA, DRS, vMotion and storage vMotion to enable minimal/zero downtime upgrade. If you are using Enterprise Plus, leverage host profiles. It minimizes configuration drift and enables stricter configuration control.

Upgrading ESXi Hosts

The boot disk is not re-partitioned during the upgrade process. However, the contents ARE overwritten. If there’s a VMFS datastore on the boot volume it will be preserved. Same for scratch. Absolute minimum is 1GB of space on your boot volume. Here’s a good KB on boot volume sizing. I personally use 5-6GB LUNs for boot-from-SAN configurations. The figure below shows the basic partition layout of an ESXi installation. This scheme has not changed for 6.0.

VM Upgrades

VMware has changed their nomenclature in how they refer to VM hardware compatibility. Previously they always called out the specific “hardware” version such as 4, 7, 9, etc. But that didn’t obviously relate to a specific release, and people got confused. Plus they thought, oh my gosh, I’m on HW 4 and they are up to 9, I’m way out of date…upgrade!

Now VMware calls out the “Compatibility” level and ties that to a release of ESXi. For example, if under the covers the VM is HW v7 it will show ESX 4.x and later in the web GUI. Do NOT feel pressure to always upgrade the compatibility level. Sometimes you need to, such as provisioning a monster VM that wasn’t supported on older versions of ESXi. And sometimes there are performance gains to be had when using new vHW versions. My advice is to upgrade the vHW as part of your overall upgrade plan. Do realize that some new VM features can’t be edited in the Windows C# client, but basic properties like RAM and vCPUs can be modified. Click on the graphic to expand and see the various upgrade paths.

[Figure: VM hardware compatibility level upgrade paths]

Upgrading Tools and VM hardware is OPTIONAL, and VMware officially supports N-4 versions. VM hardware versions are NOT backwards compatible, though: a VM upgraded to HW version 11 will only run on vSphere 6.0, so don’t upgrade a VM’s hardware until every host it could vMotion or fail over to is on 6.0.

VMware Tools are backward and forward compatible to a very large degree, so don’t freak out if a VM isn’t running the latest Tools. VMware recommends you DO keep up (performance, security, compliance checking, etc.), but you have wide latitude. Backup software, HA heartbeats and other functions rely on VMware Tools, so if they have problems, verify the Tools version matches your host. VUM is excellent for verifying compliance. My recommendation is to keep VMware Tools up to date, especially after a big upgrade such as going to 6.0.

For those of you who heard that, starting with vSphere 5.1, upgrading VMware Tools would no longer require a reboot: that’s not actually the case. The low-down is that VMware did change VMware Tools to leverage Windows hot-swapping of some kernel modules. However, some modules, such as keyboard/mouse/USB, still require a reboot, and VMware includes those non-hot-plug modules in each Tools update. The net result is that you still need to reboot when doing Tools updates. Perhaps in the future they will change that behavior, but that’s not the case in 5.1 through 6.0.
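Since the hardware version and Tools state of every VM are what decide whether a VM can still move between mixed 5.x/6.0 hosts and whether HA heartbeats and quiesced backups keep working, here is an added PowerCLI audit for the VM hardware and Tools points above. It is example code written for this post, not part of the original article or of VMware’s tooling; it assumes PowerCLI 6.0 with an existing Connect-VIServer session, and the cluster name and report path are assumed values.

```powershell
# Added example, not code from the original post: audit VM hardware
# compatibility and VMware Tools state for a cluster before and after the
# ESXi 6.0 upgrade. Assumes PowerCLI 6.0 and an existing Connect-VIServer
# session; the cluster name and report path are assumed values.

$ClusterName = 'Prod-Cluster01'
$ReportPath  = 'C:\Temp\vm-upgrade-audit.csv'

$report = foreach ($vm in (Get-Cluster -Name $ClusterName | Get-VM)) {
    $guest = $vm.ExtensionData.Guest
    [pscustomobject]@{
        Name           = $vm.Name
        PowerState     = $vm.PowerState
        HardwareVer    = $vm.Version                  # v7 = "ESX/ESXi 4.x and later", v11 = 6.0 only
        ToolsStatus    = $guest.ToolsStatus           # toolsOk / toolsOld / toolsNotRunning / toolsNotInstalled
        ToolsVersion   = $guest.ToolsVersion
        ToolsVerStatus = $guest.ToolsVersionStatus2   # guestToolsCurrent / guestToolsNeedUpgrade / guestToolsUnmanaged ...
        # Missing or stopped Tools break HA heartbeats, quiesced backups and
        # clean guest shutdown, so those come first; merely old Tools come next.
        NeedsAttention = ($guest.ToolsStatus -in 'toolsNotRunning','toolsNotInstalled') -or
                         ($guest.ToolsVersionStatus2 -eq 'guestToolsNeedUpgrade')
    }
}

$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Everything above is read-only. To remediate out-of-date Tools on running VMs
# without an immediate reboot (the reboot still has to happen in your change
# window, per the paragraph above), uncomment:
# $report | Where-Object { $_.ToolsVerStatus -eq 'guestToolsNeedUpgrade' -and $_.PowerState -eq 'PoweredOn' } |
#     ForEach-Object { Get-VM -Name $_.Name | Update-Tools -NoReboot -RunAsync }
```

Run it once before the host upgrade to get a baseline, then again afterwards: any VM whose ToolsVerStatus flips to guestToolsNeedUpgrade is one the new host considers out of date, and the HardwareVer column is what you check before deciding to bump a VM to v11.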

VMFS Upgrades

VMFS upgrades are simple and completely non-disruptive: you can upgrade a datastore from VMFS-3 to VMFS-5 with running VMs on it. However, while this may sound perfect, keep reading, as the reality is more complicated. The table below shows the differences between the two filesystem versions. Now that VMFS-5 has been around for a while, I hope you don’t have too many VMFS-3 datastores left.

[Table: VMFS-3 vs. VMFS-5 feature differences]

OK, so you are thinking, why is an in-place upgrade not ideal? The problem is that an upgraded volume does NOT look the same under the covers as a freshly formatted VMFS-5 volume. The table below shows the differences. The most impactful is the block size: in vSphere 4.x and earlier you had a choice of block sizes ranging from 1MB to 8MB, and an upgraded volume keeps whatever block size it was formatted with, whereas a fresh VMFS-5 volume is always 1MB. If your array supports VAAI, the source and destination VMFS volumes must have the same block size for operations such as cloning or Storage vMotioning VMs to be offloaded; otherwise the disk operations revert to legacy host-based copy and run slower.

[Table: upgraded VMFS-5 vs. freshly formatted VMFS-5]

VMware’s recommendation is to create a fresh VMFS-5 datastore, then Storage vMotion your VMs into it. After the old datastore is evacuated, reformat or decommission it. If you aren’t licensed for Storage vMotion, then during your vCenter upgrade don’t input a product key: this gives you 60 days of evaluation-mode ‘enhanced’ license features.


VMFS will play less of a role in vSphere 6.0 and beyond with the advent of VVols. VVols do not use a VMFS filesystem, so there’s no VMFS to deal with. Once your storage array supports VVols and you migrate VMs to VVols, you can forget about VMFS for those VMs. I have no insider knowledge here, but I’d be surprised if VMware released any major new VMFS versions given the VVols future.
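To find the datastores the VMFS discussion above says you should evacuate and reformat rather than upgrade in place (anything still VMFS-3, and anything VMFS-5 that kept a non-1MB block size from its VMFS-3 days), here is an added PowerCLI check. It is example code written for this post, not the original article’s or VMware’s; it assumes PowerCLI 6.0 with an existing Connect-VIServer session.

```powershell
# Added example, not code from the original post: find VMFS datastores that
# are still VMFS-3, or that were upgraded in place and kept a block size other
# than 1MB. Mixed block sizes defeat VAAI full-copy offload between
# datastores. Assumes PowerCLI 6.0 and an existing Connect-VIServer session.

$report = Get-Datastore | Where-Object { $_.Type -eq 'VMFS' } | ForEach-Object {
    $vmfs = $_.ExtensionData.Info.Vmfs      # HostVmfsVolume for this datastore
    [pscustomobject]@{
        Name        = $_.Name
        VmfsVersion = $vmfs.Version          # "3.xx" or "5.xx"
        BlockSizeMB = $vmfs.BlockSizeMb      # a freshly formatted VMFS-5 volume is always 1
        CapacityGB  = [math]::Round($_.CapacityGB)
        VMCount     = @($_ | Get-VM).Count
        # Either condition means "evacuate with Storage vMotion and reformat",
        # not "upgrade in place".
        Reformat    = ($vmfs.Version -like '3.*') -or ($vmfs.BlockSizeMb -ne 1)
    }
}

$report | Sort-Object Reformat -Descending | Format-Table -AutoSize

# A clone or Storage vMotion between two datastores with different block
# sizes falls back to host-based copy instead of the array's XCOPY primitive.
$sizes = @($report | Group-Object BlockSizeMB)
if ($sizes.Count -gt 1) {
    $summary = ($sizes | ForEach-Object { "$($_.Name)MB x$($_.Count)" }) -join ', '
    Write-Warning "Mixed VMFS block sizes in use: $summary"
}
```

The Reformat column is the to-do list; the warning at the end tells you whether the environment as a whole still has the block-size mismatch that makes VAAI silently fall back to the slow path.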

SSL Certificates

New to vSphere 6.0 are the ESXi host certificate management modes. They are:

  • VMware Certificate Authority mode – The VMCA automatically provisions ESXi host certificates
  • Custom Certificate mode – Enables you to use certificates issued by your own CA
  • Thumbprint mode – Retains the vSphere 5.5 host certificates during the upgrade; in this mode vCenter trusts each host by its certificate thumbprint only and does not validate the certificate chain, so treat it as a transitional setting

Which mode you use depends on your business requirements. VMCA mode is the easiest, as it automates ESXi certificate deployment. I would recommend this mode. You could use custom certificate mode and then use my vCenter 6.0 toolkit to replace the certificates, but I’d only recommend that if you can’t use the VMCA and must use certificates from your own trusted CA. Whichever mode you pick, verify after the upgrade that each host is actually presenting a certificate issued by the CA you chose, and move off thumbprint mode once the upgrade is complete.
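To confirm which certificate mode vCenter is actually in and what each host is presenting, here is an added PowerCLI check. It is example code written for this post, not the original article’s toolkit or VMware’s; it assumes PowerCLI 6.0 with an existing Connect-VIServer session, and the $TrustedIssuerPattern value is an assumed VMCA-style issuer DN that you must replace with your own CA’s subject.

```powershell
# Added example, not code from the original post or from VMware: report the
# ESXi certificate mode vCenter 6.0 is running in and what certificate each
# host actually presents, so you can confirm hosts chain to the VMCA (or your
# custom CA) rather than merely being pinned by thumbprint.
# Assumes PowerCLI 6.0 and an existing Connect-VIServer session.
# $TrustedIssuerPattern is an assumed value; set it to your own CA's subject.

$TrustedIssuerPattern = 'CN=CA, DC=vsphere, DC=local*'   # assumed VMCA-style issuer DN

# vpxd.certmgmt.mode is the vCenter advanced setting behind the three modes:
# vmca (default), custom, or thumbprint.
$mode = Get-AdvancedSetting -Entity $global:DefaultVIServer -Name 'vpxd.certmgmt.mode'
"vCenter ESXi certificate mode: $($mode.Value)"
if ($mode.Value -eq 'thumbprint') {
    Write-Warning 'Thumbprint mode: vCenter trusts each host by certificate thumbprint and does not validate the chain. Treat it as transitional.'
}

$report = foreach ($esx in Get-VMHost) {
    $hv = $esx.ExtensionData
    # HostCertificateManager is new in the 6.0 API; CertificateInfo describes
    # the certificate the host serves on TCP 443.
    $cm = Get-View -Id $hv.ConfigManager.CertificateManager
    $ci = $cm.CertificateInfo
    [pscustomobject]@{
        Host       = $esx.Name
        Issuer     = $ci.Issuer
        Subject    = $ci.Subject
        NotAfter   = $ci.NotAfter
        Status     = $ci.Status                        # good / expiring / expired / ...
        Thumbprint = $hv.Summary.Config.SslThumbprint  # what thumbprint mode pins on
        # A host whose issuer does not match your CA is either still on its
        # pre-6.0 self-signed certificate or was never re-issued after upgrade.
        ChainsToCA = ($ci.Issuer -like $TrustedIssuerPattern)
    }
}

$report | Format-Table -AutoSize
# Hosts needing attention: issued by the wrong CA, or not in 'good' status.
$report | Where-Object { -not $_.ChainsToCA -or $_.Status -ne 'good' } |
    Format-Table Host, Issuer, Status, NotAfter -AutoSize
```

The point of the Issuer and ChainsToCA columns is that a host can look “connected” in vCenter while still serving its old self-signed certificate, which is exactly the state thumbprint mode hides; this report makes that visible per host.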

Smart Card Authentication

Also new to vSphere 6.0 is the ability to use smart card authentication to your ESXi host. ESXi supports US DoD CAC cards as well as industry-standard smart cards. See the vSphere 6.0 Security guide for details on how to configure your ESXi hosts to use smart cards; I will not be covering that in this series.

Summary

  • Understand the vSphere Upgrade Process
  • Understand how ESXi is packaged and distributed
  • Understand patches vs. updates vs. upgrades
  • Know the different upgrade methods
  • Stay current on VMware tools
  • Freshly format VMFS-5 volumes; don’t upgrade from VMFS-3
  • Consciously pick which certificate deployment model you will use
  • Investigate smart card authentication, if you have a business requirement for it

Now that we’ve gotten the upgrade and best practices out of the way, in the next installment we will start installing the vSphere 6.0 PSC. You can check out that installment here.

The New High Bar: Nutanix NPX Certification

Today Nutanix is proud to announce their Nutanix Platform Expert (NPX) certification. You can read the official press release here. The goal of this certification is to become the most rigorous technical computing qualification in the IT industry. That’s saying a lot, given the other live, performance-based certifications that people are going through today, such as Cisco CCAr and VMware VCDX. They are very rigorous, and anyone getting through those live defense processes should be VERY proud of their accomplishment.

Offered at *no charge*, this live-defense-based certification aims to set the bar even higher by testing a wider variety of knowledge. For example, you must have “X”-level knowledge of at least two hypervisors of your choice (vSphere, Hyper-V or KVM), “X”-level knowledge of the Nutanix platform, familiarity with web-scale concepts, plus the world-class architect and soft consulting skills required for successful global enterprise deployments.

I was lucky enough to be involved in the creation of the NPX program, along with more than a dozen other Nutanix consulting architects, solutions/performance engineers, SEs, and other staff. The bar we set for the minimally qualified candidate is high, comprehensive, and will be a challenge ready for conquering by the brightest minds in the IT industry.

The NPX process consists of two parts: developing a Nutanix-based, enterprise-ready design consisting of a number of documents (see the handbook for more details, but this includes a CV, references, an emerging technology essay, a current state review, a migration plan, an architecture guide, etc.) and submitting that design for review; then, if the minimum score is met, being invited to defend in front of a live panel. The defense itself consists of three parts: a solution design presentation (90 minutes), a hands-on troubleshooting exercise (40 minutes), and questioning on a 3-tier-to-web-scale migration and a second-hypervisor solution stack (60 minutes).

During this defense the following skills will be assessed:

Consultation skills

  • Discovery of business requirements
  • Identification of risks and risk elimination or remediation
  • Identification of assumptions and constraints and removal or accommodation in the solution design
  • Incorporation of Web-scale technologies and operational models
  • Evaluation of organizational/operational readiness
  • Migration and transition planning

Conceptual/Logical Design Elements

  • Scalability
  • Resiliency
  • Performance
  • Manageability and Control Plane Architecture
  • Data Protection and Recoverability
  • Compliance and Security
  • Virtual Machine Logical Design
  • Virtual Networking Design
  • Third-party Solution Integration

Physical Design Elements

  • Resource Sizing
  • Storage Infrastructure
  • Platform Selection
  • Networking Infrastructure
  • Virtual Machine Physical Design
  • Management Component Design
  • Datacenter Infrastructure (Environmental and Power)

I was very impressed with the PhD from Alpine Testing who guided us through the rubric creation process, and feel that the result is very fair and relevant, yet obtainable by the right candidate. While there is a set of recommended third-party certifications that the NPX suggests you have passed, there is no hard requirement to have passed any other third-party certification exam. You must have passed the Nutanix NPP, though.

Click on the graphic below to expand it, and take a look at the recommended primary and secondary certifications. For example, if you wanted to defend on vSphere and Hyper-V, then you should have the skills of an MCSE: Private Cloud and a VCDX (DCV, DT or Cloud). Again, this is a self-assessment and there is no hard requirement to have passed these certifications to apply for NPX. But be assured the screening process will weed out those falling short, so don’t think you can fudge it and get NPX certified. Be brutally honest in your self-assessment.

[Figure: NPX recommended primary and secondary certifications]

The screening process for NPX applications will be comprehensive, and only those meeting a minimum score will be asked to defend. If you don’t meet the documentation bar, or fail the live defense, there are program guidelines on resubmission that you can read about in the NPX documentation. Bottom line: if you are a Nutanix customer or partner, or work for Nutanix, and want to achieve a world-class, architecture-level certification, then download the handbook and read up on exactly what is involved to see if you qualify. If you don’t yet qualify, then get cracking on the requirements, such as “X”-level knowledge of two hypervisors of your choice.

Personally, I would recommend you actually take and pass the recommended third-party certifications. For example, I found going through the VCDX program to be invaluable on many levels. But Nutanix realizes that, for various reasons, sometimes people can’t sit for those exams (or find little value in multiple-choice tests), and we didn’t want that to be a barrier. That in no way lowers the bar, since our screening process is very rigorous. Our minimally qualified candidate standard is very high, so don’t just throw a 50-page design together and think it can pass.

Other performance-based “X”-level certification documentation packages can take months to prepare and run in excess of 200 pages, and the NPX certification will be no different. This certification is NOT about showing off your technical prowess and throwing every possible solution into your design. You shouldn’t include every Nutanix platform in your design, nor should you throw the entire ecosystem of hypervisor products into it either. It’s all about meeting business requirements in an efficient, simple, and easy-to-manage way using a web-scale approach.

To get started on your NPX certification just go to the registration page here. By registering you can download the free NPX Design Review Preparation Guide and the NPX Program Application. You can also contact Mark Brunstad, the NPX Program manager, at npx@Nutanix.com.

If you are aspiring to be an NPX, be sure to check out Rene Van Den Bedem’s NPX Link-o-Rama.

Good luck!

vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices

Upgrades can be scary times with any enterprise product. The more your critical infrastructure relies on a particular solution, or set of solutions, the more imperative it is that you fully understand and test the new product. Prior vSphere releases have taught us that thorough testing cannot be skipped and that you should not rush a new product into production. No product is bug free, and each environment is different.

Normally for my vSphere installation series I do not cover upgrades, or go through an upgrade process in the series. Why? Customer environments vary wildly, and a simple lab upgrade will likely not look like or behave like your environment. That’s why it’s so critical for you to test in your environment. My upgrade would not look like your upgrade. The more complex your topology, such as multiple SSO services, the more critical testing becomes.

But, what I am doing in this post and the next installment is covering upgrade best practices to help you understand your road ahead and things to keep in mind. This post covers vCenter only, and the next installment covers VMs, VMFS, and ESXi hosts.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

vSphere 6.0 Upgrade Overview

  • Plan your upgrade – Extremely important. KB on update sequence is here.
  • Read the full vSphere 6.0 release notes here
  • Five major steps: vCenter, VUM, ESXi, VMs, VMFS
  • Key VMware Sites to bookmark: Documentation Center, Compatibility Guide, Interop matrix
  • If you upgrade Windows with a service pack or other system changes and get locked out of SSO, read this KB to regain access
  • Great KB on vCenter 6.0 topologies is here

Prior to 5.1 life was simple: you had the vCenter Server, the vCenter database server, and the vSphere Web Client. The vCenter Server is NOT stateless, meaning the database is not all-inclusive. The local vCenter Server holds the SSL certificates and the ADAM database, and ADAM is not just for Linked Mode: it holds data such as licenses, roles, and permissions. If you are using vSphere 5.1, ‘tags’ are also stored locally on the vCenter Server (in the Inventory Service) and thus not in the vCenter database.

Starting with vSphere 5.1 and continuing with 5.5 you have more roles, such as SSO, and you can even have a distributed topology. This makes upgrades more complex and requires additional planning. vSphere 6.0 changes that up by adding the Platform Services Controller (PSC), which bundles the SSO service with new services such as the VMware Certificate Authority. ADAM is now gone, replaced by the PSC’s internal LDAP directory service (vmdir).

Upgrade Matrix

  • In-place upgrade supports vCenter 5.0.x, 5.1.x, and 5.5.x; a 4.x vCenter must first be upgraded to 5.x
  • VMware does NOT support directly migrating an existing 5.x or earlier vCenter Server to a new machine during the upgrade process
  • vCenter Server 6.0 can manage ESXi 5.x and later hosts
  • Check out the vSphere Upgrade Center here

System Requirements

  • Embedded install – 2 vCPUs, 8GB RAM (tiny environment), 100GB disk Recommended. For 400 hosts or 4000 VMs: 8 vCPU, 24GB RAM, 200GB disk. See this link for more Windows sizing details.
  • vCenter OS Support: Only supports Windows Server 2008 SP2 and later (including WS2012 R2). See this KB for the full support matrix.

New Install vs. In Place Upgrade

VMware recommends a fresh install, but sometimes it’s just not possible. Do check out the “Inventory Snapshot” Fling, a great (unsupported) tool to migrate hosts, VMs, and permissions from one Windows vCenter instance to another. It does NOT appear to support tags and currently has some vDS issues. Tags are not stored in the SQL database, so if you use tags, be sure to find a way to migrate them. If you are in a regulated industry with strict audit requirements, you may be legally required to retain the historical data in your vCenter database and so be unable to start fresh.

Very recently released is the VCS to VCVA Converter. What is it? This is an unsupported (officially) method to migrate from a Windows vCenter to the Linux vCenter appliance. It’s released under the technical preview license. It looks very promising, and I’ve seen a lot of buzz on Twitter about it. So check it out, if you want to migrate to the vCenter appliance. I think the vCenter appliance is now production ready at-scale, so this is an excellent time to migrate off Windows.

If you are starting with a fresh install, do take a close look at the VCSA. It now supports the same number of VMs and hosts as the Windows version, and is simple to deploy. New to vSphere 6.0 is the ability to do Linked Mode between VCSA instances, thanks to the removal of ADAM as a Linked Mode dependency. So if you’ve always been a Windows vCenter shop, now is a good time to evaluate going down the VCSA road. It has a new guided install and a pre-check installer too, so VMware is really trying to make it a full replacement. There’s still no external SQL Server support, due to the lack of a GA Microsoft ODBC connector for Linux, but the embedded database is very scalable, so that shouldn’t be a big factor.

Installation – Then and Now

vSphere 6.0 features a new install sequence with a bit more guidance than previous versions. Gone is the “Simple Install” option; instead a scenario-driven installer is used. For example, one of the first screens presents several PSC deployment options. The installer also has a hard check for 2 vCPUs and at least 8GB of RAM. The following screen presents the SSO configuration options, such as creating a new SSO domain or joining an existing one, which is great for upgrades as you can connect to an existing SSO instance.

New to vSphere 6.0 is the embedded vPostgres database, which replaces the prior SQL express option. Don’t worry, you can still specify an external database, such as SQL or Oracle. I also like the new DSN refresh button, so you don’t have to remember to create your DSN before launching the installer. Unlike prior “simple” installer options, this new wizard prompts you for directory paths such as the base vCenter directory and a separate directory for the vCenter/PSC data. Nice!

Before you embark on your vCenter 6.0 install, a MUST read is the VMware vCenter Server 6.0 Deployment guide. It’s in excess of 100 pages, and goes through a lot of upgrade scenarios, deployment topologies, etc. I know it’s long, but after all this is an enterprise product with new topology options. Read thoroughly!

Linked Mode

Linked Mode adds complications to the upgrade process. As you may recall, you can’t link vCenters of different versions, so you first need to unjoin all vCenters from the Linked Mode group. Once you have upgraded two vCenters to 6.0 you can re-establish Linked Mode and add other 6.0 vCenters as they come online. The biggest Linked Mode problems are DNS and NTP failures: it’s critical that name resolution works (forward AND reverse) and that all server clocks are synchronized. All linked vCenter servers must also be part of the same SSO domain. New to vSphere 6.0 is the ability to do Linked Mode between the VCSA and a Windows-based vCenter, and between VCSAs as well!
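Because the two Linked Mode failures called out above (forward/reverse DNS and clock skew) are cheap to check and expensive to discover after the PSC join, here is an added PowerShell pre-flight you can run from an admin workstation against every vCenter and PSC node before upgrading. It is example code written for this post, not the original article’s toolkit or VMware’s; it assumes Windows PowerShell 3.0 or later, and the node names and skew threshold are assumed values.

```powershell
# Added example, not code from the original post: pre-flight the two classic
# Linked Mode / SSO failure causes, name resolution (forward AND reverse) and
# clock skew, for every vCenter and PSC node before upgrading.
# Assumes Windows PowerShell 3.0+ on an admin workstation that can reach the
# nodes; the node names and the skew threshold below are assumed values.

$Nodes     = 'psc01.corp.example.com', 'vc01.corp.example.com', 'vc02.corp.example.com'
$MaxSkewMs = 1000   # Kerberos tolerates 5 minutes by default; aim far lower than that

$results = foreach ($node in $Nodes) {
    $r = [ordered]@{ Node = $node; Forward = ''; Reverse = ''; DnsOK = $false; SkewMs = $null; SkewOK = $false }
    try {
        # Forward: FQDN -> IPv4 address(es)
        $ips = @([System.Net.Dns]::GetHostAddresses($node) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                 ForEach-Object { $_.IPAddressToString })
        $r['Forward'] = $ips -join ','
        # Reverse: each address -> PTR; every PTR must round-trip to the same FQDN
        $ptrs = @(foreach ($ip in $ips) { [System.Net.Dns]::GetHostEntry($ip).HostName })
        $r['Reverse'] = $ptrs -join ','
        $r['DnsOK'] = ($ips.Count -gt 0) -and (@($ptrs | Where-Object { $_ -ieq $node }).Count -eq $ips.Count)
    } catch {
        $r['Reverse'] = "ERROR: $($_.Exception.Message)"
    }

    # Clock skew relative to this workstation, sampled from the node's time
    # service. With /dataonly, w32tm prints lines like "10:05:01, +00.0123456s".
    # (Windows nodes answer by default; a VCSA must permit NTP queries.)
    $out = & w32tm.exe /stripchart /computer:$node /samples:3 /dataonly 2>&1
    $offsets = @($out | ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } })
    if ($offsets.Count -gt 0) {
        $r['SkewMs'] = [math]::Round(($offsets | Measure-Object -Average).Average * 1000)
        $r['SkewOK'] = [math]::Abs($r['SkewMs']) -le $MaxSkewMs
    }
    [pscustomobject]$r
}

$results | Format-Table -AutoSize
# Anything that is not DnsOK and SkewOK gets fixed before Linked Mode or the
# PSC join is attempted; fixing it afterwards means re-registration pain.
$results | Where-Object { -not ($_.DnsOK -and $_.SkewOK) }
```

Skew is measured against the workstation you run this from, so if every node is within the threshold of that box they are within twice the threshold of each other; for the real PSC-to-vCenter number, run it from one of the nodes against the others.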

vCenter Appliance

The VCSA has undergone major scalability increases in 6.0. In 5.1 it was only rated for 5 hosts and 50 VMs when using the embedded database. With 6.0 that is increased to parity with the Windows scalability limits. So that makes it a much more viable solution for enterprise customers. You can NOT migrate from the Windows vCenter to the VCSA, officially. But as previously mentioned, you can try out the VCS to VCVA fling here.

Update Manager

Contrary to some rumors, VUM has not gone away in vSphere 6.0. Apparently the VUM replacement was not quite ready for prime time, so VUM still exists in 6.0. You can upgrade VUM from the 5.0, 5.1 and 5.5 versions. VUM is still Windows-only, so if you deploy the VCSA you will still need a Windows server to host VUM. The web client in 6.0 also has limited VUM functionality, so the C# client is still needed for things like pushing patches and configuring baselines. During the upgrade you can’t change the installation or download paths. Scheduled tasks remain, but patch baselines are removed.

Summary

You need to carefully plan your upgrades, and understand all of the moving components. Generally you would start by upgrading vCenter, then your ESXi hosts. But you may have other products that depend on vCenter which need upgrading first. Thoroughly map out all of your dependencies, read the VMware documentation, then plan in an organized fashion how you are going to upgrade.

Ready, set, go! Download vSphere 6.0 NOW

After some teasing at VMworld 2014, and a few more sessions at PEX 2015, vSphere 6.0 is finally available for download! If you are in a big hurry to download, here are some useful links. vSphere 6.0 release notes can be found here. As always, TEST TEST TEST before putting this into production.

Also remember that I’m working on a long vSphere 6.0 install/configure series of blog posts, along the lines of what I did for vSphere 5.5. Now that vSphere 6.0 is GA, expect to see new posts on a more frequent basis. I’m also working on a new version of my vCenter SSL toolkit, which will debut sometime in the coming month.

Primary Download Links:

ESXi 6.0 and related ISOs
HP ESXi 6.0 Installer ISO
vCenter 6.0 for Windows and Appliance
PowerCLI 6.0
vSphere 6.0 Replication
Data Protection 6.0
VSAN 6.0

Documentation:

vSphere 6.0 Documentation (Full ZIP)
vSphere 6.0 PowerCLI Documentation

Related products also updated today:

VMware vRealize Automation 6.2.1
Site Recovery Manager 6.0
vRealize Infrastructure Navigator 5.8.4
vCenter Operations Manager 5.8.5 in Virtual Appliance
vRealize Orchestration Appliance 6.0.1.0

VMware Horizon 6.1 (Release notes)
VMware Integrated OpenStack

Have fun!

Top Blogger Voting in Full Swing!

Each year Eric Siebert over at vSphere-land.com spends an enormous amount of time setting up the top blogger voting. This recognizes the very hard work that the top bloggers do, and the support they give to the community. Recognition is always fun, but it shouldn’t be the primary reason to blog.

So this year you again have your chance to vote for the top bloggers in various categories. When voting, think about what is important to you in a blogger. Are they more ‘newsy’, hard-core how-to articles, or more opinion based? How frequently do they post? Do you keep referring back to them, or do they provide scripts/tools that make your job easier? Do they repeat content from other sites/sources, or is it original?

Those are some of the criteria I think about when putting in my vote. As a quick year in review for my blog I’ve been consistently updating my vCenter 5.5 SSL toolkit, did a long SQL 2014 Always-On How-To series, live blogged from VMworld 2014 and PEX 2015, plus some Nutanix content.

Weigh in your mind which content has been most valuable to you, then vote based on that information. Last year I made it to #12, which I think had a lot to do with the popular vCenter SSL toolkit. This year I’ll be covering vSphere 6.0 and providing an updated SSL Toolkit.

Voting only runs for two weeks, so take 5 minutes out of your day right now and vote here. Don’t delay or you might forget. Also, remember you can only vote once. So don’t try and game the system, as Eric keeps a close watch out for duplicate or fake votes.
