Search Results for: KMS

Easily try out vSAN 6.6 Encryption feature using KMIP Docker Container

04.14.2017 by William Lam // 4 Comments

One of the biggest features introduced in the upcoming vSAN 6.6 release is native vSAN Data-at-Rest Encryption. My good friend Duncan Epping recently posted a video demoing the feature and showing how easy it is to enable with just a couple of clicks. Just like VM Encryption, which was introduced in vSphere 6.5, vSAN Encryption requires a Key Management Interoperability Protocol (KMIP) Server that is associated with your vCenter Server.

The really nice thing about this is that, because VM Encryption and vSAN Encryption use the exact same encryption library, as long as you have a supported KMS (see the VMware KMS HCL here; more are being certified and added), you can use the same KMS for both types of encryption across different vSphere Clusters with different requirements. For the ultra paranoid, you could even "double" encrypt by running Encrypted VMs on top of a vSAN Encrypted Datastore 😉

As with any feature that relies on 3rd party tools, it can take some time to acquire evaluation licenses. For those of you who would like to try out either vSAN or VM Encryption from a functional standpoint, you can get started in a few minutes by using the KMIP Docker Container that I built last year. This is a great way to familiarize yourself with the workflow, or to try out some of the new vSphere and vSAN APIs if you plan to automate the KMIP configuration or the deployment of encrypted VMs. Another great use case is live demos: all you need is a couple of Nested ESXi VMs and a Docker Container Host such as Photon OS, or even just your laptop. Below are the instructions on how to get started.

Disclaimer: It is also very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption or vSAN Encryption, you should be using a production grade KMIP Server, as PyKMIP stores the encryption keys in memory and they are lost upon a restart. This is also true of the virtual appliance, so this is really for quick evaluation purposes only; do NOT run anything important that you care about, due to the risks mentioned earlier.


Categories // Docker, VSAN, vSphere 6.5 Tags // Docker, KMIP, PyKMIP, VSAN 6.6, vSAN Encryption, vSphere 6.5

KMIP Server Docker Container for evaluating VM Encryption in vSphere 6.5

12.02.2016 by William Lam // 8 Comments

There are a number of vSphere Security enhancements introduced in vSphere 6.5, including the much anticipated VM Encryption feature. To use VM Encryption, you first need to set up a Key Management Interoperability Protocol (KMIP) Server, if you do not already have one, and associate it with your vCenter Server. There are plenty of 3rd party vendors who provide KMIP solutions that interoperate with the new VM Encryption feature, but it usually takes some time to get access to product evaluations.

During the vSphere Beta, VMware provided a sample KMIP Server Virtual Appliance based on PyKMIP, which allowed customers to quickly try out the new VM Encryption feature. Many of you have expressed interest in getting access to this appliance for quick evaluation purposes, and the team is currently working on providing an updated version of the appliance for customers. In the meantime, for those who cannot wait for the appliance or would like an alternative way of quickly standing up a sample KMIP Server, I have created a tiny (163 MB) Docker Container which can easily be spun up to provide the KMIP service. I have published the Docker Container on Docker Hub at lamw/vmwkmip. The beauty of the Docker Container is that you do not need to deploy another VM; for resource constrained lab environments or quick demo purposes, you could even run it directly on the vCenter Server Appliance (VCSA) as shown here, which is obviously not recommended for production use.

The Docker Container bundles the exact same version of PyKMIP that will be included in the virtual appliance; this is just another consumption mechanism. It is also very important to note that you should NOT be using this for any production workloads or any VMs that you care about. For actual production deployments of VM Encryption, you should be using a production grade KMIP Server, as PyKMIP stores the encryption keys in memory and they are lost upon a restart. This is also true of the virtual appliance, so this is really for quick evaluation purposes only.

Note: The version of PyKMIP is a modified version and VMware plans to re-contribute their changes back to the PyKMIP open-source project so others can also benefit.

Below are the instructions for using the KMIP Server Docker Container and configuring it with your vCenter Server. I will assume you have worked with Docker before; if you have not, please have a look at the Docker online resources before continuing, or wait for the virtual appliance to be posted.


Categories // Home Lab, vSphere 6.5 Tags // Docker, KMIP, KMS, VM Encryption, vSphere 6.5

New vSphere 6.5 APIs worth checking out

11.03.2016 by William Lam // 11 Comments

With the upcoming new release of vSphere, there are quite a few new vSphere APIs to look forward to and consume from an Automation standpoint. Similar to what I have done for previous major releases of vSphere, here is a list of some of the new (SOAP based) vSphere APIs that I think are worth checking out, whether they back new features that vSphere 6.5 introduces or enhance existing functionality in ways that benefit vSphere Administrators and/or Developers.

If you would like to see the complete list of new vSphere 6.5 (SOAP based) APIs, be sure to check out the vSphere 6.5 API Reference Guide which will include a "What's New" section on all the new Managed Objects, Methods, Properties, etc. when vSphere 6.5 is generally available.

CryptoManager / CryptoManagerKmip - VM Encryption is one of the new features in vSphere 6.5, and with these APIs you can manage and configure the VM Encryption settings, including associating vCenter Server with a KMIP server. For enabling/disabling VM Encryption at the VM and disk level, have a look at the VirtualMachine->crypto and VirtualMachine->deviceChange->backing properties.

  • GenerateClientCsr
  • GenerateKey
  • GenerateSelfSignedClientCert
  • ListKmipServers
  • MarkDefault
  • RegisterKmipServer
  • RemoveKmipServer
  • RetrieveClientCert
  • RetrieveClientCsr
  • RetrieveKmipServerCert
  • RetrieveKmipServersStatus_Task
  • RetrieveSelfSignedClientCert
  • UpdateKmipServer
  • UpdateKmsSignedCsrClientCert
  • UpdateSelfSignedClientCert
  • UploadClientCert
  • UploadKmipServerCert
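As an added example (not code from the original post), the following PowerCLI function uses the CryptoManagerKmip methods listed above to audit the KMS clusters registered with vCenter Server: it lists them with ListKmipServers, retrieves their status through RetrieveKmipServersStatus_Task (using PowerCLI's blocking RetrieveKmipServersStatus wrapper) and flags a configuration with no default cluster or a server whose trust with vCenter is not established in both directions. It assumes an existing Connect-VIServer session to a vSphere 6.5 vCenter Server; the property names follow the KmipClusterInfo and KmipServerStatus data objects of that API.

```powershell
# Added example, not part of the original post. Assumes Connect-VIServer has
# already been run against a vSphere 6.5 (or later) vCenter Server.
function Get-KmsClusterTrust {
    # On vCenter, Content.CryptoManager refers to a CryptoManagerKmip managed object
    $cryptoMgr = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    # ListKmipServers returns one KmipClusterInfo per KMS cluster; $null = no limit
    $clusters = @($cryptoMgr.ListKmipServers($null))
    if ($clusters.Count -eq 0) {
        Write-Warning "No KMS cluster is registered; VM/vSAN Encryption cannot be enabled"
        return
    }
    if (-not ($clusters | Where-Object { $_.UseAsDefault })) {
        Write-Warning "No KMS cluster is marked as default (see MarkDefault)"
    }

    # PowerCLI generates a blocking RetrieveKmipServersStatus wrapper around
    # RetrieveKmipServersStatus_Task; the result is one KmipServerStatus per server
    $statuses = $cryptoMgr.RetrieveKmipServersStatus($clusters)

    foreach ($s in $statuses) {
        # Key operations only succeed when vCenter trusts the KMS certificate AND
        # the KMS trusts vCenter's client certificate
        $mutualTrust = ($s.ClientTrustServer -eq $true) -and ($s.ServerTrustClient -eq $true)
        [PSCustomObject]@{
            KmsCluster       = $s.ClusterId.Id
            Server           = $s.Name
            Status           = $s.Status            # green / yellow / red / gray
            ConnectionStatus = $s.ConnectionStatus
            MutualTrust      = $mutualTrust
            Detail           = $s.Description
        }
    }
}

# Usage: print the report and warn if any server lacks mutual trust
$report = @(Get-KmsClusterTrust)
$report | Format-Table -AutoSize
$untrusted = @($report | Where-Object { -not $_.MutualTrust })
if ($untrusted.Count -gt 0) {
    Write-Warning ("{0} KMS server(s) lack mutual trust with vCenter" -f $untrusted.Count)
}
```

Run this after registering a KMS (RegisterKmipServer) and exchanging certificates (UploadKmipServerCert / UpdateKmsSignedCsrClientCert or the self-signed variants); a red status or a false MutualTrust is the first thing to check when an encryption operation fails with a key-provider error.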

FailoverClusterConfigurator - To setup the new vCenter Server High Availability (VCHA) feature which is only available in the VCSA, use these APIs which include deploying and configuring the passive and witness nodes.

  • configureVcha_Task
  • createPassiveNode_Task
  • createWitnessNode_Task
  • deployVcha_Task
  • destroyVcha_Task
  • getVchaConfig
  • prepareVcha_Task

FailoverClusterManager - Have a look at these APIs to initiate a failover or view the current VCHA configuration.

  • getClusterMode
  • GetVchaClusterHealth
  • initiateFailover_Task
  • setClusterMode_Task

HostVStorageObjectManager - An API-only feature in vSphere 6.5 that allows you to create and manage Virtual Disks as "First Class" citizens. This particular API is for managing First Class Disks (FCD) when talking directly to an ESXi host.

  • HostCloneVStorageObject_Task
  • HostCreateDisk_Task
  • HostDeleteVStorageObject_Task
  • HostExtendDisk_Task
  • HostInflateDisk_Task
  • HostListVStorageObject
  • HostReconcileDatastoreInventory_Task
  • HostRegisterDisk
  • HostRelocateVStorageObject_Task
  • HostRenameVStorageObject
  • HostRetrieveVStorageObject
  • HostRetrieveVStorageObjectState
  • HostScheduleReconcileDatastoreInventory

VcenterVStorageObjectManager - An API-only feature in vSphere 6.5 that allows you to create and manage Virtual Disks as "First Class" citizens. This particular API is for managing First Class Disks (FCD) when talking to a vCenter Server.

  • AttachTagToVStorageObject
  • CloneVStorageObject_Task
  • CreateDisk_Task
  • DeleteVStorageObject_Task
  • DetachTagFromVStorageObject
  • ExtendDisk_Task
  • InflateDisk_Task
  • ListTagsAttachedToVStorageObject
  • ListVStorageObject
  • ListVStorageObjectsAttachedToTag
  • ReconcileDatastoreInventory_Task
  • RegisterDisk
  • RelocateVStorageObject_Task
  • RenameVStorageObject
  • RetrieveVStorageObject
  • RetrieveVStorageObjectState
  • ScheduleReconcileDatastoreInventory

DatastoreNamespaceManager->ConvertNamespacePathToUuidPath() - From a troubleshooting standpoint, have you ever wished you could easily translate a human readable VM path (e.g. /vmfs/volumes/vsanDatastore/myVM/myVM.vmx) to the UUID based VSAN/VVOL equivalent identifier? Well, this is now possible with this new API!

AuthorizationManager->FetchUserPrivilegeOnEntities() - This is a pretty neat API, as it allows you to query an existing user to see which privileges are currently assigned to them on given entities. This can come in handy for quickly auditing a particular privilege for a user.
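As an added example (not code from the original post), here is a PowerCLI function that turns FetchUserPrivilegeOnEntities into a least-privilege check: it fetches the effective privileges a given account holds on a set of inventory objects and reports any privilege outside an allow-list. It assumes an existing Connect-VIServer session; the account name, the allow-list and the VM name pattern are placeholders for your own environment, and the privilege IDs in the allow-list are standard vSphere privilege identifiers.

```powershell
# Added example, not part of the original post. Assumes Connect-VIServer has
# already been run; account name, allow-list and VM names are placeholders.
function Test-UserPrivileges {
    param(
        [Parameter(Mandatory)] [string]   $UserName,          # e.g. 'VSPHERE.LOCAL\svc-backup'
        [Parameter(Mandatory)] [string[]] $AllowedPrivileges, # privilege IDs the account may hold
        [Parameter(Mandatory)] $Entities                      # PowerCLI objects, e.g. from Get-VM
    )
    $authMgr = Get-View $global:DefaultVIServer.ExtensionData.Content.AuthorizationManager

    # The API takes ManagedObjectReferences, not PowerCLI wrapper objects
    $morefs = @($Entities | ForEach-Object { $_.ExtensionData.MoRef })

    # One UserPrivilegeResult per entity, each carrying the effective privilege IDs
    $results = $authMgr.FetchUserPrivilegeOnEntities($morefs, $UserName)

    foreach ($r in $results) {
        $unexpected = @($r.Privileges | Where-Object { $AllowedPrivileges -notcontains $_ })
        [PSCustomObject]@{
            Entity     = (Get-View $r.Entity -Property Name).Name
            User       = $UserName
            Effective  = @($r.Privileges).Count
            Unexpected = ($unexpected -join ', ')
            Compliant  = ($unexpected.Count -eq 0)
        }
    }
}

# Usage: a backup account should only need snapshot and disk-read privileges on VMs.
# The three System.* privileges are part of every role, so they are always expected.
$allowed = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.Provisioning.DiskRandomRead'
)
Test-UserPrivileges -UserName 'VSPHERE.LOCAL\svc-backup' `
                    -AllowedPrivileges $allowed `
                    -Entities (Get-VM -Name 'prod-*') |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Because the API returns effective privileges (role assignments propagated down the inventory included), this catches over-broad permissions granted higher up the hierarchy that a per-object permission review would miss.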

HostImageConfigManager->installDate() - Have a look at this blog post Super easy way of getting ESXi installation date in vSphere 6.5 for more details.

HostImageConfigManager->fetchSoftwarePackages() - This is another nice API for retrieving all the VIBs installed on an ESXi host. It is the equivalent of running "esxcli software vib list", and you now get all the additional metadata that was historically only available via ESXCLI. Here is an example PowerCLI function called Get-ESXInstalledVib that exercises this new API.

HostStorageSystem->UpdateVmfsUnmapPriority() - Have a look at the blog post Configure new automatic Space Reclamation (VMFS UNMAP) using vSphere 6.5 APIs for more details.

VirtualMachine->{AttachDisk_Task(),DetachDisk_Task()} - This API allows you to attach and detach First Class Disks that you may have created earlier using the FCD APIs as shown above.

VirtualMachine->config->bootOptions->EfiSecureBootEnabled - To take advantage of the new VM Secure Boot feature in vSphere 6.5, you simply toggle this property. Here are two PowerCLI functions called Get-SecureBoot/Set-SecureBoot that exercise this new API.

In addition, vSphere 6.5 also introduces a new REST-based API that covers several areas such as basic VM Lifecycle Management (similar to that of the existing vSphere SOAP-based API), vSphere Content Library, vSphere Tagging and Virtual Appliance Management for the vCenter Server Appliance (VCSA). You can interact with these new APIs using any of the vSphere Automation SDKs (.Net, Java, Python, Ruby or Perl) or simply using cURL from the command-line. It is really that easy!

Lastly, to make exploring these new REST-based APIs easier for both administrators and developers, there is now an API Explorer included specifically with the VCSA in vSphere 6.5. You can think of it as a vSphere MOB 2.0, but far easier to use. Some of you may recognize the interface shown in the screenshot below, which uses the Swagger UI. It lets you quickly browse through all the APIs without referring to the documentation, as the APIs are self-documented in this interface. Best of all, you can even try out the APIs by logging into your vCenter Server, selecting an API and clicking the "Try it out now" button!

To access the API Explorer, you simply open a web browser and enter the following URL: https://[VC-HOSTNAME-OR-IP]/apiexplorer/

[Screenshot: vSphere 6.5 API Explorer (vsphere-6-5-apis-apiexplorer)]

There will also be native PowerCLI cmdlets (Get-CisService) for these new REST APIs, and below is a quick example of retrieving the version (GET /system/version) of the VCSA:

$vcsaVersion = Get-CisService -Name  'com.vmware.appliance.system.version'
$vcsaVersion.get()

[Screenshot: Get-CisService output in PowerCLI (vsphere-6-5-apis-powercli)]

Categories // Automation, vSphere 6.5 Tags // API Explorer, PowerCLI, vSphere 6.5, vSphere API, vSphere SDK

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Connect

  • Email
  • GitHub
  • LinkedIn
  • RSS
  • Twitter
  • Vimeo

Support

Recent

  • A first look at the new vSphere+ & vSAN+ Cloud Service 07/01/2022
  • Quick Tip - Prepare VMware Photon OS for use with vSphere Guest OS Customization and cloud-init 06/29/2022
  • Using the new vSphere Guest OS Customization with cloud-init in vSphere 7.0 Update 3 06/27/2022
  • How to forcefully disconnect a vSphere VM Console session? 06/24/2022
  • Quick Tip - Using ESXi Scripted Installation (kickstart) to configure IPv6 networking 06/21/2022

Advertisment

Copyright WilliamLam.com © 2022