In part 3, we finished the setup of our appliance. But if we really want a polished installation we still have a “little” thing to do: replace the self-signed certificates by certificates signed by our internal Certificate Authority.
Let’s be honest: replacing certificates for the vSphere platform has always been a mess (to say the least) ! But thanks to the great work of Michael Webster and Derek Seaman, things got better! First, they produced clear procedures to replace the certificates. Then Derek went a step further and wrote a powershell script that automates the first part of the process (certificate generation).
In parallel, VMware greatly improved its own documentation (… maybe with the support of the two guys above 🙂 ), and even has a tool which can update certificates on some VMware products… But not the vCSA!
Let’s sum it up: we are still waiting for the perfect tool, but in the meantime, there are clear (but lenghty 🙂 ) procedures to update the certificates. And so… Let’s do it!
In Part 2, we left our vCSA in a running state, technically ready for managing ESXi servers in production. In a small environment or a test lab, we could stop there. But for an appliance that is going to manage a production virtual infrastructure, we could improve our setup a little bit.
In this article, we are going to configure an SMTP server and implement monitoring for the appliance’s database disk.
A recent research study has unveiled a security risk in Transparent Page Sharing (TPS), as acknowledged by VMware in kb2080735.
The researchers were able to discover that from a virtual machine A, an AES encryption key could be retrieved from machine B. While the steps to achieve this seem difficult to reproduce, the risk is real. In fact, the risk is so real that VMware decided to disable TPS for all future versions of ESXi, as well as all current versions for the next update release.
For example, version 5.5 is currently in update 2: TPS will be disabled with update 3. More exactly, inter-vm page sharing will be disabled per default. Pages can still be deduplicated within a virtual machine world, for a much smaller benefit of course.
Until these new releases hit the market, patches are available for those who wish to disable TPS in versions 5.5 and 5.1. And a patch is coming for version 5.0.
In the previous article we deployed the vCenter Server Appliance and made a basic setup. In this article, we will go a step further and cover the licensing and authentication for your new vCSA
I’m a huge fan of the vCSA (vCenter Server Appliance). Since version 5.5, I consider it suitable for production and will perfectly replace a manually installed Windows server. In fact, the Windows-version even looks like a dinosaur now :).
In this article, we are going to deploy a new virtual appliance on a standalone ESXi host and make the initial configuration.