vCenter Mobile Access (vCMA) and custom SSL certificates

If you haven’t heard of the vCMA Fling, you should stop reading this article and check out http://labs.vmware.com/flings. It is by far my favorite application available.

I like to use valid certificates on all VMware products. I’ve replaced certificates used by vCenter, Update Manager, View and individual ESX/ESXi hosts. Today I started using the newest version of vCMA (vCenter Mobile Access) that has built in SSL support — but uses a generic certificate. I decided to find out how much effort would be required to replace this cert with a valid certificate issued from a certificate authority.

I found the following article that helped a lot. You’ll need everything on page 2 and 3 of the document: http://www.informit.com/articles/article.aspx?p=407886&seqNum=2

The first step was to find the keytool required. A simple “find /|grep keytool” showed me right where the command was, so I changed to that directory:

cd /usr/lib/vmware/mobile/java/jre1.6.0_11/bin

Once in the proper directory, I created a new key file (using the steps in the article above):

./keytool -genkey -alias mobile-vmware -keyalg RSA -keysize 2048 -dname "CN=vcma.domain.test,OU=Organization Name,O=Parent Organization,L=City,ST=State,C=US,emailAddress=vmware-admin@domain.test" -keypass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

Easy enough. Now we need to create a certificate request:

./keytool -certreq -v -alias mobile-vmware -file /etc/mobile/ssl/csr-mobile-vmware.pem -keypass mypass -storepass mypass -keystore /etc/mobile/ssl/mobile-vmware.jks

The command returns the following information if successful:
Certification request stored in file
Submit this to your CA

Take the contents of the generated file and submit them to your certificate authority. Once the file is returned, copy it to /etc/mobile/ssl (I used WinSCP for this task). Another file you’ll need to transfer at this time is the CA certificate (Verisign/internal/etc).

Once you have the two files copied over to the vCMA appliance, you’ll want to prepare your keystore to accept the certificate by importing the CA’s certificate. You can do that with this command:

./keytool -import -v -noprompt -trustcacerts -alias rootcacert -file /etc/mobile/ssl/rootca-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -storepass mypass

The following results should be returned from that command:
Certificate was added to keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Now we are ready to import our actual certificate:

./keytool -import -v -alias mobile-vmware -file /etc/mobile/ssl/mobile-vmware-certnew.cer -keystore /etc/mobile/ssl/mobile-vmware.jks -keypass mypass -storepass mypass

The following results should be returned from that command:
Certificate reply was installed in keystore
[Storing /etc/mobile/ssl/mobile-vmware.jks]

Almost at the end now…

We need a text editor, so I went the easy way and installed one I know how to use. You can do the same with “yum install nano”.

nano /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.28/conf/server.xml

Look through the file for the line that starts with

<Connector port="443" protocol="HTTP/1.1"

In that Connector element, change the keystoreFile attribute to “/etc/mobile/ssl/mobile-vmware.jks” and the keystorePass attribute to “mypass” (the -storepass value used with keytool above).

Once the code is modified, save the file and exit nano. Now type the following:

service mobile restart

This restarts the vCMA application to read in the certificate changes we made. Now when you access vCMA you should check the certificate — it should be the valid one you created.
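To make that last check repeatable from a Windows workstation, here is an added example (not part of the original post) that opens a TLS connection to the appliance and reports the subject, issuer and any chain or host-name validation errors; it assumes the host name vcma.domain.test used in the keytool -dname above.

```powershell
# Added example, not from the original post: confirm that vCMA now presents the
# CA-issued certificate. Run it after "service mobile restart".
function Get-VcmaCertificate {
    param(
        [string]$HostName = 'vcma.domain.test',   # CN from the keytool -dname (assumed)
        [int]$Port = 443
    )
    # The callback records chain/name errors instead of aborting the handshake,
    # so the report below can show them.
    $state = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            PolicyErrors = $state.Errors   # None means chain and host name validated
        }
    }
    finally {
        $client.Close()
    }
}

$info = Get-VcmaCertificate
$info | Format-List Subject, Issuer, NotAfter, Thumbprint, PolicyErrors
# Anything other than None means the workstation does not trust the chain
# (CA certificate not in its trust store) or the CN does not match the host name.
if ($info.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "Certificate problem: $($info.PolicyErrors)"
}
```

If the subject still shows the generic vCMA name, the Connector in server.xml is not pointing at the new keystore or the service was not restarted.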

Posted in Virtualization | 6 Comments

Get ActiveSync Users

When you have almost 30,000 mailboxes, managing ActiveSync can become a nightmare. The nice thing about ActiveSync is that it just works. There is not much configuration needed to set it up, but if you do not plan ahead, you can find yourself in the same predicament as us and have 1500 people connecting through some sort of mobile device without any security policy. This is a huge security risk, and to combat it we are slowly implementing security policies by agency. So the first step in my process was to get a list of all users that have connected in the last 30 days.

This first way takes a long time if you have lots of mailboxes; for example, it takes over 55 minutes to complete in our environment. If you do not have a lot of mailboxes, this method should work fine for you. The report creates a CSV listing each user's name and type of device.

Get-Mailbox -ResultSize:Unlimited | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity -ErrorAction SilentlyContinue}| Where{$_.LastSuccessSync -gt '01/01/11'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType | Export-Csv -Path:"c:\MobileDevices.csv"

One of the bad things about the above script is that it will more than likely return some duplicates. To combat that, I added a where statement so I only get the devices that have synced in the last 30 days.

get-mailbox -ResultSize unlimited -Filter {EmailAddresses -like "*@email.com" } | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity  -ErrorAction SilentlyContinue}| where {$_.lastsuccesssync -gt '02/01/2011'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType

OK, now here is a quick way of doing the same thing but using a filter. I recommend always using a filter to get your results. In this example we are filtering on EmailAddresses and only listing those people that have synced a device in the last 30 days. I spent a few hours trying to figure out how best to do this, and this is the best I could come up with. Please leave a comment if you know of a better way.

get-mailbox -ResultSize unlimited -Filter {EmailAddresses -like "*@email.com" } | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity  -ErrorAction SilentlyContinue}| where {$_.lastsuccesssync -gt '02/01/2011'} | Sort-Object -Property DeviceType,Identity | Select-Object @{name="EmailAddress";expression={$_.Identity.ToString().Split("\")[0]}},DeviceType | Export-Csv -Path:"c:\MobileDevices_email.com.csv"
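As an added example (not the post's own script), the same report with the 30-day window computed at run time rather than a hard-coded date, one row per mailbox and device, and each device's policy state, which is the figure the post is ultimately after; it assumes Exchange 2010 cmdlets, and DevicePolicyApplied and DevicePolicyApplicationStatus are assumed property names on the statistics object.

```powershell
# Added example, not from the original post. Assumes Exchange 2010 cmdlets;
# DevicePolicyApplied / DevicePolicyApplicationStatus are assumed property names.
$domain = 'email.com'                 # address filter from the post
$cutoff = (Get-Date).AddDays(-30)     # "synced in the last 30 days"

$rows = Get-Mailbox -ResultSize Unlimited -Filter "EmailAddresses -like '*@$domain'" |
    ForEach-Object {
        $mailbox = $_
        Get-ActiveSyncDeviceStatistics -Mailbox $mailbox.Identity -ErrorAction SilentlyContinue |
            Where-Object { $_.LastSuccessSync -gt $cutoff } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    EmailAddress  = $mailbox.PrimarySmtpAddress.ToString()
                    DeviceType    = $_.DeviceType
                    DeviceModel   = $_.DeviceModel
                    DeviceId      = $_.DeviceID
                    LastSync      = $_.LastSuccessSync
                    PolicyApplied = $_.DevicePolicyApplied
                    PolicyStatus  = $_.DevicePolicyApplicationStatus
                }
            }
    }

# Collapse repeated partnerships for the same mailbox and device ID (the duplicates
# the post mentions).
$unique = $rows | Sort-Object EmailAddress, DeviceId -Unique

$unique | Sort-Object DeviceType, EmailAddress |
    Select-Object EmailAddress, DeviceType, DeviceModel, LastSync, PolicyApplied, PolicyStatus |
    Export-Csv -Path "c:\MobileDevices_$domain.csv" -NoTypeInformation

# Recently synced devices with no policy applied are the ones to chase first.
$noPolicy = @($unique | Where-Object { -not $_.PolicyApplied })
Write-Host ("{0} of {1} active devices report no ActiveSync policy" -f $noPolicy.Count, @($unique).Count)
```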
Posted in Messaging, Scripting | 1 Comment

Guest bloggers

Good evening, I have been speaking with co-workers about this blog and a few expressed interest in blogging about their day-to-day systems administration duties. In the near future you may see some posts from Steve Kremer. Steve is a co-worker of mine who deals with Active Directory, Citrix and Enterprise Messaging. Steve brings years of experience and a wide array of knowledge.

Posted in Messaging | Leave a comment

vCheck (daily report) version 5.31

As many of you know, I have created a vCheck feature request list (http://bit.ly/dGrNjh) using comments from the Virtu-Al.net site. I’ve been working through them as time permits.

In a post earlier in the week, I provided a solution to make ‘vCheck as a vSphere Client “Solutions and Application”‘. This post attempted to resolve feature request items #16 and #17. If you are interested, that post is available here: http://enterpriseadmins.org/blog/?p=258. It is not really a change to vCheck, but some steps that need to happen to make vCheck appear in vCenter.

Today I am posting more updates to vCheck. This updated version includes feature requests #2, #11 and #51.

# Version 5.31- bwuch: Bug fix for LockdownMode
# Version 5.30- bwuch: Add check for VMtools installer connected
# Version 5.29- bwuch: Add check for VM capacity forecasting
# Version 5.28- bwuch: Change to Get-HTMLTable function for possible performance improvements

I’m sure update 5.28 was suggested in the Virtu-Al.net comments, but for some reason I couldn’t find it on the feature request list.

Update 5.29 isn’t perfect and I wanted to let everyone know. There are comments in the code, but I wanted to add them to this post for reference. Instead of looping through all of the virtual machines and adding up the amount of space used, I simply subtract the datastore free space from the capacity and assume that is how much is being used. We also make the assumption that no more than 85% of a datastore’s capacity will be used (to reserve room for thin-provisioned growth, snapshots, changed block tracking and log files). These assumptions make the code run pretty fast, but I’ve seen some oddities in my test environment. (Like -41 virtual machines remaining in a data center I’m sure has enough free space for 1 or 2 more VMs 🙂 ) Here is what I’ve added to the comments of the script for reference:

# The disk forecast will be per datacenter instead of per cluster since
# Get-Datastore -Entity only supports VirtualMachine, VMHost, and Datacenter objects.
# To improve performance in code, we are going to make the following assumptions
#   Assumption 1.) Disk capacity - Free Space = space used by VMs
#   Assumption 2.) used space / count of VMs = Avg Space used per VM
#   Assumption 3.) we will reserve 15% of capacity for overhead

If anyone else has a better solution (fast and accurate) please let me know.
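To show where the negative "VMs remaining" figure comes from, here is an added example (not vCheck code) that applies the three assumptions from the script comments to constructed datastore figures; the datastore objects with CapacityMB and FreeSpaceMB are built inline so it runs without PowerCLI.

```powershell
# Added example, not vCheck code: the 5.29 forecast assumptions on constructed data.
function Get-VmCapacityForecast {
    param(
        [object[]]$Datastores,      # objects with CapacityMB and FreeSpaceMB
        [int]$VmCount,              # VMs in the datacenter
        [double]$Reserve = 0.15     # Assumption 3: 15% of capacity kept for overhead
    )
    $capacity  = ($Datastores | Measure-Object CapacityMB -Sum).Sum
    $free      = ($Datastores | Measure-Object FreeSpaceMB -Sum).Sum
    $used      = $capacity - $free                                        # Assumption 1
    $avgPerVm  = if ($VmCount -gt 0) { $used / $VmCount } else { 0 }      # Assumption 2
    $usable    = $capacity * (1 - $Reserve)
    $remaining = if ($avgPerVm -gt 0) { [math]::Floor(($usable - $used) / $avgPerVm) } else { $null }
    New-Object PSObject -Property @{
        CapacityMB   = $capacity
        UsedMB       = $used
        UsableMB     = $usable
        AvgPerVmMB   = [math]::Round($avgPerVm)
        VmsRemaining = $remaining
        # True means used space is already past the 85% line; the forecast then goes
        # negative even though free space remains. That is the "-41" oddity.
        PastReserve  = ($used -gt $usable)
    }
}

# Constructed sample: two datastores, 200 VMs, free space below the 15% reserve.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'ds01'; CapacityMB = 2048000; FreeSpaceMB = 102400 }),
    (New-Object PSObject -Property @{ Name = 'ds02'; CapacityMB = 1024000; FreeSpaceMB = 51200 })
)
Get-VmCapacityForecast -Datastores $sample -VmCount 200 |
    Select-Object CapacityMB, UsedMB, UsableMB, AvgPerVmMB, VmsRemaining, PastReserve
```

With these figures the free space would still hold several average-size VMs, yet VmsRemaining comes out negative because free space is already below the 15% reserve; treating a negative result as zero, or reporting PastReserve separately, avoids the confusing number.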

Here is version 5.31 for those interested: Download vCheck5.31.ps1.txt

Posted in Scripting, Virtualization | 20 Comments

vCheck as a vSphere Client “Solution and Application”

I’ve always stored my vCheck report output file in “C:\ProgramData\VMware\VMware VirtualCenter\docRoot\vCheck”. I use the file name “index.html” for the output file name, which makes it the default document name for that folder. I’ve always thought this was a really cool place to put the report, because I can simply type my vCenter server name with a “/vCheck” and see the latest report [for example, http://vcenter.domain.local/vCheck]. It automatically rewrites the URL to https just like when you go to the normal vcenter.domain.local URL.

The problem is, what I really wanted all along was for it to open up in vCenter. (It is also feature request #16 and #17 on the vCheck feature request list) I looked over the instructions at http://read.virtualizeplanet.com/?p=352 and made a sample plugin. I told it to open https://vcenter.domain.local/vCheck and then placed the XML file into my local “C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Plugins” just for testing. Re-launching my vCenter client gave me the new tab as expected. So far, so good. When clicking my new tab it gave me an error.

Web Browser Unable to download vCheck from vcenter.domain.local.  Unable to open this Internet site.  The requested site is either unavailable or cannot be found. Please try again later.

I double checked my plugin XML file and everything was in order. A little more digging showed that the current ‘moref’, ‘serverGuid’, ‘sessionId’ and other query strings were being passed to my document. It appears that Apache couldn’t process those query strings, so I decided to look somewhere else. A little bit of Googling found a nice write up by EMC vSpecialist @clintonskitson. The write up is available here: https://community.emc.com/message/522461 I created a copy of the index.jsp from “C:\Program Files\VMware\Infrastructure\tomcat\webapps\ROOT” and named it “vCheckRedirect.jsp”. I removed nearly all of the code and made the page do a very basic META REFRESH redirect to my existing report.

I then updated my Plugin XML to use https://vcenter.domain.local:8443/vCheckRedirect.jsp. The tab now opens a Java page, which does a simple redirect, which opens my vCheck in a tab.

That’s pretty cool, but still not what I really wanted. I now have to be in the data center inventory view to see my tab. I wanted it on the home page under ‘Solutions and Applications.’ You know, where things like Capacity IQ and vCenter Update Manager appear.

The plugin XML file had an extension parent of “InventoryView.Datacenter”. A little more digging and I found the solution. The extension parent I really wanted was “HomeView.Applications”. If you want to find more really cool places you could put this, check out the VMware document showing all of your options. It can be found here: http://www.vmware.com/support/developer/vc-sdk/vcplugin/vSphere_Plugin_40_Technote.pdf

The following articles and documents really helped along the way:

http://read.virtualizeplanet.com/?p=352
https://community.emc.com/message/522461
http://www.vmware.com/support/developer/vc-sdk/vcplugin/vSphere_Plugin_40_Technote.pdf

In case anyone wants to try these steps out, I’ve created a zip file that contains some Instructions and the two files needed — the plugin XML and the JSP redirect page. You can get the zip file here: vCheckPlugin.

If you test it out, please post a comment below and let me know if it worked. Thanks!

Posted in Scripting, Virtualization | 3 Comments