The issue I hit was caused by trying to run a tool to disable TLS 1.0 and 1.1 across a number of deployments I'm working on (details on this can be found here)...
The TLS tool can target either a cluster, working through its hosts to disable SSL and TLS 1.0 and 1.1, or a single host. The customer I have been working with has many hundreds of hosts across a number of sites, so on each vCenter they have 50+ hosts ready to add to a cluster for consumption, depending on where the resource is required. As such, using the TLS tool to disable everything except TLS 1.2 would have meant running a script 50+ times, having to specify the administrator@vsphere.local password each time. Very time consuming.
The easy solution, as I saw it, was to add these hosts to a temporary cluster, run the script at the cluster level, then remove them... Here's how I did it:
From PowerCLI, after connecting to the vCenter in question (connect-viserver vcenter.domain.local):
$clusterless = get-vmhost | ?{ $_.Parent.Name -eq "host" }
This ran through all hosts registered against the vCenter, and found those with a parent of 'host' - i.e. not a cluster member.
From this, you can use the 'Move-VMHost' command to move all of these hosts into a temporary cluster. I named mine 'tmp':
This will move all of these hosts into your cluster (I had by this point restarted all of these hosts hence them not responding):
For the reverse, you can run the same command but replace "host" with the cluster name:
N.B., I should have probably changed the variable name from $clusterless...!
After which, you can move these back to the root datacentre level by re-running the 'Move-VMHost' command:
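The whole round trip described above, as an added PowerCLI example (not the original commands from this post). The cluster name 'tmp' and the vCenter name come from the post; the datacenter name 'DC01' is a placeholder, and creating the cluster when it is missing is an assumption.

```powershell
# Added example, not the post's original commands.
$vCenter    = 'vcenter.domain.local'   # from the post
$tmpCluster = 'tmp'                    # temporary cluster name used in the post
$dcName     = 'DC01'                   # placeholder: your datacenter name

Connect-VIServer -Server $vCenter | Out-Null

$dc = Get-Datacenter -Name $dcName

# Reuse the temporary cluster if it exists, otherwise create it (assumption).
$cluster = Get-Cluster -Name $tmpCluster -Location $dc -ErrorAction SilentlyContinue
if (-not $cluster) {
    $cluster = New-Cluster -Name $tmpCluster -Location $dc
}

# Standalone hosts have the datacenter's "host" folder as their parent.
$clusterless = Get-VMHost -Location $dc | Where-Object { $_.Parent.Name -eq 'host' }

# Record exactly which hosts are being moved, so that only these are
# moved back later, even if 'tmp' already held other hosts.
$movedNames = $clusterless | Select-Object -ExpandProperty Name
$clusterless | Select-Object Name, ConnectionState | Format-Table -AutoSize

# Move every standalone host into the temporary cluster.
$clusterless | Move-VMHost -Destination $cluster -Confirm:$false | Out-Null

# --- run the TLS tool against the 'tmp' cluster at this point ---

# Reverse: find the hosts whose parent is now the temporary cluster,
# limited to the ones recorded above, and return them to the datacenter.
$toRestore = Get-VMHost -Location $dc |
    Where-Object { $_.Parent.Name -eq $tmpCluster -and $movedNames -contains $_.Name }
$toRestore | Move-VMHost -Destination $dc -Confirm:$false | Out-Null

# Confirm nothing from the recorded list is still in the temporary cluster.
Get-VMHost -Location $cluster | Select-Object Name, ConnectionState
```

Adding `-WhatIf` to the two `Move-VMHost` calls shows which hosts would move without changing anything.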