Tag Archives: VMworld

vSphere 6 – Certificate Management Intro

I like VMware and their core products like vCenter, ESXi, etc.  Personally, one thing I really admire is the general quality of these products, how reliable they are, how well they work, and how VMware works to address pain points of them to make them extremely usable.  They just work.

However, certificate management has been a big pain point of the core vSphere product line.  There’s just no way around it.  And certificates are important.  You want to be sure that the systems you connect to when you manage them really are those systems.  For many customers I’ve worked with, because of the pain of certificate management within vSphere, because some customers are too small and don’t have an on-premises Certificate Authority, and to ensure the product continues to work, they often don’t replace the default self-signed certificates generated by vSphere.

That’s obviously less than ideal.  The good news is certificate management has been completely revamped in vSphere 6.  It’s far easier to replace certificates if you like, and you have some flexibility as to how you go about this.

Three Models of Certificate Management

Now, you have several choices for managing vSphere certificates. This post will outline them.  Later, I’ll show you how you can implement each model.  Much of this information comes from a VMworld session I attended called “Certificate Management for Mere Mortals.”  If you have access to the session video, I would highly encourage viewing it!

Before we get into the models, be aware that certificates basically fall under one of two categories – certificates that facilitate client connections from users and admins, and certificates that allow different product components to interact with each other.  Also, vCenter has built-in Certificate Authority functionality.  That’s a bit obvious since you already had self-signed certificates, but this functionality has been expanded.  For example, you can now have vCenter act as a subordinate authority of your enterprise PKI, too!

Effectively, this means you have some questions up front you want to answer:

  1. Are you cool with vCenter acting as a certificate authority at all?  The biggest reason to use vCenter is that it is easier to manage certificates this way, but your security guidelines may not allow it.
  2. If you are cool with vCenter generating certificates, are you also cool with it being a root certificate authority?  If not, you could make it a subordinate CA.
  3. For each certificate, which certificate authority should generate it?  For example, maybe your security requirement that the internal PKI be used applies only to the certificates seen on client connections.

From these questions, four models for certificate management effectively emerge.  They are combinations of whether your vCenter acts as a certificate authority or not, and, if it does, which certificates it generates.

Model 1: Let vCenter do it all!

This model is pretty straightforward.  vCenter will act as a certificate authority for your vSphere environment, and it will generate all the certificates for all the things!  This can be attractive for several reasons.

  1. It’s by far the easiest to implement.  It will pretty much generate all your certificates for you and install them.
  2. It’ll definitely work.  No worries about generating the wrong certificate.
  3. If you don’t have an internal CA, you’re covered!  vCenter is now your PKI for vSphere.  Sweet!  You can even export vCenter’s root CA certificate, and import it into your clients using Active Directory Group Policy, or other technologies to get client machines to automatically trust these certificates!  Note that it is unsupported for vCenter to generate certificates for anything other than vSphere components.

Model 2: Let vCenter do it all as a subordinate CA to your enterprise PKI

This model is very similar to the one above.  The only difference is that instead of vCenter being the root CA, you make vCenter a subordinate CA of your enterprise PKI.  This allows your vCenter server to generate certificates that are automatically trusted by client machines, while still ensuring that certificates are easily generated and installed properly.

However, it is a bit more involved than the first model, since you must create a certificate signing request (CSR) in vCenter, submit it to your enterprise PKI, and then install the issued certificate in vCenter manually.

Model 3: Make your enterprise PKI issue all the certificates

Arguably the most secure, provided your enterprise PKI is itself secured, this model is pretty self-explanatory.  You don’t make use of any of the certificate functionality within vCenter.  Instead, you must manually generate all certificate requests for all vCenter components, ESXi servers, etc., submit them to your enterprise PKI, and install all the resulting certificates on each component yourself.

While this could be the most secure way to go about certificate management, it is by far the most laborious solution to implement, and it is the solution that is most likely to be problematic.  You have to ensure your PKI is configured to issue the correct certificate type and properties, you have to install the right certificates on the right components, etc.  It’s all pretty much on you to get everything right!

Model 4: Mix and match!  (SAY WHAT?!?!?)

When I first heard this being discussed in the session, the immediate reaction of my security-minded inner conscience was, “This sounds like a REALLY bad idea!!!”

But as I listened, it actually makes quite a bit of sense when done properly.  You can mix and match which certificates are and are not generated by the PKI components within vCenter.  The hybrid that makes sense (a hybrid solution doesn’t make sense for everyone!) is to let vCenter manage certificate generation for all certificates that facilitate vSphere component communication, and use Model 1, 2, or 3 for all the other certificates, the ones that facilitate client connections.  If this meets your security requirements, it gives you the best of both worlds – certificates issued by your internal PKI that your clients automatically trust, and are therefore (potentially) more secure, plus easier management and better reliability for all the internal vSphere component certificates that clients never see.
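To make the client-trust difference between Model 1 and Model 2 concrete, here is an added example of mine (not from the session and not VMware’s certificate-manager tooling) that uses only the OpenSSL command line: it builds a toy enterprise root, a stand-in for VMCA in both roles, issues a vCenter-style certificate from each, and checks which chain a client that trusts only the enterprise root accepts. The CA names, the hostname vcenter.lab.test and all file names are made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo of Model 1 (VMCA as its own root) vs Model 2 (VMCA subordinate
# to the enterprise root), seen from a client that only trusts the enterprise root.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vcenter.lab.test
EOF

# issue NAME SUBJECT EXT_SECTION ISSUER  (ISSUER="self" makes a self-signed root,
# otherwise a CSR is created and signed by ISSUER, like submitting a CSR to a CA)
issue() {
  if [ "$4" = self ]; then
    openssl req -x509 -config pki.cnf -extensions "$3" -newkey rsa:2048 -nodes \
      -days 365 -subj "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
  else
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "$2" \
      -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 365 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
  fi
}

issue ent   "/CN=Enterprise Root CA" v3_ca   self   # corporate PKI root, in client stores
issue vmca1 "/CN=VMCA Model 1"       v3_ca   self   # Model 1: VMCA is its own root
issue vmca2 "/CN=VMCA Model 2"       v3_ca   ent    # Model 2: VMCA cert issued by ent
issue vc1   "/CN=vcenter.lab.test"   v3_leaf vmca1  # vCenter cert under Model 1
issue vc2   "/CN=vcenter.lab.test"   v3_leaf vmca2  # vCenter cert under Model 2

# client_trusts TRUSTSTORE INTERMEDIATE LEAF -> exit 0 only if the chain validates
client_trusts() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

cp ent.crt client.pem                         # client trusting only the enterprise root
cat ent.crt vmca1.crt > client_plus_vmca.pem  # same client after importing the VMCA root
# Model 2 validates against client.pem; Model 1 only validates once the VMCA root
# has been distributed to the client (the Group Policy step mentioned under Model 1).
```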

Which should you go with?

I hate using the universal consultant answer, but I have to.  It depends.  If you don’t have an internal PKI, go with Model 1.

If you have an internal PKI only because you needed it for something else, and you want your clients to easily trust vSphere connections, go with Model 1 and import vCenter’s root CA into your client machines, OR go with Model 2.  Which one in this case?  If you don’t consider yourself really good at PKI management, or if you don’t need many machines to be able to connect to vSphere components, probably Model 1.  The more clients that need to connect, the more it leans you towards Model 2.

Do you have security requirements that prevent you from using vCenter’s PKI capabilities altogether?  You have no choice, go with Model 3.

I would generally encourage people who think they need Model 3 to look at Model 4’s hybrid approach first, though.  Unless you absolutely have to go with Model 3, go with Model 4.

Hope this helps!

VMworld Day 1 – Recap

So much for live blogging VMworld.  I need to find something to post to WordPress from my iPad, as the web editor doesn’t work when the web bandwidth isn’t good…  Actually, the web editor isn’t good on iOS, period.  Oh, well.

Monday was more labs, Solutions Exchange, and sessions.  In the general session, VMware stated its goal is to make a single logical cloud that could span public and private clouds, where you could run all apps, both the enterprise apps we have had for years and the new “cloud native apps” of today and, increasingly, of tomorrow.

So most of the 23,000 attendees were greeted with a well produced but a bit weird video that looked like something cooked up by somebody smoking a substance still illegal in most states watching X-Men, as this guy…

…was teaching the young mutant…err…cloud native apps and enterprise apps to hone their powers in security, performance, flexibility, and more.

We learned that we would now be able to vMotion applications between vCloud Air and your private VMware cloud potentially… Cool!

We learned that SRM would now be offered as a cloud offering in conjunction with vCloud Air as well.  Also, very cool!

They also announced vSphere Integrated Containers, and discussed Photon, which is a VMware-optimized Linux container technology that will interoperate with other container technologies, such as Docker.  It’s good to see VMware embrace a technology that is a bit of a counter to their bread and butter – VMs.  Resisting change is often futile.

Also, an EVO SDDC Manager was announced, which will help automate the management of all components of the Software Defined Data Center, including network virtualization and virtualized storage within VSAN, in a single pane of glass.

Upgrades to VSAN have also been announced, and one of the biggest improvements will be the ability to stretch a VSAN across datacenters, effectively making a stretched storage cluster with synchronous replication.  Considering how much solutions like VPLEX cost to do the same thing, this could potentially be a much lower cost option for organizations looking for this type of DR protection.

I’ll have more on specific sessions later, but I wanted to get this out in the meantime.


VMworld Day 0 – Update

Sorry about the late post from yesterday, but I was too exhausted from disembarking from the cruise, getting to VMworld, blah blah blah.

Sunday was a good day to get some quick sessions in, and do a lot of labs.  There’s not enough here to do a lot of posts, so here’s a quick summary of Sunday for me.

  • VMware certifications – Expect VCIX exams for Data Center Virtualization to be available in January and February. Design will be first, followed shortly after by Administration.
  • The Dell FX line of servers is an interesting piece of hardware.  I’ll do a future blog post about them, but they present an interesting solution for a few scenarios.
  • I played around quite a bit with VSAN in the labs, particularly around policy based management scenarios.  I’m sure that will be another blog post coming soon.

Much more from Day 1 coming…

VMworld – What I’m looking forward to

Almost every year, I go to VMworld to learn about all things new and coming down the pike, learn about products related to virtualization, and to network with colleagues.

This year is no different.  I’m a VMworld alumnus, having attended in 2009, 2011, 2012, and 2014.  VMworld is a great time to catch up on everything and with everyone in the community.

My wife usually travels with me when I go.  If you have someone travelling with you who isn’t attending the conference, I highly recommend checking out Spousetivities.  Put together by Crystal Lowe, these are activities created for people to attend while the people they are travelling with attend the conference.  Crystal does a fantastic job coming up with things to do, and it’s a great way to have fun and meet new people.

This year, we were also able to find an Alaskan cruise that leaves from San Francisco and arrives back in San Francisco on the morning VMworld technically starts.  Really looking forward to that!

Back to VMworld, the things I always look forward to are the hands on labs, the Solutions Exchange, and sessions.  If you’re not familiar with VMworld, the hands on labs allow you to bring your own device or use their setup terminals (usually what I do because I’m not wanting to bring my laptop to carry around all day, and I find using an iPad frustrating for labs), and get hands on experience with new VMware and other partners’ products and features.  It’s great!

Solutions Exchange is basically a vendor expo where you can learn about various vendors and their solutions that are related to virtualization.  I don’t know how many times I’ve discovered new products or solutions that solved problems for customers here.

And the sessions… SO MANY AWESOME SESSIONS!  I can’t fit them all in!  Here are a few sessions I’m looking forward to.

SDDC6683-SPO – Getting Ready for the Next Wave of IT Convergence with Cisco UCS – SyCom does a lot of work with Cisco including UCS, so I need to keep up to speed with what’s new with that line of products.

STO5605 – What’s New in Site Recovery Manager – I’ve done many Site Recovery Manager engagements.  It’s normally easy to find what new features are in the next version, but what I like about these sessions is they often give you interesting perspectives on how to use these features properly, or in a creative manner.

STO6556-GD – Stretched Clusters with Lee Dilworth – I’ve recently deployed a stretched vSphere cluster in version 5.5, so I take personal interest in this topic.  It’s good to hear how others are doing it, and pick up on any tips.

STO5822 – Putting Virtual Volumes to Work – Storage Best Practices for vSphere 6 and Beyond – I think vVols are a big new feature in vSphere 6.  But I also know that they won’t always be the best solution for all customers and/or for all workloads.  I love sessions like this because, while I think I already have a good grasp about the topic, I always learn some new things to think about.

ELW-SDC-1630 – Cloud Native Apps Workshop – If you think all workloads are basically the same, have basically the same thresholds for performance, etc., you’re wrong.  I came from working with the storage I/O hog that was Exchange 2003, where you needed pretty low storage latency.  But cloud native apps generally can accept very high latency.  This is just one example of how cloud native apps can differ radically from the workloads you typically see, and I want to know more.

SDDC4595 – Ask the Expert Industry Titans – A mainstay tradition for sessions.  It’s Chad Sakac and Vaughn Stewart, plus others, answering any questions that are brought to the floor.  It’s going to be a blast.

SDDC6642 – The Bleeding Edge: A Face-melting Technical Smorgasbord of Private, Hybrid and PaaS – It’s Chad Sakac talking about cool new stuff.  Plus, face-melting is in the freakin’ session title!  Do I really need to say more?

INF4529 – VMware Certificate Management for Mere Mortals – Let’s face it, certificate management in vSphere hasn’t exactly been easy.  Since there are new tools to manage certificates, I want to get caught up to speed.

NET4976 – vSphere Distributed Switch 6.0 – Technical Deep Dive – Always a great session if it’s Jason Nash and Chris Wahl.

What sessions are you looking forward to?