Trusted SSL certificates in OSX 10.15+ and iOS 13+

I deployed a new vSphere VCSA for my homelab in December 2019 (last month). By default these come with a self-signed SSL certificate that’s valid for 10 years. Of course I typically replace these with a signed certificate but it’s not always the first thing that I do.

What I found this time however is that on my Mac neither Chrome nor Brave would let me reach the web UI. Only Firefox would. I expect security warnings for self-signed (and hence untrusted) certificates. In the former two browsers, though, the message suggests that the certificate is invalid in some other way:

What’s actually happening is that, as of macOS 10.15 and iOS 13, TLS server certificates have to meet certain criteria before they are treated as valid. These are documented here: https://support.apple.com/en-us/HT210176.

In the case of the vCenter VCSA, the validity period (10 years) is well over 825 days. Hence no dice. It would be better if Chrome were clearer about that.
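To make that rule concrete, here is an added example (my own code, not anything from the original post or from VMware) that lints a certificate against the HT210176 requirements linked above: the 825-day validity limit and the id-kp-serverAuth EKU requirement, which Apple applies to certificates issued on or after 1 July 2019, plus the RSA key size, SHA-2 signature and Subject Alternative Name rules that apply to every certificate. It builds two self-signed certificates in memory as constructed test data (the hostname vcsa.lab.example is a placeholder): a ten-year one issued in December 2019, like the appliance default described above, and a replacement that meets the rules.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HT210176: the 825-day limit and the serverAuth EKU requirement apply to
// certificates issued on or after 1 July 2019; the other rules apply to all.
const maxValidity = 825 * 24 * time.Hour

var validityCutoff = time.Date(2019, 7, 1, 0, 0, 0, 0, time.UTC)

// CheckAppleTrust reports which of those rules cert breaks. An empty result
// means the certificate passes every check implemented here.
func CheckAppleTrust(cert *x509.Certificate) []string {
	var problems []string
	issuedAfterCutoff := !cert.NotBefore.Before(validityCutoff)

	if validity := cert.NotAfter.Sub(cert.NotBefore); issuedAfterCutoff && validity > maxValidity {
		problems = append(problems, fmt.Sprintf("valid for %.0f days, limit is 825", validity.Hours()/24))
	}
	if rsaKey, ok := cert.PublicKey.(*rsa.PublicKey); ok && rsaKey.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, minimum is 2048", rsaKey.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		problems = append(problems, "signed with "+cert.SignatureAlgorithm.String()+", SHA-2 is required")
	}
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		problems = append(problems, "no Subject Alternative Name (a Common Name alone is ignored)")
	}
	if issuedAfterCutoff {
		serverAuth := false
		for _, eku := range cert.ExtKeyUsage {
			if eku == x509.ExtKeyUsageServerAuth {
				serverAuth = true
			}
		}
		if !serverAuth {
			problems = append(problems, "ExtendedKeyUsage does not include id-kp-serverAuth")
		}
	}
	return problems
}

// selfSigned builds a self-signed server certificate with the given options.
// Constructed test data for this example; vcsa.lab.example is a placeholder.
func selfSigned(key *rsa.PrivateKey, notBefore time.Time, days int, san, serverAuth bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vcsa.lab.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if san {
		tmpl.DNSNames = []string{"vcsa.lab.example"}
	}
	if serverAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	// Go signs with SHA256WithRSA by default for an RSA key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	dec2019 := time.Date(2019, 12, 15, 0, 0, 0, 0, time.UTC)
	// Ten-year self-signed certificate issued in December 2019, as in the post.
	applianceDefault, err := selfSigned(key, dec2019, 3650, false, false)
	if err != nil {
		panic(err)
	}
	// A replacement with a SAN, the serverAuth EKU and a one-year lifetime.
	replacement, err := selfSigned(key, dec2019, 365, true, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("appliance default:", CheckAppleTrust(applianceDefault))
	fmt.Println("replacement:", CheckAppleTrust(replacement))
}
```

The same ten-year lifetime on a certificate issued before 1 July 2019 passes the validity check, which is why an older appliance can keep working on a freshly updated Mac while a newly deployed one does not.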


Documenting vCenter Privileges with PowerCLI

A customer that I’m working with at present asked this week if the minimum privileges required for vRA to access a vSphere Endpoint could be documented. As someone who isn’t a fan of unnecessary wheel re-invention, my initial response was to direct them to the relevant VMware documentation (vRA 7.3 vSphere Agent Requirements).

Then they explained why that wouldn’t quite cover their requirement. I won’t explain exactly why, but they wanted a matrix that showed exactly what privileges each of the vRealize products (and associated management packs) needed in vCenter to provide to their security team. Somewhere in the dark and dusty reaches of my mind, a lightbulb flicked on…


Wait, I’ve done this before!

Like a number of other bloggers in my industry, I started this as a place to record some of the things that I was doing in the hope that they might be useful to someone else, or even useful for myself in the future.


Root password expired on vCenter VCSA 6.5

I thought I’d update my homelab’s primary vCenter to the latest and greatest (6.5 update 1d), when I encountered an issue with the root password. The update showed up OK in the appliance’s VAMI interface and I selected to install it, but an error quickly showed up:

VCSA 6.5 is not ready to be updated

Not ready, huh? When I clicked on the “Show Details” button, I saw a message informing me that the root password had expired or was expiring soon:

VCSA 6.5 update is blocked by expired root password

Well ok, I’ll go and reset it and turn off the expiry, I thought. (That process is covered in the vCenter documentation.) But noooo, permission denied! The password couldn’t be set and the expiry settings could not be changed.


vCenter’s Number – Is It Up?

(This is all based on information that’s in the public domain at the time of writing and is all my own opinion. I may very well be wrong!)

ESXi first saw the light of day as version 3.5 in 2007 / 2008. Rumours were rife after ESXi 4.0 was released in 2009 that the clock was now ticking on ESX “Classic”. With the release of 4.1 in 2010 VMware finally confirmed the rumours and, from 5.0 onwards it’s been ESXi only.

You know this already of course if you’ve been working with vSphere for any length of time. The reason that I’m bringing it up though is because I think it’s a clue as to what’s going to happen to vCenter in the future.

The vCenter Server Appliance (vCSA) first appeared as a technology preview called “vCenter 2.5 on Linux”. It became vCSA as of vSphere 5. Subsequent releases (5.1 and 5.5) have seen many changes and it’s becoming more compelling with each version. Could it be only a matter of time before VMware announce that vCSA will be the only version of vCenter available? I believe it is VMware’s intention, yes.

Consider VMware’s recently published convergence plan for vCD. It states that the functionality offered in vCD will gradually be separated and merged into either vSphere / vCenter or into vCAC. The timetable for this change isn’t clear yet but given that vCD is Linux based, it might be more logical (or simpler) to integrate some of its functions into vCSA rather than into vCenter for Windows.

Look at many of VMware’s other products and a good number are Linux appliance based. Of course there are exceptions, with perhaps some of the biggest currently being vCAC and Horizon View, but they’re both acquired products.

Increasingly we’re also seeing a move away from a Windows vSphere Client to a Web Client. Some functionality in vCenter 5.5 is only accessible via the Web Client. Of course the Windows Client might be kept on as a means to administer the free version of ESXi – time will tell.

None of these things are concrete proof of intent but they, and other things, make my spider senses tingle. It might not happen with vSphere.next as there could be some challenges to overcome still. There would have to be complete support and integration with VMware’s other products as one example. As another example, some customers might want vCSA to support MSSQL before they’d consider it ready for production.

In short though, I think that vCenter’s days on Windows are numbered. What that number is though, I couldn’t say.


Configuring vCenter Orchestrator

Article by Michael Poore (@mpoore)

vCenter Orchestrator (vCO) is a no-charge extra for vCenter Server owners. In fact the binaries are installed alongside vCenter Server itself.

This post covers what you need to configure vCO and start to use it. It’s based on the GA release of vCenter 5.0. (Of course I should point out that other orchestration products are available.)


Trying vCenter CapacityIQ

Previously I have posted about trying out vCenter Operations. Now the trial, assuming that you went down that route, is actually for vCenter Operations Advanced version. This includes vCenter CapacityIQ. It would be remiss of me not to talk about that too so here goes…

I’m going to assume that CapacityIQ has already been downloaded. After all, you signed up for the vCenter Operations trial didn’t you?

As with the Operations VM, CapacityIQ is delivered in an OVF package and installing it is as easy as:

1) – Open your vSphere Client and select “Deploy OVF Template…” from the file menu

2) – Locate and select the OVF file for CapacityIQ in the OVF deployment wizard

3) – Accept the EULA. Assign a name. Select a location, cluster and resource pool. Pick a datastore and disk format (thin or thick provisioned). Map the VM to a network (see screenshot below). Click Finish.

It shouldn’t take long to deploy. Typically a minute or so.

Before powering on, take a look at what has been provisioned. The CapacityIQ VM is configured as a 32-bit Red Hat (RHEL) OS with 2 vCPUs and 3600 MB of RAM. Now you’d hope that with a level of memory that specific the VM has been “tuned” or optimised in some way. We’ll look into that in a later post I think.

Interestingly, the VM hardware version is only 4. Now although CapacityIQ (version 1.5+) works with vCenter Server 4.0 onwards, it will work when that vCenter manages ESX hosts that are version 3.0.2 and above. The assumption therefore must be that it is possible that the CapacityIQ VM might run on these hosts and so the VM hardware version cannot be 7.

The remainder of the configuration of CapacityIQ is performed initially at the VM’s console screen and then through a web browser. So go ahead and power it on.

Give it a few seconds to boot. You’ll notice if you watch the console that interface eth0 fails to come up. There’s no DHCP available and IP configuration hasn’t taken place yet.

Eventually, you are prompted to set a root password. After that you will need to set a password for the user ciqadmin too.

Once these are done, the appliance will continue to boot. Once this is complete, you will be faced with a similar screen to the one used to configure the vCenter Operations appliance.

Use the cursor keys to select “Configure Network”. You’ll need then to decide (if you haven’t already) whether or not to use DHCP and if not you’ll need to provide some IP configuration details.

** Do be careful entering the information below. I messed up one time and even after correcting the information I couldn’t get HTTPS access to the appliance to work. It could have been a coincidence but if you find this happening, just redeploy the appliance and start again 🙂 **

Once finished, the configuration is applied. If it’s successful then the console will prompt you to go to https://<IP address> to manage and register CapacityIQ. That’s the next step.

Once you’ve acknowledged the inevitable SSL certificate warning, you will reach a login page. Log in here using the ciqadmin account whose password you set earlier.

There are a few configuration tabs that you can browse through and setup.

We’re just going to focus at the moment on connecting CapacityIQ to vCenter. As you can see in the middle pane, we haven’t registered yet. Click the “Register” button to go ahead and do that.

You’ll need to enter the FQDN or IP address of your vCenter server and some credentials with which to authenticate to it. I should point out that the reason why the “vCenter CapacityIQ Address” section shows the domain name as being unavailable is probably because I haven’t created a DNS entry for the appliance in AD. If you’re serious about using CapacityIQ you might want to do that; this is just a demo though.

Successful registration will do two things. Firstly, you’ll see some changes to the “Setup” tab in the web GUI.

Secondly, the next time you connect to vCenter using the vSphere Client, you’ll see a new icon on the “Home” page. If you click on that (and acknowledge the SSL certificate warning) you’ll be into CapacityIQ.

As with vCenter Operations, CapacityIQ needs some time to gather data before it will display anything meaningful. In the spirit of Blue Peter though, here’s one I made earlier…


So, that’s all for now. Have a poke round the interface yourself and find out what you can see and do.


Trying vCenter Operations

As I mentioned a little while ago, vCenter Operations is a new management product that VMware are bringing out. Well, actually they’ve now brought it out as of Monday. I thought I’d check it out…


To sign up for a trial and download vCenter Operations, you simply need to head over to VMware’s “Support and Downloads” page and expand the “Infra & Ops Management” section.

Follow the download link, register for a free trial, accept the Ts & Cs and download the software.

vCenter Operations comes as virtual appliance (you download an OVA file) that’s about 600MB+ in size. Depending on the size of your internet connection, you may want to do something else right now.


I don’t want to teach people how to suck eggs, but if you’ve never installed a virtual appliance before, it’s pretty much just a case of clicking “Deploy OVF Template” from the file menu in your vSphere Client and following the instructions. It’s very easy and takes only a couple of minutes.

As soon as it’s complete, find the appliance in vCenter and power it on. It won’t have any network configuration setup yet though.



Now it’s running, we need to configure the appliance. This is done in two stages. The first part involves getting the appliance connected to the network. The second part is establishing a connection to a vCenter server and licensing the appliance.

Network Configuration

In this example I’m using a static address. Before you start, make sure you know which address, subnet mask, gateway and DNS servers you want to use. The appliance also needs a hostname.

First, open the VM console.

As you can see, the appliance doesn’t have an IP address yet. Switch mouse and keyboard focus into the VM and use the cursor keys to highlight “Configure Network” and press Enter.

Follow the prompts, entering “y”, “n” or whatever configuration data it asks for. You can see above how I have configured mine. Eventually you’ll be prompted to confirm the settings. If you do, the network gets configured and you get dropped back to the welcome screen again.

Connecting to vCenter and Licensing

The next stage is accomplished using a web browser and the vSphere Client. First, point a web browser at the IP address you gave the appliance (and move past the SSL certificate warning).

Once you login with the default user name and password (admin / admin) you’ll be prompted to change the password. Next you’ll get prompted to add a vCenter Server.

You may want to set up a dedicated account which the appliance uses to talk with vCenter as it’s bad practice to use your own account! You’ll see a certificate warning as the appliance connects to the vCenter server. This can probably be ignored in most cases.

If the action is successful, you’ll then get prompted to head over to the vSphere Client and apply a license.

There are some other settings that you can make through the web browser (SMTP and SSL settings for instance) but I’ll leave you to play with them.

In the vSphere Client, head to the “Licensing” page and click on the “Manage vSphere Licenses” link.

In the wizard, enter your vCenter Ops trial license and complete the wizard, assigning the new license to the vCenter Operations appliance in the process. (Note that when assigning the key, the vCenter Operations appliance can be found on the “Solutions” tab.)

That’s it, job done.

What Next?

That’s the basic configuration of the appliance done. Now it will interrogate vCenter for lots of information. To have a look at what it has collected and determined, head back to the home screen of your vSphere Client. At the bottom you will see a new icon under “Solutions and Applications”.

Click it and go!

As Steve Bryen (@virtualportal) so eloquently put it this morning, “Plenty of pretty colours”. In my case, I’m not sure if it’s a good thing or not yet. Either way, go and try it out for yourself.


Released: vCenter 2.5 Update 6

vCenter 2.5 Update 6 was released on Friday. Whilst I’m not working with any 3.5 / 2.5 environments at the moment this is good news because Windows Server 2008 R2 guest customisations have been added. Also added is support for Firefox 3.x using vCenter Web Access. The full release notes are here.

I’m going to stick my neck out a bit and suggest that this may be the final update to vCenter 2.5 before it reaches the end of General Support in May.


ESX 3.5 U5

I mentioned ESX 3.5 Update 5 only yesterday in my post about VMtools on Windows 2008 R2. Little did I know that 16 hours later I’d be writing about it again to say that it had been released!

The update can be downloaded from VMware’s website as usual. Shamelessly copied from the release notes, here’s what you can expect to have changed:

Enablement of Intel Xeon Processor 3400 Series – Support for the Intel Xeon processor 3400 series has been added. Support includes Enhanced VMotion capabilities. For additional information on previous processor families supported by Enhanced VMotion, see Enhanced VMotion Compatibility (EVC) processor support (KB 1003212).

Driver Update for Broadcom bnx2 Network Controller – The driver for bnx2 controllers has been upgraded to version 1.6.9. This driver supports bootcode upgrade on bnx2 chipsets and requires bmapilnx and lnxfwnx2 tools upgrade from Broadcom. This driver also adds support for Network Controller – Sideband Interface (NC-SI) for SOL (serial over LAN) applicable to Broadcom NetXtreme 5709 and 5716 chipsets.

Driver Update for LSI SCSI and SAS Controllers – The driver for LSI SCSI and SAS controllers is updated to version 2.06.74. This version of the driver is required to provide a better support for shared SAS environments.

Newly Supported Guest Operating Systems – Support for the following guest operating systems has been added specifically for this release:

  • Windows 7 Enterprise (32-bit and 64-bit)
  • Windows 7 Ultimate (32-bit and 64-bit)
  • Windows 7 Professional (32-bit and 64-bit)
  • Windows 7 Home Premium (32-bit and 64-bit)
  • Windows 2008 R2 Standard Edition (64-bit)
  • Windows 2008 R2 Enterprise Edition (64-bit)
  • Windows 2008 R2 Datacenter Edition (64-bit)
  • Windows 2008 R2 Web Server (64-bit)
  • Ubuntu Desktop 9.04 (32-bit and 64-bit)
  • Ubuntu Server 9.04 (32-bit and 64-bit)

For more complete information about supported guests included in this release, see the VMware Compatibility Guide: http://www.vmware.com/resources/compatibility/search.php?deviceCategory=software.

Naturally you’ll need to upgrade vCenter to Update 5 to gain some of these benefits. The release notes for that mention only one significant enhancement:

Support for High Consolidation in VMware HA Clusters – VirtualCenter 2.5 Update 5 includes significant performance and scalability improvements to VMware HA. Use VirtualCenter 2.5 Update 5 for environments with more than 35 virtual machines per host in an HA cluster.
For information on the ESX Server host settings required for this scalability improvement, see ESX Server host settings required for environments with up to 80 virtual machines per host in an HA Cluster (KB 1012002).

I think that there is a good chance that Update 5 may be the last major update that the 3.5 line of products receives. Or at least it will be for some time. I’ll have some upgrades to do as a result of this release but I’m pushing for upgrades to vSphere like crazy. You know it makes sense.


Setting up Sysprep for vCenter 2.5

Several of my recent clients (my current one included) have either avoided, failed to use or simply not used Virtual Machine (VM) templates. Depending on who you ask, the answer to the question “Why Not?” seems to vary between:

  • “I didn’t know that you could do that”
  • “We couldn’t make it work”
  • “It was too complicated to setup”
  • “We haven’t had the time yet”
  • “All of our new VMs are different”

After some convincing I have persuaded my current client to let me configure sysprep and a couple of templates for them. I’ve done this a few times before but never really documented it. Admittedly a lot of this is already documented in the Basic Admin Guide for vCenter, but this post saves downloading a PDF file.
