Tuesday 11 June 2019

Moving all standalone hosts into a cluster with PowerShell

The issue I hit was caused by trying to run a tool to disable TLS 1.0 and 1.1 across a number of deployments I'm working on (details on this can be found here)...

The TLS tool can target either a cluster to work through disabling SSL and TLS 1.0 and 1.1, or it can target a single host. The customer I have been working with has many hundreds of hosts, across a number of sites... so on each vCenter, they have 50+ hosts ready to add to a cluster for consumption, depending on where the resource is required. As such, to try and use the TLS tool to disable everything except TLS 1.2 would have been running a script 50+ times, having to specify the administrator@vsphere.local password each time. Very time consuming.

The easy solution as I saw it, was to add these hosts to a temporary cluster, run the script against the cluster level, then remove them...  Here's how I did it:

From PowerCLI, after connecting to the vCenter in question (connect-viserver vcenter.domain.local):

$clusterless = Get-VMHost | Where-Object { $_.Parent.Name -eq "host" }

This ran through all hosts registered against the vCenter, and found those with a parent of 'host' - i.e. not a cluster member.

From this, you can use the 'Move-VMHost' command to move  all of these hosts into a temporary cluster.  I named mine 'tmp':

 This will move all of these hosts into your cluster (I had by this point restarted all of these hosts hence them not responding):

For the reverse, you can run the same command but replace "host" with the cluster name:
 N.B., I should have probably changed the variable name from $clusterless...!

After which, you can move these back to the root datacentre level by re-running the 'Move-VMHost' command:
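The whole round trip described above, as an added example that is not the original post's own code. It assumes a session already opened with Connect-VIServer, an existing temporary cluster ('tmp' as on the page) and hosts with no running VMs; the function names and the list file path are hypothetical.

```powershell
# Added example, not from the original post. Assumes a session already opened
# with Connect-VIServer, an existing cluster (the page uses 'tmp') and hosts
# with no running VMs. Function names and the list file are hypothetical.

function Move-StandaloneHostToCluster {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $ClusterName = 'tmp',
        [string] $ListFile    = '.\moved-hosts.csv'
    )
    $cluster    = Get-Cluster -Name $ClusterName -ErrorAction Stop
    $datacenter = Get-Datacenter -Cluster $cluster

    # Same test as on the page: a parent folder called "host" means the host
    # is not a cluster member. -Location limits it to the cluster's datacenter.
    $standalone = Get-VMHost -Location $datacenter |
        Where-Object { $_.Parent.Name -eq 'host' }
    if (-not $standalone) { Write-Warning 'No standalone hosts found.'; return }

    # Record what is moved so the reverse step touches only these hosts.
    $standalone | Select-Object Name |
        Export-Csv -Path $ListFile -NoTypeInformation

    # Dry run: -WhatIf on this function sets $WhatIfPreference for the cmdlets here.
    $standalone | Move-VMHost -Destination $cluster -Confirm:$false
}

function Restore-StandaloneHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $ClusterName = 'tmp',
        [string] $ListFile    = '.\moved-hosts.csv'
    )
    $cluster    = Get-Cluster -Name $ClusterName -ErrorAction Stop
    $datacenter = Get-Datacenter -Cluster $cluster
    $names      = @((Import-Csv -Path $ListFile).Name)

    # Only hosts still in the cluster AND recorded earlier are moved back.
    # Assumption: vCenter may insist on maintenance mode before a host leaves a cluster.
    Get-VMHost -Location $cluster |
        Where-Object { $names -contains $_.Name } |
        Move-VMHost -Destination $datacenter -Confirm:$false
}
```

Run Move-StandaloneHostToCluster -WhatIf to preview, run it again without -WhatIf, work through the TLS tool and host restarts, then run Restore-StandaloneHost to return the hosts to the datacentre's host folder.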



Disabling TLS 1.0 and 1.1 on vCenter and ESXi

I have been working with a customer who's needed to disable TLS 1.0 and 1.1 across all of their estate; I was focusing on vCenter, ESXi and NSX.

This is all covered in the official documentation: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-82028A21-8AB5-4E2E-90B8-A01D1FAD77B1.html

The process that I followed was vCenter --> ESXi Hosts -->  NSX Manager.

To start with, the TLS Reconfigurator tool is downloadable from here

Choose the version of vCenter you have (.rpm for vCSA and .msi for Windows):

For me, I am using the VCSA and I think most deployments use this now - so the following instructions cover the VCSA...

To begin, copy the rpm file to the VCSA. Use something like WinSCP or FileZilla. Note, you may need to enable the bash shell for root to allow this:

Copy it somewhere sensible like /tmp. Once you've done this, install the tool by running rpm -Uvh /tmp/VMware-vSphereTlsReconfigurator-**********.x86_64.rpm. This will install the tool into /usr/lib/vmware-vSphereTlsReconfigurator. cd to this directory.


There are two sub folders here; we will start in VcTlsReconfigurator...

To disable both TLS 1.0 and 1.1 against the vCenter, first take a snapshot, then run the following command:

reconfigureVc update -p TLSv1.2

This will run through all of the components of vCenter, report what the version of TLS currently is, and, once the script has completed, report what the new version of TLS is. Please note, this will stop the vCenter services:

Before:

After:


Done - this should take no more than 5 minutes.  Onto the ESXi hosts; run cd ../EsxiTlsReconfigurator.

 Assuming you want to disable both TLS 1.0 and 1.1, there are two options you can run here...  Against a cluster and against an individual host:
  • reconfigureEsx vCenterCluster -c {clustername} -u administrator@vsphere.local -p TLSv1.2
  • reconfigureEsx vCenterHost -h {hostname.fqdn} -u administrator@vsphere.local -p TLSv1.2
It is so much easier to run this against a cluster than an individual host; you will need to specify the administrator@vsphere.local password each time, so it will be time consuming to do against an individual host...  However, it's worth knowing the option is available.  

Initially, this will not make any changes; in order to apply the changes, you need to restart each host to set the TLS settings:

After which, all of the ESXi hosts will be patched.  On the vCenter, you can remove the .rpm file from /tmp and reset the root user's shell back to the Appliance shell by running chsh -s /bin/appliancesh root.


Finally, onto the NSX Manager. Connect to the manager UI, log in with the admin credentials, click on 'Manage Appliance Settings', and click on 'Edit' next to 'FIPS Mode and TLS settings':


Again, this will restart the NSX Manager services but will not impact service.