Update vCenter Server Appliance (VCSA)

I wanted to update vCenter Server Appliance 6.7 Update 1 (6.7.0.20000) to the most current patch level, which at the time of this post is Update 3k.

I navigated to VMware’s patch repository, https://my.vmware.com/group/vmware/patch#search, and selected VC and 6.7.0. I already have the appliance, so I downloaded the Appliance-Patch file as highlighted below.

Once downloaded, I added the .iso file to the VCSA virtual machine’s CD/DVD drive using the VMware Remote Console window. (It’s my personal preference to not add ISO files to datastores as I feel it is a waste of space and unnecessary)

I logged into the vCenter Server Appliance Management Interface (VAMI), https://fqdn:5480, and chose Update > CHECK UPDATES > Check CD ROM. I was presented with a screen stating, “No applicable update found.” I was a little concerned and thought maybe I had added the wrong ISO file, so I double checked.

After a little digging and documentation reading, I found that this upgrade path is not supported. I first have to patch to the base appliance level of the target update, in this case vCenter Server Appliance 6.7 Update 3, before I can apply the Update 3k security patch. The following is an excerpt from the document, Patching the vCenter Server Appliance and Platform Services Controller Appliance.

VMware makes patches available on a monthly basis. These patches can only be applied in between major releases of vCenter Server Appliance. For example, patches released for the initial release of vCenter Server Appliance 6.7, are not applicable to vCenter Server Appliance 6.7 Update 1, as any patches previously made available will be included with the Update 1 release.

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-043EF6BD-78F7-412F-837F-CBDF844F850C.html

So…let’s try that again

So now that I have RTFM, I can try again in the correct order. I downloaded the vCenter Appliance Update 3 (VMware-vCenter-Server-Appliance-6.7.0.40000-14367737-patch-FP.iso) ISO from the patches repository and loaded it into the vCenter Server Appliance’s CD ROM. I went back to the VAMI and checked for updates again, this time with a positive result!

To update:

  • Click the STAGE AND INSTALL link above the Available updates table
  • Check the checkbox labeled, “I accept the terms of the license agreement”
  • Click the NEXT button
  • Uncheck the checkbox labeled, “Join the VMware Customer Experience Improvement Program (CEIP)” [Note: this is a lab environment; follow your organization’s policy regarding this program]
  • Click the NEXT button
  • Check the checkbox labeled, “I have backed up vCenter Server and its associated databases.” [Note: make sure that you actually do have a backup; the patch cannot be rolled back from the VAMI]
  • Click the FINISH button

Ref: Patching the vCenter Server Appliance by Using the Appliance Management Interface (https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-E2E359B1-5834-4BFF-AEFE-6CEBFC8CC3D5.html) and subsequently, Install vCenter Server Appliance Patches (https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-E5E78149-4AC8-4DD7-BBA8-19CC17711D40.html).

Wait for the server to install the update and show Installation succeeded. Click the Close button.

Depending on how long the process took, you may need to log into the VAMI again. Verify that the Version shown on the Summary page is newer than before (6.7.0.40000 in this case).

This time you can load up the most recent patch and follow the update procedure again.

At the end, you should have an updated appliance with the most recent patch.
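As an added example (not part of the original post), the following PowerShell reads the installed version from the appliance management REST API and applies the “patches only within the same update level” rule before you bother mounting an ISO. Assumptions: the VAMI is reachable at vcsa.lab.local on port 5480 and accepts the root account for the session endpoint; the VAMI certificate is untrusted in the lab, hence the validation bypass; and the rule that the leading digit of the fourth version component is the update level (6.7.0.20000 is U1, 6.7.0.40000 is U3) with an all-zero remainder marking that level’s base release is inferred from the two version strings on this page, not from VMware documentation.

```powershell
# Added example, not from the original post. Checks whether a VCSA patch ISO can be staged
# against the installed version, using the vCenter Server Appliance Management REST API.
$Vami    = 'vcsa.lab.local'                                                    # assumption
$IsoName = 'VMware-vCenter-Server-Appliance-6.7.0.40000-14367737-patch-FP.iso'  # ISO named in the post

function Get-VcsaVersionInfo {
    # Assumption from the two versions on the page: 6.7.0.2xxxx = U1, 6.7.0.4xxxx = U3,
    # and 6.7.0.40000 (zero tail) is the U3 base while 6.7.0.4xxxx with a non-zero tail is a U3 patch.
    param([Parameter(Mandatory = $true)][string]$Version)
    if ($Version -notmatch '^(\d+\.\d+\.\d+)\.(\d)(\d{4})$') { throw "Unexpected version string: $Version" }
    [pscustomobject]@{
        Base   = $Matches[1]                  # 6.7.0
        Update = [int]$Matches[2]             # 1 for U1, 3 for U3
        IsBase = ($Matches[3] -eq '0000')     # base release of that update level
    }
}

function Test-VcsaPatchApplicable {
    param([Parameter(Mandatory = $true)][string]$Installed,
          [Parameter(Mandatory = $true)][string]$Patch)
    if ([version]$Patch -le [version]$Installed) { return $false }   # already at or past it
    $i = Get-VcsaVersionInfo -Version $Installed
    $p = Get-VcsaVersionInfo -Version $Patch
    if ($i.Base -ne $p.Base) { return $false }                        # 6.7 patches never apply to 6.5 or 7.0
    if ($p.Update -eq $i.Update) { return $true }                     # same level: U3 -> U3k is fine
    return ($p.Update -gt $i.Update) -and $p.IsBase                   # U1 -> U3 base is fine, U1 -> U3k is not
}

# Read the installed version from the appliance (lab only: never bypass certificate validation in production)
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$cred  = Get-Credential -UserName root -Message 'VCSA root password'
$pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$sid   = (Invoke-RestMethod -Method Post -Uri "https://${Vami}:5480/rest/com/vmware/cis/session" -Headers @{ Authorization = "Basic $basic" }).value
$hdr   = @{ 'vmware-api-session-id' = $sid }
$ver   = (Invoke-RestMethod -Uri "https://${Vami}:5480/rest/appliance/system/version" -Headers $hdr).value
Invoke-RestMethod -Method Delete -Uri "https://${Vami}:5480/rest/com/vmware/cis/session" -Headers $hdr | Out-Null

$patchVersion = [regex]::Match($IsoName, '\d+\.\d+\.\d+\.\d+').Value
"Installed: $($ver.version) (build $($ver.build)); ISO: $patchVersion"
if (Test-VcsaPatchApplicable -Installed $ver.version -Patch $patchVersion) {
    "OK: $IsoName should appear under Update > CHECK UPDATES > Check CD ROM"
} else {
    $p = Get-VcsaVersionInfo -Version $patchVersion
    "Not applicable: patch to the $($p.Base) Update $($p.Update) base release first, then retry"
}
```

With the page’s own numbers, Test-VcsaPatchApplicable returns $true for 6.7.0.20000 to 6.7.0.40000 and $false for a U1 appliance against any 6.7.0.4xxxx patch with a non-zero tail, which is exactly the “No applicable update found” case above.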

MSSQL SSL/TLS Certificate Chain Fix

I was configuring VMware App Volumes and ran into an issue where the installer reported a MS SQL security alert. Since I am trying to get this to work in a production-like environment, I did not want to just “Trust server certificate” and move along. I wanted this to be installed appropriately. A couple of minutes of Googling later, and this post is a record of my findings for the future. Hopefully it may help you as well if you stumbled here. Here is a screenshot of the security alert.

First of all, make sure you have a CA-signed certificate loaded in the Personal store on the server hosting your MS SQL Server. You can quickly check your machine certificates by clicking the Start button or opening Run and typing certlm.msc. If you don’t have that, stop here and go get one. I used Let’s Encrypt for my certificate.

The next thing you want to do is verify the service account that is running your MS SQL Server. In my case, I am using the default NT Service\MSSQLSERVER.

Right-click on your machine certificate and point to All Tasks, and choose Manage Private Keys…

The Permissions window opens up.

Add the account you verified as the Log On As user in the Services.msc console. (You may need to change the location to the local server name using the Locations… button in the Select Users or Groups window.) Grant the account Read on the private key; that is all SQL Server needs to use it. Full Control also works but grants more than the service needs.

Go back to the Services.msc console and restart the SQL Server service and you should no longer have authentication or trust issues with connecting services.
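The same steps scripted, as an added example that is not from the original post: find the SQL Server service account, locate the certificate’s private key file, grant the account Read, restart the service, and then prove from a client that the connection is encrypted and the chain validates without “Trust server certificate”. Assumptions: a default instance (service MSSQLSERVER) on sql01.example.com, a CA-issued certificate whose subject CN is that FQDN sitting in Cert:\LocalMachine\My with an RSA key, and an elevated PowerShell session on the SQL host.

```powershell
# Added example, not from the original post. Run elevated on the SQL Server host.
$Fqdn        = 'sql01.example.com'   # assumption
$ServiceName = 'MSSQLSERVER'         # default instance; named instances are MSSQL$<name>

# 1. The account shown as "Log On As" in services.msc
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
$account = $svc.StartName            # e.g. NT Service\MSSQLSERVER

# 2. A current server-authentication certificate for the host that has a private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -like "CN=$Fqdn*" -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    } | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server-authentication certificate for $Fqdn in LocalMachine\My" }

# 3. "Manage Private Keys..." edits the ACL of a file under %ProgramData%\Microsoft\Crypto; find it
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Certificate does not carry an RSA private key' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName                               # CNG key (KSP)
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CSP key
}
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Private key file $keyName not found on disk" }

# 4. Read is enough for the service to use the key; Full Control is more than it needs
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl
Restart-Service -Name $ServiceName -Force

# 5. Verify like a client would: Encrypt=True with TrustServerCertificate=False only succeeds when the
#    chain validates and the name matches, and the DMV confirms this session really is encrypted
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Fqdn;Integrated Security=True;Encrypt=True;TrustServerCertificate=False;Connect Timeout=15"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    "Encrypted session: $($cmd.ExecuteScalar())"   # TRUE when TLS is in use
} finally {
    $conn.Dispose()
}
```

If step 5 fails with a chain error even after the ACL change, the client does not trust the issuing CA (for Let’s Encrypt, the intermediate is usually the missing piece); if it fails with a name mismatch, the subject CN or SAN does not match the name in the connection string.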

Windows File and Folder Sharing Issues with Ansible and Chocolatey

This article (https://controlaltfail.wordpress.com/2017/11/23/ansible-and-chocolatey-with-windows-fileshare-repository/) proved to be a big help. I don’t want to take anything away from it, but would like to add my own notes. It was a huge help in getting this working.

I am working with a client in a Windows 10 and System Center Configuration Manager (SCCM) environment, trying to modernize how desktop images get built and deployed for a virtual desktop infrastructure (VDI). They are not going to move away from SCCM, so we are trying to create an environment where the two can co-exist. Unfortunately, Chocolatey’s documentation is hard to follow and (in my opinion) not quite mature enough for the masses. I have confidence they will get there in the future and also realize that this use case is very specific and unlikely to be needed in the majority of environments.

In an attempt to install application packages using a Windows File and Folder source for Chocolatey packages, my colleague and I ran into issues with how the folder share was being accessed. Running choco install vscode from an elevated PowerShell prompt directly on the machine succeeded 100% of the time.

So that looked good, it was assumed that it would also work in an Ansible Playbook. The playbook is very simple.

---
- hosts: all
  tasks:
    - name: Install Microsoft Visual Studio Code
      win_chocolatey:
        name: vscode
        state: latest
...

I’ll save you from zooming in and hurting your eyes. The part that catches my eye is, “The package was not found with the source(s) listed.” Well, that’s odd, because it just worked when I was on the machine. So I added another line to add an explicit source (not shown), added other lines to authenticate the source (not shown), and even added another task to add another source (not shown). Every time the playbook ran, this error displayed. So it is not the Chocolatey source.

Let me take a step back here. I forgot to mention that I originally had my .nupkg files stored on a CIFS share from my Synology NAS, not on a Windows folder share. I ended up creating a Windows File and Folder share as a troubleshooting step later.

And we’re back…I double checked my Windows share, it was shared out, the file was present, the source was accurate and visible to Chocolatey as was apparent by the test install directly on the machine. It had to be something else. My colleague ended up finding the article I posted in the top of this post. Sure enough, it worked.

How to fix it

On the folder that is being shared out, add ANONYMOUS LOGON to the Share Permissions. Ensure the Read checkbox is checked under Allow.

On the Security tab, add the ANONYMOUS LOGON group and set the permissions to List folder contents and Read.

Lastly, open secpol.msc and add the shared folder to Network access: Shares that can be accessed anonymously. If you look in the snip below, you can see that I have added the Chocolatey share. The setting is not well documented (without going to the Internet), so I was unsure if I was supposed to use the UNC path, the explicit location, or just the name. I opted to add just the name and it worked. Mileage may vary; the other forms were not tested.

Went back to my Ansible control node and ran another test and was pleased to see that this was resolved.

I thought that was an awful lot of work and feel like I lowered security in my system just to make this work, though. There has to be a better way, but unfortunately, at this time, I am unsure of such. Please reach out to me or comment if you know how to make this work without all the leg work. Like I mentioned above, this is going to probably be an unlikely case because most Chocolatey users will be able to use a robust server or even the simple server solution.
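The three “How to fix it” steps as PowerShell, added here as an example that is not from the original post, with a read-back at the end so the widened exposure is visible and can be reverted. Assumptions: the share is named Chocolatey and backed by D:\Chocolatey on a Windows file server, and the script runs elevated on that server.

```powershell
# Added example, not from the original post. Run elevated on the file server.
$ShareName = 'Chocolatey'      # assumption
$SharePath = 'D:\Chocolatey'   # assumption

# ANONYMOUS LOGON is the well-known SID S-1-5-7; resolving the SID avoids spelling and locale issues
$anonSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-7')
$anonName = $anonSid.Translate([System.Security.Principal.NTAccount]).Value   # NT AUTHORITY\ANONYMOUS LOGON

# 1. Share permissions: Allow Read for ANONYMOUS LOGON
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ReadAccess $anonName | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $anonName -AccessRight Read -Force | Out-Null
}

# 2. NTFS permissions: "List folder contents" + "Read" is ReadAndExecute on the folder, inherited by its files
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($anonSid, 'ReadAndExecute',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. "Network access: Shares that can be accessed anonymously" is the NullSessionShares multi-string
#    under LanmanServer; it takes bare share names (which is why "just the name" worked), not UNC paths
$lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$current = @((Get-ItemProperty -Path $lanman -Name NullSessionShares -ErrorAction SilentlyContinue).NullSessionShares |
             Where-Object { $_ })
if ($current -notcontains $ShareName) {
    Set-ItemProperty -Path $lanman -Name NullSessionShares -Value ([string[]]($current + $ShareName)) -Type MultiString
}
Restart-Service -Name LanmanServer -Force   # the Server service picks up the new value on restart

# Read back what is now reachable without credentials, so it can be reviewed and reverted later
Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -like '*ANONYMOUS*'
(Get-Acl -Path $SharePath).Access | Where-Object IdentityReference -like '*ANONYMOUS*'
(Get-ItemProperty -Path $lanman -Name NullSessionShares).NullSessionShares
```

Everything this script does widens exposure: anyone who can reach port 445 on that server can list and read the package folder, so keep only the .nupkg files there and nothing that should not be public, and remember that Chocolatey will happily install whatever is dropped into an anonymously writable folder, so never grant more than Read. The reason the playbook needed it at all is that a WinRM session runs under a network logon whose token cannot be reused to authenticate to a second machine (the double-hop problem); Ansible’s documented way around that is become with become_method: runas and an explicit ansible_become_user and ansible_become_password on the win_chocolatey task, which gives the task a logon that can reach the share while the share stays authenticated.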

Test-ServiceRunning

function Test-ServiceRunning {
    <#
    .SYNOPSIS
        Returns $true if the named service exists and is running, $false if it exists but is not.
        Throws if the name does not match an installed service (callers can catch that).
    #>
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$ServiceName
    )

    # Get-Service treats * and ? as wildcards; this function is for one exact name
    if ([System.Management.Automation.WildcardPattern]::ContainsWildcardCharacters($ServiceName)) {
        throw "Service name '$ServiceName' must not contain wildcard characters"
    }

    try {
        # -ErrorAction Stop turns the "Cannot find any service" error into a terminating one we can catch
        $service = Get-Service -Name $ServiceName -ErrorAction Stop
    } catch [Microsoft.PowerShell.Commands.ServiceCommandException] {
        # Throw rather than calling exit: exit would terminate the caller's script or host
        throw "Not a valid service name: '$ServiceName'"
    }

    return ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running)
}

# Usage:
#   Test-ServiceRunning -ServiceName 'Spooler'     # $true or $false
#   Test-ServiceRunning -ServiceName 'NoSuchSvc'   # throws

Prepare Ubuntu 18.04 for Desktop Anywhere

This one was a little tricky to get set up. I am happy to say that after you follow this procedure, you will be able to access AFRC Desktop Anywhere from Ubuntu 18.04!

As always, I like to provide transparency. I am a traditional reservist in the Air Force Reserve and I also work for VMware. Anything provided here is from me and only me. Nothing here represents official notification from the USAF or VMware. Follow at your own risk. Your system and set up are most likely not identical to mine. I am using a VMware virtual machine for this guide but that should not matter for the purposes of this guide.

With that boring stuff out of the way…

Make sure your system is up-to-date.

Download Software and Packages

  • Open Terminal and type in the following:
sudo apt install opensc opensc-pkcs11 pcsc-tools

Install the DoD Certificates into Firefox Certificate Manager

Open Firefox and select the three lines at the top-right of the window, then click on Preferences. In the Find in Preferences search box, type in Certificates. Click on the View Certificates… button.

In Certificate Manager, make sure you are on the Authorities tab and click the Import… button.

Navigate to where you downloaded and extracted the DoD certificates from earlier. Select the Certificates_PKCS7_v5.6_DoD.der.p7b file. Check the two boxes to trust the certificate. You will need to do this for each certificate you need to use. I recommend starting with DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5. The certificates will be added under the U.S. Government heading.

Add DoD Certificates to the Ubuntu Certificate Trust

While you are here, be sure to choose the DoD Root CA 3 certificate, and then press the Export… button. Make sure the X.509 Certificate (PEM) is selected at the bottom of the window. Also do this for the DOD SW CA-53 certificate necessary for Desktop Anywhere. When you are done exporting the certificates, you can close the Certificate Manager window.

Open Terminal and copy the two exported files to /usr/share/ca-certificates. They must keep a .crt extension, or the next step will not list them. Use the following image if you are unsure how to accomplish this.

Now we want to reconfigure the certificate store by typing in sudo dpkg-reconfigure ca-certificates. This will open the ca-certificates configuration window. Choose Ask, then press tab to select <OK>.

Press the Space bar on the top two DoD certificates and press tab to select <OK>.

When you select <OK>, the Terminal will display the operation of adding the chosen certificates to the certificate store. Make sure the number of certificates you selected are added. In this case, there should be two.

Verify the Smart Card Reader is Accessible to the System

On the Terminal, type pcsc_scan. For the purposes of demonstration in this guide, I am going to post an image of before I connected my Smart Card reader so you can see the difference.

And then, here is an image after I connected my Smart Card reader.

Installing VMware Horizon Client for Linux

On the Terminal, navigate to your downloaded file. Add the execution bit to the bundle by typing sudo chmod u+x <filename>. See the image below for a visual.

Type sudo ./VMware-Horizon and press tab. The rest of the filename should have auto-completed. Press Enter to continue to installation. Read and accept the EULA.

Customize the installation as needed. I am going to accept the defaults.

Verify all the product install files are ready, and click the Install button.

Check the box to Register and start…, and click the Scan button.

I had a few failed results, but this should not affect my use at this time.

Go ahead and close the installer.

Configure the Smart Card Module to be Accessible for Horizon Client

Ref: https://docs.vmware.com/en/VMware-Horizon-Client-for-Linux/5.4/horizon-client-linux-installation/GUID-6CB5F6EE-E7DC-4BF7-8E2A-4542E4A78182.html

On the Terminal, create the directory /usr/lib/vmware/view/pkcs11 (the client does not create it for you).

Now we are going to create a symbolic link to the OpenSC module. The VMware article helps with the syntax, but points to the incorrect location of the module. As long as you have been following along up to this point, you should not have any errors.

sudo ln -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11/libopenscpkcs11.so

Follow the image below for the syntax.

Verify Horizon Client for Linux can use your Smart Card

Hopefully you ran the steps above to verify that Ubuntu could see and access your Smart Card reader. This step will check the log and verify that it is working for the Horizon Client.

Open up the VMware Horizon Client and wait for it to show up. Then, on the Terminal, type less /tmp/vmware-<username>/<log-file-name>. For instance I typed:

less /tmp/vmware-arombaut/vmware-horizon-client-15386.log

Look through the log until you find Initializing smartcard modules. You should see it Loaded 1 modules from /usr/lib/vmware/view/pkcs11 and see one or more certificates presented to you. The certificates that have populated UPNs are what is going to be presented to you in the Horizon UI. This information is also seen from the line, certsList has 1 certificates.

You can close the log and the Terminal.

This actually completes the setup of VMware Horizon Client for Linux. From here you can add a Server and select the appropriate CAC certificate to authenticate.

Due to customer-sensitive information, I am not able to provide further information beyond this point here. I can help you individually if you need more assistance from here though.


PowerShell Error Catching

PowerShell error catching has been very frustrating for me. I try to do the right thing by putting code in a Try-Catch-Finally block, but continue to struggle with catching specific errors. I don’t know why the ‘thing’ I need to catch is not output with the error. I have to go through the error and ‘hunt’ for the thing to catch. Below is the basic syntax for a PowerShell Try-Catch-Finally block.

try {
    # Do something
} catch [something here to catch] {
    # Handle the error
} finally {
    # This section will always run
}

The sample below is similar to what you would typically see after an error is caught. Unfortunately, there is nothing in the output that you can use to ‘catch’.

What you end up having to do is use

$Error[0] | Format-List * -Force

This will show a longer output of the error, and more specifically, the ‘thing’ to ‘catch’. See the highlighted text below.

Now that there is a specific Exception to catch, we can add a new catch block to our Try-Catch-Finally block.

try {
    # Do something
} catch [System.Management.Automation.ParameterBindingException] {
    # Handle the specific error
} finally {
    # This section will always run
}
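An added example, not from the original post, that turns the hunt above into two functions: one that pulls the catchable type out of an ErrorRecord (the same field Format-List * -Force surfaces), and one that uses specific catch blocks, falling back to printing the type so the next unknown error can get its own block. Get-Process is used only because it produces both error kinds on demand; the process id values are made up for the demonstration.

```powershell
# Added example, not from the original post.
function Get-CatchableType {
    # $_ inside catch (and $Error[0]) is an ErrorRecord; the type for catch [...] is on its .Exception.
    # The default error view never prints it, which is why it has to be dug out.
    param([Parameter(Mandatory = $true)][System.Management.Automation.ErrorRecord]$Record)
    $exType = $Record.Exception.GetType()
    [pscustomobject]@{
        CatchType = $exType.FullName                 # most specific choice for catch [...]
        BaseType  = $exType.BaseType.FullName        # catch [...] also matches parent types
        ErrorId   = $Record.FullyQualifiedErrorId    # useful when several paths throw the same type
        Inner     = if ($Record.Exception.InnerException) { $Record.Exception.InnerException.GetType().FullName }
        Message   = $Record.Exception.Message
    }
}

function Get-ProcessSafely {
    param([Parameter(Mandatory = $true)][string]$ProcessId)
    try {
        # Most cmdlet errors are non-terminating and never reach catch; -ErrorAction Stop makes them
        # terminating. Parameter-binding failures are terminating on their own.
        Get-Process -Id $ProcessId -ErrorAction Stop
    } catch [System.Management.Automation.ParameterBindingException] {
        # Raised before the cmdlet runs, e.g. -Id 'abc' cannot be converted to [int]
        "Bad parameter: $($_.Exception.Message)"
    } catch [Microsoft.PowerShell.Commands.ProcessCommandException] {
        # Raised by Get-Process itself when no process has that id
        "No such process: $($_.Exception.Message)"
    } catch {
        # Anything else: record the type so it can get its own catch block next time, then rethrow
        Get-CatchableType -Record $_ | Out-String | Write-Warning
        throw
    } finally {
        Write-Verbose 'finally block ran'
    }
}

# Usage:
#   Get-ProcessSafely -ProcessId 'abc'     # Bad parameter: ...
#   Get-ProcessSafely -ProcessId 999999    # No such process: ...
#   Get-ProcessSafely -ProcessId $PID      # the current PowerShell process object
```

Order matters: catch blocks are tried top to bottom and the first type match wins, so put the most specific type first and keep a bare catch last. A specific catch also matches subclasses, which is why catch [System.Management.Automation.ParameterBindingException] handles the ParameterBindingArgumentTransformationException that the bad -Id value actually raises.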

The best help I was able to find for this came from a Spiceworks post by Duffney, https://community.spiceworks.com/how_to/121063-using-try-catch-powershell-error-handling. It was by far the easiest method to discover the specific error to use in the catch block.

I am not quite sure why it is so hard to find the exception to use in the catch block or why it is just not part of the error output. I suppose for someone who codes in PowerShell everyday, this post will be laughable. I just wanted to make sure I recorded a post for future reference because I know for sure, I will struggle with this concept again.