
VMware vMA authentication methods November 28, 2012

Posted by vbry21 in VCAP5-DCA, VMware Training.

As part of the preparation for the VCAP5-DCA exam, and also as part of teaching the VMware vSphere Optimize and Scale course, I’ve been looking at managing an ESXi host and vCenter through VMware’s vMA (vSphere Management Assistant).

The command structure can become quite tedious.

For example, listing the network cards without using an authentication method looks like this:

vicfg-nics --server esxi01a.qavdc.com --username root --password P@ssw0rd -l

However, vMA does provide its own authentication interface.

The vMA authentication interface enables users and applications to authenticate with the target servers by using vi-fastpass or Active Directory (AD). While adding a server as a target, the administrator can determine whether the target must use vi-fastpass or AD authentication. For vi-fastpass authentication, the credentials that a user has on the vCenter Server system or ESXi host are stored in a local credential store. For AD authentication, the user is authenticated with an AD server.

When you add an ESXi host as a fastpass target server, vi-fastpass creates two users with obfuscated passwords on the target server and stores the password information on vMA:

vi-admin with administrator privileges

vi-user with read-only privileges

The creation of vi-admin and vi-user does not apply for AD authentication targets. When you add a system as an AD target, vMA does not store information about the credentials. To use the AD authentication, the administrator must configure vMA for AD.

Configure vMA for Active Directory authentication so that ESXi hosts and vCenter Server systems added to Active Directory can be added to vMA. Joining the vMA to Active Directory prevents you from having to store the passwords in the vMA credential store. This approach is a more secure way of adding targets to vMA.

Ensure that the DNS server configured for vMA is the same as the DNS server of the domain. You can change the DNS server by using the vMA Console or the Web UI.

Ensure that the domain is accessible from vMA. Ensure that you can ping the ESXi and vCenter Server systems that you want to add to vMA. Ensure also that pinging resolves the IP address to the target server's domain.

To add vMA to a domain:

From the vMA console, run the following command:

sudo domainjoin-cli join <domain_name> <domain_admin_user>

When prompted, provide the Active Directory administrator’s password.

Restart vMA.

For further information, read VMware’s vMA product documentation.


Connection Options in the vMA (VMware Management Assistant) May 23, 2012

Posted by vbry21 in VMware blogs.

<conn_options> What????

When using the vMA (VMware Management Assistant), all the examples include a placeholder, for example vicfg-vswitch <conn_options>. But what are these connection options? They’re listed below.

--cacertsfile             Specifies the CA certificate file
--config                  Path to a configuration file
--credstore               Name of credential store file
--encoding                Specifies the encoding to use
--passthroughauth         Use Microsoft Windows Security SSPI
--passthroughauthpackage  Specify Domain-Level authentication protocol to be used
--password                Log in password
--portnumber              Uses specified port to connect
--protocol                Uses specified protocol to connect
--savesessionfile         Saves the session to the specified file
--server                  The ESXi or vCenter host
--sessionfile             Uses the specified file to load a saved session
--url                     Connect to vSphere Web Services SDK URL
--username                User name to log in to system
--vihost                  Name of ESXi host to run the command against

Phew, quite a few connection options. Generally you will probably use the following:

vicfg-vswitch --server vc01.qavdc.com --username administrator --password abcd1234 --vihost esxi01.qavdc.com -B both vSwitch0

The above connects to vc01 and sets CDP to both for vSwitch0 on the esxi01 host.
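
As an added example (not from the original posts or VMware's documentation): both sample commands on this page put --password on the command line, where the value is saved in shell history. The script below scans history-style lines for vCLI commands that do this and prints them with the password masked. The sample lines are constructed and the tool-name pattern is an assumption.

```shell
#!/bin/sh
# Added example: find vCLI command lines that carry --password in clear text.

# Constructed sample input (history-style lines, not from a real system).
sample_history() {
cat <<'EOF'
vicfg-nics --server esxi01a.qavdc.com --username root --password P@ssw0rd -l
vifptarget -s esxi01a.qavdc.com
vicfg-nics -l
vicfg-vswitch --server vc01.qavdc.com --username administrator --password=abcd1234 --vihost esxi01.qavdc.com -B both vSwitch0
vicfg-vswitch --server vc01.qavdc.com --sessionfile /tmp/vc01.session -l
echo "--password is a connection option"
EOF
}

# Reads command lines on stdin; prints "line N: <command>" for every vCLI
# command that passes --password, with the password value replaced by ****.
audit_vcli_cmdlines() {
    awk '
    {
        cmd = ($1 == "sudo") ? $2 : $1
        # Assumed tool-name pattern; extend it for the vCLI commands used locally.
        if (cmd !~ /^(vicfg-|esxcfg-)/ && cmd != "esxcli" && cmd != "vmkfstools") next
        hit = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "--password" && i < NF) {
                $(i + 1) = "****"          # form: --password VALUE
                hit = 1
            } else if ($i ~ /^--password=/) {
                $i = "--password=****"     # form: --password=VALUE
                hit = 1
            }
        }
        if (hit) printf "line %d: %s\n", NR, $0
    }'
}

# Demo on the constructed sample. On a real system, feed a history file
# instead, for example: audit_vcli_cmdlines < "$HOME/.bash_history"
sample_history | audit_vcli_cmdlines
```

Lines that use a fastpass target (vifptarget) or --sessionfile are not reported, since no password appears on them.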