Tag: VMware

VMware related material.

Posted on

Prepare Ubuntu 18.04 for Desktop Anywhere

This one was a little tricky to get set up. I am happy to say that after you follow this procedure, you will be able to access AFRC Desktop Anywhere from Ubuntu 18.04!

As always, I like to provide transparency. I am a traditional reservist in the Air Force Reserve and I also work for VMware. Anything provided here is from me and only me. Nothing here represents official notification from the USAF or VMware. Follow at your own risk. Your system and set up are most likely not identical to mine. I am using a VMware virtual machine for this guide but that should not matter for the purposes of this guide.

With that boring stuff out of the way…

Make sure your system is up-to-date.

Download Software and Packages

  • Open Terminal and type in the following: 
sudo apt install opensc opensc-pkcs11 pcsc-tools

Install the DoD Certificates into Firefox Certificate Manager

Open Firefox and select the three lines at the top-right of the window, then click on Preferences. In the Find in Preferences search box, type in Certificates. Click on the View Certificates… button.

In Certificate Manager, make sure you are on the Authorities tab and click the Import… button.

Navigate to where you downloaded and extracted the DoD certificates from earlier. Select the Certificates_PKCS7_v5.6_DoD.der.p7b file. Check the two boxes to trust the certificate. You will need to do this for each certificate you need to use. I recommend starting with DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5. The certificates will be added under the U.S. Government heading.

Add DoD Certificates to the Ubuntu Certificate Trust

While you are here, be sure to choose the DoD Root CA 3 certificate, and then press the Export… button. Make sure the X.509 Certificate (PEM) is selected at the bottom of the window. Also do this for the DOD SW CA-53 certificate necessary for Desktop Anywhere. When you are done exporting the certificates, you can close the Certificate Manager window.

Open Terminal and copy the two files to /usr/share/ca-certificates. Use the following image if you are unsure how to accomplish this.

Now we want to reconfigure the certificate store by typing in sudo dpkg-reconfigure ca-certificates. This will open the ca-certificates configuration window. Choose Ask, then press tab to select <OK>.

Press the Space bar on the top two DoD certificate and press tab to select <OK>.

When you select <OK>, the Terminal will display the operation of adding the chosen certificates to the certificate store. Make sure the number of certificates you selected are added. In this case, there should be two.

Verify the Smart Card Reader is Accessible to the System

On the Terminal, type pcsc_scan. For the purposes of demonstration in this guide, I am going to post an image of before I connected my Smart Card reader so you can see the difference.

And then, here is an image after I connected my Smart Card reader.

Installing VMware Horizon Client for Linux

On the Terminal, navigate to your downloaded file. Add the execution bit to the bundle by typing sudo chmod u+x <filename>. See the image below for a visual.

Type sudo ./VMware-Horizon and press tab. The rest of the filename should have auto-completed. Press Enter to continue to installation. Read and accept the EULA.

Customize the installation as needed. I am going to accept the defaults.

Verify all the product install files are ready, and click the Install button.

Check the box to Register and start…, and click the Scan button.

I had a few failed results, but this should not affect my use at this time.

Go ahead and close the installer.

Configure the Smart Card Module to be Accessible for Horizon Client

Ref: https://docs.vmware.com/en/VMware-Horizon-Client-for-Linux/5.4/horizon-client-linux-installation/GUID-6CB5F6EE-E7DC-4BF7-8E2A-4542E4A78182.html

On the Terminal, make a directory in /usr/lib/vmware/view/pkcs11.

Now we are going to create a symbolic link to the OpenSC module. The VMware article helps with the syntax, but points to the incorrect location of the module. As long as you have been following along up to this point, you should not have any errors. 

sudo ln -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib/vmware/view/pkcs11/libopenscpkcs11.so

Follow the image below for the syntax.

Verify Horizon Client for Linux can use your Smart Card

Hopefully you ran the steps above to verify that Ubuntu could see and access your Smart Card reader. This step will check the log and verify that it is working for the Horizon Client.

Open up the VMware Horizon Client and wait for it to show up. Then, on the Terminal, type less /tmp/vmware-<username>/<log-file-name>. For instance I typed:

less /tmp/vmware-arombaut/vmware-horizon-client-15386.log

Look through the log until you find Initializing smartcard modules. You should see it Loaded 1 modules from /usr/lib/vmware/view/pkcs11 and see one or more certificates presented to you. The certificates that have populated UPNs are what is going to be presented to you in the Horizon UI. This information is also seen from the line, certsList has 1 certificates.

You can close the log and the Terminal.

This actually completes the setup of VMware Horizon Client for Linux. From here you can add a Server and select the appropriate CAC certificate to authenticate.

Due to customer-sensitive information, I am not able to provide further information beyond this point here. I can help you individually if you need more assistance from here though.

[email protected]

Posted on

VMware ESXi SSL Certificate Signing Request (CSR)

Need to replace the certificates with a custom certificate from a commercial or corporate Certificate Authority (CA)? You are going to need a Certificate Signing Request (CSR).

I use the certificate-manager tool (see below) included with vCenter to generate all of my requests. I found recently that you can skip this altogether if you can include the certificate’s key from the CA. In the traditional method, though, you will generate a CSR, submit to CA, and receive back a custom signed certificate.

/usr/lib/vmware-vmca/bin/certificate-manager
  • Connect to your Platform Services Controller (PSC) via SSH. This could be the same as your vCenter server.
  • Create a temporary directory to store your files in when you run the certificate-manager tool. Create a directory for each system you intend to generate CSR files for. I use the following format for my directory:
/tmp/hostname1
/tmp/hostname2
...
/tmp/hostnamen
  • Run the certificate-manager tool: 
/usr/lib/vmware-vmca/bin/certificate-manager
  • Select option 1 to replace the Machine SSL.
  • Provide the administrator username if the SSO domain is not default or press Enter.
  • Provide the administrator password.
  • Select option 1 to Generate Certificate Signing Request(s)…
  • Provide an Output directory path such as 
/tmp/hostname

The next information you will be requested to enter is for the certificate.

  • Country – Use two digit code (https://www.iso.org/obp/ui/#search)
  • Name – Use the fully qualified domain name of the server here
  • Organization – Name of your organization
  • OrgUnit – Name of your department
  • State – The state where the system resides (no abbreviations)
  • Locality – The city where the system resides
  • IPAddress – IP address of the system
  • Email – Email address for person or department responsible for administration of the system
  • Hostname – It’s best to always include a fully qualified domain name as well as a short name.
  • Proper value of VMCA ‘Name’ – I use the fully qualified domain name here

Press option 2 to Exit certificate-manager. Your csr and key files will be stored at the location you specified.

Apple Computer

If you use an Apple computer, you can use scp in the Terminal to copy the files.

$mkdir ~/Documents/Certificates/hostname/
$cd ~/Documents/Certificates/hostname/
$scp [email protected]:/tmp/hostname/*.* .

Windows Computer

If you use Windows, I recommend WinSCP. You will first need to set the shell on the Platform Services Controller to Bash.

chsh -s /bin/bash root

Follow the instructions of your CA on how to submit the CSR to be signed.

Posted on

Section 1 – Install and Configure Horizon Server Components

Objective 1.1 – Describe techniques to prepare environment for Horizon

This is a very odd objective to work through. I think the word “techniques” is what is throwing me off. To me, the word should be “requirements” and is asking the test taker what is required to prepare the environment for the installation of VMware Horizon 7.

According to the Horizon 7 Installation guide, “Horizon Connection Server has specific hardware, operating system, installation, and supporting software requirements.” (Reference: https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-858D1E0E-C566-4813-9D53-975AF4432195.html) I would also add licenses to this list as not all features are supported in all versions.

Hardware Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-332CFB83-784A-4578-9354-888C0538909A.html

Supported Operating Systems – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-30AA88CF-8CDF-42E5-97D4-D75B2171434B.html

Virtualization Software Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-BB3405C3-7026-47BE-A994-0E2C01651BBF.html

Network Requirements – https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-2EC85E02-D6A8-4A75-B8B2-E7A6AE62E7CC.html

The three editions of Horizon 7 are Horizon Standard, Horizon Advanced, and Horizon Enterprise.

Objective 1.2 – Determine procedures to install Horizon Components

The following link provides a high level overview of the installation procedures. https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-getting-started/GUID-C4C7ACB1-2283-4D6B-92CB-058DA94A4F2F.html

Objective 1.3 – Determine steps to configure Horizon Components

The link in Objective 1.2 has links to each step that help with the configuration of the components. So far though, the components have not been listed. Below is a list of a few of the components of Horizon 7.

  • View composer – used if linked clone desktops are going to be deployed
  • Horizon Connection server – this is the server that clients use to connect to the Horizon environment
  • JMP (Just-In-Time Management Platform)
  • Horizon Agent
  • Horizon Client
  • ThinApp
  • App Volumes

Objective 1.4 – Analyze End User Requirements for Display Protocol Performance

End user requirements for display protocol performance are limited to the way the client connects to the virtual desktop. The three display protocols offered are VMware Blast Extreme , PCoIP, and Microsoft RDP. Clients that connect to the desktop with HTML Access use Blast Extreme, and not PCoIP or Microsoft RDP.

For more information choosing a display protocol, reference the following VMware Doc, here.

Objective 1.5 – Diagnose and solve issues related to connectivity between Horizon server Components

This objective seems to be calling out the ports and protocols that are used within the Horizon environment. There are a lot of them as this technology ties together a lot of different components. Also, the firewall will have to be taken into account and configured appropriately. If the components are configured in the local area network or DMZ, this should cut down on the configuration needed at the edge and also provide for a more secure installation.

Here is a link to the VMware docs for the communications protocols.

Default Ports
Protocol Port
JMS TCP port 4001
TCP port 4002
AJP13 TCP port 8009
HTTP TCP port 80
HTTPS TCP port 443
MMR/CDR TCP port 9427
RDP TCP port 3389
SOAP TCP port 80 or 443
PCoIP TCP port 4172
UDP ports 4172, 50002, 55000
USB redirection TCP port 32111
VMware Blast Extreme TCP ports 8443, 22443
UDP ports 443, 8443, 22443
HTML Access TCP ports 8443, 22443
Posted on

Recover vCenter Appliance after Power/Storage Failure

Well, this would have saved me quite a bit of time in my past. My storage device got unplugged from the network while my lab was running and vCenter refused to come back. This is expected as the appliance has an embedded database.

I found this article from VMware that worked! It took less than 10 minutes.

https://kb.vmware.com/s/article/2149838

Use Shift + PgUp to scroll through the boot process and find out what filesystem, if any, is causing trouble.

Then type df -h to ensure none of the filesystems are full.

Compare /etc/fstab with the output from dh -f.

Once you have identified the missing or corrupt filesystem, run

e2fsck -y /dev/filesystem-that-needs-to-be-checked

Reboot the appliance and away you go! 

reboot
Posted on

ESXi Ruleset & Firewall Correlation

Working with VMware is usually a breeze. Unfortunately, this time I ran into an issue while setting up a new Host Profile, specifically the Ruleset Configuration for the Firewall, during the configuration for a DISA STIG. Almost all of the rules match a Firewall named rule but there are Firewall rules that do not have corresponding Ruleset names. I looked through VMware documentation, Reddit, and of course Google. I was unable to find any information where the two were together. So…I decided I would take on the task myself and of course share this with everyone.

VMware does provide an Incoming and Outgoing Firewall Ports for ESXi Hosts article (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html) but the service is only listed, not the corresponding Ruleset Configuration name. This is what the following table will help fill-in.

ESXi Ruleset & Firewall Correlation Table
  • Default – The service is enabled upon initial install
  • Survive Reboot – The service will be enabled after rebooting the host
  • Ruleset Name – Host Profile > Security and Services > Firewall Configuration > Firewall Configuration > Ruleset Configuration
  • Ruleset Order – This is the order the rules are presented in the Host Profile
  • Firewall Name – The name from Configure > System > Security Profile > Firewall menu
  • In-Ord – This is the order of the incoming rules in the UI
  • In – These are the ingress TCP/UDP ports
  • Out-Ord – This is the order of the outgoing rules in the UI
  • Out – These are the egress TCP/UDP ports
Firewall Services (MS Excel)Download
Firewall Services (CSV)Download
Posted on

VMware ESXi 6.5 STIG Default File Permissions

Sorry for the long title, but I wanted it to be descriptive enough to understand and search. So recently, I was testing out the VMware Fling, “DoD Security Technical Implementation Guide(STIG) ESXi VIB” to try to speed up how I secure my hosts. Unfortunately, it changed the default file permissions on my files and I didn’t have the defaults documented. So I went to my lab and installed a fresh copy of ESXi 6.5 and connected to it with SSH. Yes, I am fully aware that I should have started in my lab, then moved on to production. Eh, you win some and you lose some.

The following files are updated as part of the Fling to comply with the 6.0 STIG (http://iasecontent.disa.mil/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R4_STIG.zip). At the time of this writing, the 6.5 STIG still has not been released.

  • /etc/issue
  • /etc/pam.d/passwd
  • /etc/ssh/sshd_config
  • /etc/vmware/welcome

Here are the file permissions on a default ESXi 6.5 installation.

/etc/issue (octal 1644)

[root@localhost:~] ls -la /etc/issue
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/issue

 

/etc/pam.d/passwd (octal 1644)

[root@localhost:~] ls -la /etc/pam.d/passwd
-rw-r--r-T 1 root root 335 Apr 7 2017 /etc/pam.d/passwd

 

/etc/ssh/sshd_config (octal 1600)

[root@localhost:~] ls -la /etc/ssh/sshd_config
-rw------T 1 root root 1115 Apr 7 2017 /etc/ssh/sshd_config

 

/etc/vmware/welcome (octal 1644)

[root@localhost:~] ls -la /etc/vmware/welcome
-rw-r--r-T 1 root root 0 Apr 7 2017 /etc/vmware/welcome

 

The meaning behind each octal digit is this:

1000 is the sticky bit
0600 is read (r) and write (w) for the user
0040 is read (r) for the group
0004 is read (r) for everyone

‘chmod 1644 <filename>’ will change the mode of the file with the permission described above.

 

 

 

 

 

 

 

Posted on

Explain Available vSphere Editions and Features

Editions offered in version 6.5

  • vSphere Standard Edition
  • vSphere Enterprise Plus Edition
  • vSphere with Operations Management Enterprise Plus

Features

  • Business Continuity and Security
  • Resource Prioritization and Enhanced Application Performance
  • Automated Administration and Provisioning
  • Intelligent Operations Management Platform
  • Performance Monitoring and Analytics
  • Capacity Management
  • Extensibility Through Management Packs
  • Log Analytics