vSphere Management Assistant Guide

vSphere 4.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000319-00

vSphere Management Assistant Guide

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 20082010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

VMware, Inc.

Contents

AboutThisBook

1 IntroductiontovMA 7
vMACapabilities 7 vMAComponentOverview 8 vSphereAuthenticationMechanism 8 vSphereLoggingComponent 9 vMASamples 9 vMAUseCases 9 WritingorConvertingScripts 9 WritingorConvertingAgents 10

2 GettingStartedwithvMA 11
HardwareRequirements 12 SoftwareRequirements 12 RequiredAuthenticationInformation 12 DeployvMA 13 ConfigurevMAatFirstBoot 13 ConfigurevMAforActiveDirectoryAuthentication 14 ConfigureUnattendedAuthenticationforActiveDirectoryTargets TroubleshootingUnattendedAuthentication 15 EnabletheviuserAccount 16 AddTargetServerstovMA 16 RunningvSphereCLIfortheTargets 18 ReconfigureaTargetServer 19 RemoveTargetServersfromvMA 19 ModifyingScripts 19 ShutDownvMA 20 DeletevMA 20 TroubleshootingvMA 21

15

3 vMAInterfaces 23
vMAInterfaceOverview 23 vifptargetCommandforvifastpassInitialization 24 vifpTargetManagementCommands 24 vifpaddserver 24 vifpremoveserver 26 vifprotatepassword 26 vifplistservers 27 vifpreconfigure 28 TargetManagementExampleSequence 28 viloggerDaemonandLogManagementCommands 28 ManagementServiceInterfaceforvilogd 29 viloggerenable 29 viloggerdisable 30 viloggerupdatepolicy 31 viloggerlist 31
VMware, Inc. 3

vSphere Management Assistant Guide

UsingtheVmaTargetLibLibrary 32 VmaTargetLibReference 32 EnumeratingTargets 32 QueryingTargets 33 ProgrammaticLogin 33 ProgrammaticLogout 34

Appendix:UpdatingvMAwithvmaupdate
Introductiontovmaupdate 35 Usevmaupdate 35 UsevmaupdatewithUpdateDepots 37 vmaupdateTroubleshooting 37

35

Index 39

VMware, Inc.

About This Book

ThevSphereManagementAssistantGuideexplainshowtodeployandusevMAandincludesreference informationforvMACLIsandlibraries. Toviewthecurrentversionofthisbook,aswellasallVMwareAPIandSDKdocumentation,goto http://www.vmware.com/support/pubs/sdk_pubs.html.

Revision History
Thisbook,thevSphereManagementAssistantGuide,isrevisedwitheachreleaseoftheproductorwhen necessary.Arevisedversioncancontainminorormajorchanges.Table 1summarizesthesignificantchanges ineachversionofthisbook. Table 1. Revision History
Revision 13JUL2010 16NOV2009 Description vMA4.1release Chapter1isenhancedtoprovidedetailsaboutvMAsenhancedcapabilities,authenticationmechanisms andthechangestothesamplesisnowaCentOSbasedvirtualmachine. Chapter2providesinformationaboutconfiguringvMAforActiveDirectory.Italsoexplainshowto reconfigureatargetserver. Chapter3providesinformationaboutthenewvifptargetandvifp reconfigurecommands.Italso describestheVmaTargetLiblibrary. 21MAY2009 27OCT2008 vMA4.0documentation VIMA1.0documentation

Intended Audience
ThisbookisforadministratorsanddeveloperswithsomeexperiencesettingupaLinuxsystemandworking inaLinuxenvironment.AdministratorscanusethevMAautomatedauthenticationfacilitiesandthesoftware packagedwithvMAtointeractwithESX/ESXihostsandvCenterServersystems.Developerscancreateagents thatinteractwithESX/ESXihostsandvCenterServersystems.

VMware Technical Publications Glossary

VMwareTechnicalPublicationsprovidesaglossaryoftermsthatmightbeunfamiliartoyou.Fordefinitions oftermsastheyareusedinVMwaretechnicaldocumentationgotohttp://www.vmware.com/support/pubs.

Document Feedback
VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Sendyourfeedbackto docfeedback@vmware.com.

VMware, Inc.

vSphere Management Assistant Guide

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversions ofotherVMwarebooks,gotohttp://www.vmware.com/support/pubs.

Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and registeryourproducts,gotohttp://www.vmware.com/support.

Support Offerings
TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto http://www.vmware.com/support/services.

VMware Professional Services

VMwareEducationServicescoursesofferextensivehandsonlabs,casestudyexamples,andcoursematerials designedtobeusedasonthejobreferencetools.Coursesareavailableonsite,intheclassroom,andlive online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides offeringsto helpyouassess,plan,build,andmanageyourvirtualenvironment.Toaccessinformationabout educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.

VMware, Inc.

Introduction to vMA

ThevSphereManagementAssistant(vMA)isaCentOSbasedvirtualmachinethatincludesprepackaged softwaresuchasthevSpherecommandlineinterface,andthevSphereSDKforPerl.vMAallows administratorstorunscriptsoragentsthatinteractwithESX/ESXiandvCenterServersystemswithouthaving toauthenticateeachtime.vMAcanalsocollectandstoreESX/ESXiandvCenterServerlogsforanalysis. Thechapterincludesthefollowingtopics:

vMACapabilitiesonpage 7 vMAComponentOverviewonpage 8 vMAUseCasesonpage 9

TogetstartedwithvMArightaway,gotoGettingStartedwithvMAonpage 11.

vMA Capabilities
vMAprovidesaflexibleandauthenticatedplatformforrunningscriptsandprograms.

Asadministrator,youcanaddvCenterserversandESX/ESXisystemsastargetsandrunscriptsand programsonthesetargets.Onceyouhaveauthenticatedwhileaddingatarget,youneednotloginagain whilerunningavSphereCLIcommandoragent. Asadeveloper,youcanusetheAPIsprovidedwiththeVmaTargetLiblibrarytoprogrammatically connecttovMAtargetsbyusingPerlorJava. vMAenablesreuseofserviceconsolescriptsthatarecurrentlyusedforESXadministration,thoughminor modificationstothescriptsareusuallynecessary. vMAcomespreconfiguredwithtwouseraccounts,namely,viadminandviuser.

Asviadmin,youcanperformadministrativeoperationssuchasadditionandremovaloftargets. You canalsorunvSphereCLIcommandsandagentswithadministrativeprivilegesonthe added targets. Asviuser,youcanrunthevSphereCLIcommandsandagentswithreadonlyprivilegesonthe target.

YoucanmakevMAjoinanActiveDirectorydomainandloginasanActiveDirectoryuser.Whenyourun commandsfromsuchauseraccount,theappropriateprivilegesgiventotheuseronthevCenter,ESX,or ESXisystemwouldbeapplicable. vMAcanrunagentcodethatmakeproprietaryhardwareorsoftwarecomponentscompatiblewith VMwareESX.ThesecodecurrentlyrunintheserviceconsoleofexistingESXhosts.Youcanmodifymost oftheseagentcodetoruninvMA,bycallingthevSphereAPIandCommonInformationModel(CIM) providers,ifnecessary.Developersmustmoveanyagentcodethatdirectlyinterfaceswithhardwareinto aprovider.

VMware, Inc.

vSphere Management Assistant Guide

vMA Component Overview

WhenyouinstallvMA,youarelicensedtousetheresultingvirtualmachinethatincludesallvMA components.Youcanusethevma-updateutilityfrominsidevMAtodownloadupdatesandVMware components,includingtheoperatingsystem.SeeAppendix:UpdatingvMAwithvmaupdateonpage 35. vMAincludesthefollowingcomponents.

CentOSrelease5.364bitEnterpriseLinuxvMArunsCentOSonthevirtualmachine.Youcanmovefiles betweentheESX/ESXihostandthevMAconsolebyusingthevifsvSphereCLIcommand. VMwareToolsInterfacetothehypervisor. vSphereCLICommandsformanagingvSpherefromthecommandline.SeethevSphereCommandLine InterfaceInstallationandReferenceGuide. vSphereSDKforPerlClientsidePerlframeworkthatprovidesascriptinginterfacetothevSphereAPI. TheSDKincludesutilityapplicationsandsamplesformanycommontasks. SMISvMAincludestheVMwareimplementationoftheCIMprofilescompatiblewiththeStorage ManagementInitiativeSpecification(SMISversion1.0.2)oftheStorageNetworkIndustryAssociation. WithvMA4.1,youcanspecifyESX/ESXiandvCenterServersystemsastargetservers.Thescriptthat establishestheSMIStargetserverusestheVmaTargetLiblibrary. JavaJREversion1.6RuntimeengineforJavabasedapplicationsbuiltwiththevSphereWebServices SDK.

AnSNMPServerthatenablesmonitoringofvMAisincluded.vMAdoesnotexportanyconfigurationusing SNMPanddoesnotexportorproxySNMPinformationaboutitstargetservers.TheSNMPServersupports thefollowingcoreSNMPMIBs:

RFC3418SNMPv2MIB RC2863IFMIB RFC4293IPMIB RFC2790HOSTRESOURCESMIB

vMAalsoincludesanauthenticationcomponent(vifastpass)andaloggingcomponent(vilogger).

vSphere Authentication Mechanism

vMAsauthenticationinterfaceallowsusersandapplicationstoauthenticatewiththetargetserversusing vifastpassorActiveDirectory.Whileaddingaserverasatarget,theAdministratorcandetermineifthetarget needstousevifastpassorActiveDirectoryauthentication.Forvifastpassauthentication,thecredentialsthat auserhasonthevCenter,ESX,orESXisystemarestoredinalocalcredentialstore.ForActiveDirectory authentication,theuserisauthenticatedwithanActiveDirectoryserver. WhenyouaddanESX/ESXisystemasafastpasstargetserver,vifastpasscreatestwouserswithencrypted passwordsonthetargetserver:

viadminwithadministratorprivileges viuserwithreadonlyprivileges

vifastpassstoresthepasswordinformationforthetargetserveronvMA. ThecreationofviadminandviuserdoesnotapplyforActiveDirectoryauthenticationtargets.Whenyouadd asystemasanActiveDirectorytarget,vMAdoesnotstoreanyinformationaboutthecredentials.Tousethe ActiveDirectoryauthentication,theadministratormustconfigurevMAforActiveDirectory.Formore informationonhowtoconfigurevMAforActiveDirectory,seeConfigurevMAforActiveDirectory Authenticationonpage 14. Afteraddingatargetserver,youmustinitializevifastpasssothatyoudonothavetoauthenticateeachtime yourunvSphereCLIcommands.IfyourunavSphereCLIcommandwithoutinitializingvifastpass,youwill beaskedforusernameandpassword.

VMware, Inc.

Chapter 1 Introduction to vMA

Youcaninitializevifastpassusingoneofthefollowingmethods:

Runvifptarget.Formoreinformationaboutthisscript,seevifptargetCommandforvifastpass Initializationonpage 24. CalltheLoginmethodinaPerlorJavaprogram.Formoreinformationaboutthismethod,see VmaTargetLibReferenceonpage 32.

Aftersettingupatargetusingthevifptargetcommand,youcanrunvSphereCLIcommandsorscriptsthat usevSphereSDKforPerlwithoutprovidinganyauthenticationinformation.Toruncommandsagainstan ESXorESXisystemthatismanagedbyavCenterserver,youcanusethe-vihostoption. YouneedtorunthevifptargetcommandortheLoginmethodonce,eachtimeyoulogintovMA.Thetarget thatyouspecifyinthevifptargetcommandisthedefaulttarget.Targetserversremaintargetsacross reboots.Youcanoverrideitbyusingthe-serveroptionofthevSphereCLIcommandsasshowninthe followingexample: vifptarget -s esx1.foo.com vicfg-nics -l #liststhenicsonesx1.foo.com

vicfg-nics -l -server esx2.foo.com #liststhenicsonesx2.foo.com

vSphere Logging Component

ThevSphereloggingcomponent,vilogger,collectslogfilesfromtargetESX/ESXi/vCenterhostsaccordingto thespecifiedlogpolicy.viloggerconsistsofalogdaemon(vilogd)thatcollectsandprocesseslogfilesand theviloggerCLIthatsupportsloggerconfiguration. ThelogdaemonstartswhenvMAboots.Thedaemonstartscollectinglogswhenloggingisenabledona specifiedtargetserverforaspecifiedlog.Thedaemondoesnotdownloadlogsthatwerecreatedbefore loggingwasenabledonvMA.Thedaemonwakesupperiodicallytoretrieveloginformationaccordingtothe logpolicy.IfthetimedifferencebetweentheESX/ESXihostandvMAismorethanonesecond,thelogdaemon adjuststhetimestampsinthelogtocorrespondtothevMAtimeandtimezone.IftheESX/ESXihostandvMA aretimesynchronized,notimestampadjustmentisnecessary. Bydefault,vilogdplacesthelogsin/var/log/vmware.Tospecifyadifferentloglocation,changethe /etc/vmware/vMA/vMA.conffile.vilogdplacesthelogsinthenewlocation.

vMA Samples
vMAsamplesillustratethevMACLIsandtheVmaTargetLiblibrary.ThesamplesareavailableinvMAat /opt/vmware/vma/samples.EachsampleincludesaREADMEfile.

bulkAddServers.plPerlsamplethataddsmultipletargetstovMA. mcli.plPerlsamplethatrunsavSphereCLIcommandonmultiplevMAtargetsspecifiedinafile suppliedasanargument.Youmustrunvifptargetbeforerunningthisscript. listTargets.pl PerlsamplethatretrievesinformationandversionofvMAtargetsusing vMaTargetLib. listTargets.sh JavasamplethatdemonstratesuseofVmaTargetLib.

vMA Use Cases

Thissectionlistsafewtypicalusecases.

Writing or Converting Scripts

YoucanrunexistingvSphereCLIorvSphereSDKforPerlscriptsfromvMA.Tosettargetserversandinitialize vifastpass,thescriptcanusetheVmaTarget.login() methodofVmaTargetLib.

VMware, Inc.

vSphere Management Assistant Guide

Writing or Converting Agents

PartnersorcustomerscanusevMAtowriteorconvertagents.

ApartnerorcustomerwritesanewagentinPerl. WhenapartnerorcustomerwritesanewagentinPerl,thePerlscriptmustimportthevifplibPerl moduleandallvSphereSDKforPerlmodules.InsteadofcallingthevSphereSDKforPerlsubroutine Util::Connect(targetUrl, username, password),theagentcalls VmaTargetLib::VmaTarget.login().

ApartnerorcustomerrunsanagentwritteninPerlorJavaintheserviceconsoleandwantstoportthe agenttovMA. TheagentusescodesimilartothefollowingPerllikepseudocodetologintoESX/ESXihosts:

LoginToMyEsx() { SessionManagerLocalTicket tkt = SessionManager.AcquireLocalTicket(userName); UserSession us = sm.login(tkt.userName, tkt.passwordFilePath); }

Thepartnerchangestheagenttousecodesimilartothefollowingpseudocodeinstead:
LoginToMyEsx(String myESXName) { VmaTarget target = VmaTargetLib.queryTarget(myESXName); UserSession us = target.login(); }

ThispseudocodeassumesonlyonevMAtarget.Formultipletargetservers,thecodecanspecifyany targetserverorloopthroughalistoftargetservers.

ApartnerorcustomerrunsanagentwritteninPerloutsidetheESX/ESXisystemandportstheagentto vMA. InsteadofcallingthevSphereSDKforPerlmethodUtil::Connect(),theagentcallsthevifplibrary methodVmaTargetLib::VmaTarget.login().

10

VMware, Inc.

Getting Started with vMA

YoushouldhavesomeexperiencesettingupaLinuxsystemandworkinginaLinuxenvironment.This chapterexplainshowtodeployandconfigurevMA,howtoaddandremovetargetservers,andhowto prepareandrunscripts.Thechapteralsoincludestroubleshootinginformation. ReadChapter 1,IntroductiontovMA,onpage 7forbackgroundinformationonvMAfunctionalityand availablevMAcomponents. IMPORTANTYoucanupgradeavMA4.0systemtovMA4.1GA.However,youcannotupgradeaVIMA1.0 systemtovMA4.1. Thischapterincludesthefollowingtopics:

HardwareRequirementsonpage 12 SoftwareRequirementsonpage 12 RequiredAuthenticationInformationonpage 12 DeployvMAonpage 13 ConfigurevMAatFirstBootonpage 13 ConfigurevMAforActiveDirectoryAuthenticationonpage 14 ConfigureUnattendedAuthenticationforActiveDirectoryTargetsonpage 15 EnabletheviuserAccountonpage 16 AddTargetServerstovMAonpage 16 RunningvSphereCLIfortheTargetsonpage 18 ReconfigureaTargetServeronpage 19 RemoveTargetServersfromvMAonpage 19 ModifyingScriptsonpage 19 ShutDownvMAonpage 20 DeletevMAonpage 20 TroubleshootingvMAonpage 21

VMware, Inc.

11

vSphere Management Assistant Guide

Hardware Requirements
TosetupvMA,youmusthaveanESX/ESXihost.BecausevMArunsa64bitLinuxguestoperatingsystem, theESX/ESXihostonwhichitrunsmustsupport64bitvirtualmachines. TheESX/ESXihostmusthaveoneofthefollowingCPUs:

AMDOpteron,revEorlater IntelprocessorswithEM64TsupportwithVTenabled.

Opteron64bitprocessorsearlierthanrevE,andIntelprocessorsthathaveEM64Tsupportbutdonothave VTsupportenabled,donotsupporta64bitguestoperatingsystem.Fordetailedhardwarerequirements,see theHardwareCompatibilityListontheVMwareWebsite. Bydefault,vMAusesonevirtualprocessor,andrequires5GBofstoragespaceforthevMAvirtualdisk.The recommendedmemoryforvMAis512MB.

Software Requirements
YoumusthavethefollowingsoftwaretodeployvMA:

vSphere4.1 vSphere4.0YoucandeployvMAtoESX/ESXisystemsusingavSphereClientconnecteddirectlytothe ESX/ESXisystemorusingavSphereClientconnectedtoavCenterServer4.0system. ESX/ESXi3.5Update2andlaterYoucandeployonESX/ESXi3.5Update2orlaterusingavSphere4.0 Client. vSphereClientYouneedavSphereClientfordeployingvMA.

YoucanusevMAtotargetESX/ESXi3.5Update2orlater,ESX/ESXi4.0and4.1,andvCenterServer4.0and 4.1systems. Atruntime,thenumberoftargetsasinglevMAinstancecansupportdependsonhowitisused.Factorsthat affectthenumberoftargetsincludehowmanylogfilesvMAiscollecting,howoftenvMAupdatesthelog files,andhowoftendataareaddedtothoselogfiles.vMAhasbeentestedwithover100targetsundernormal loadconditions.

Required Authentication Information

BeforeyoubeginvMAconfiguration,obtainthefollowingusernameandpasswordinformation:

vCenterServersystemIfyouwanttouseavCenterServersystemasthetargetserver,youmustbeable toconnecttothatsystem. IfyouareusingavCenterServertarget,youdonotneedpasswordsfortheESX/ESXisystemsthat vCenterServersystemmanages,unlessyouruncommandsthatdonotsupportvCenterServertargets.

ESX/ESXihostYoumusthavetherootpasswordortheusernameandpasswordforauserwith administrativeprivilegesforeachESX/ESXihostyouaddasavMAtarget.Youdonotneedthe authenticationinformationwhenyouremoveatargethost. vMAWhenyoufirstlogintovMA,vMApromptsforapasswordfortheviadminuser.Specifya passwordandrememberitforsubsequentlogins.TheviadminuserhasrootprivilegesonvMA. IMPORTANTTherootuseraccountisdisabledonvMA.Torunprivilegedcommands,typesudo <command>.Bydefault,onlyviadmincanruncommandsthatrequiresudo.

12

VMware, Inc.

Chapter 2 Getting Started with vMA

Deploy vMA
YoucandeployvMAbyusingafileorfromaURL.Ifyouwanttodeployfromafile,downloadandunzipthe vMAZIPfilebeforeyoustartthedeploymentprocess. IMPORTANTYoucanupgradeavMA4.0systemtovMA4.1.However,youcannotupgradeaVIMA1.0 systemtovMA4.1 To deploy vMA 1 2 3 UseavSphereClienttoconnecttoasystemthatisrunningESX/ESXi4.1,ESX/ESXi4.0,ESX/ESXi3.5 Update2orlater,orvCenterServer4.0. IfconnectedtoavCenterServersystem,selectthehosttowhichyouwanttodeployvMAintheinventory pane. SelectFile>DeployOVFTemplate. TheDeployOVFTemplatewizardappears. 4 5 6 7 8 9 SelectDeployfromfileifyouhavealreadydownloadedandunzippedthevMAvirtualappliance package. Click Browse,selecttheOVF,andclickNext. ClickNextwhenthedownloaddetailsaredisplayed. Acceptthelicenseagreement. (Optional)Specifyanameforthevirtualmachine. Selectalocationforthevirtualmachinewhenprompted. IfyouareconnectedtoavCenterServersystem,youcanselectafolder. 10 IfconnectedtoavCenterServersystem,selecttheresourcepoolforthevirtualmachine. Bydefault,thetoplevelrootresourcepoolisselected. 11 12 Ifprompted,selectthedatastoretostorethevirtualmachineonandclickNext. SelectthenetworkmappingandclickNext. IMPORTANTMakesurevMAisconnectedtothemanagementnetworkonwhichthevCenterServerand ESX/ESXisystemsthatareintendedvMAtargetsarelocated. 13 ReviewtheinformationandclickFinish. ThewizarddeploysthevMAvirtualmachinetothehostthatyouselected.The deployprocesscantake severalminutes. NextyouconfigureyourvMAvirtualmachine.YouperformthistaskwhenyoulogintovMAthefirsttime.

Configure vMA at First Boot

WhenyoustartthevMAvirtualmachinethefirsttime,youcanconfigureit. To configure vMA 1 2 3 InthevSphereClient,rightclickthevirtualmachine,andclickPowerOn. SelecttheConsoletab. Answerthenetworkconfigurationprompts. Ifmultiplenetworkadaptersareonthehost,youcanusethevSphereClienttoaddasecondnetwork adaptertovMA.

VMware, Inc.

13

vSphere Management Assistant Guide

Whenprompted,specifyahostnameforvMA. Thenamecanincludeupto64alphanumericcharacters. YoucanlaterchangethevMAhostnamebymodifyingthe/etc/sysconfig/networkfile,asyouwould foranyLinuxhost.

Whenprompted,specifyapasswordfortheviadminuser. Thisuserhasrootprivileges. ThepromptusestheLinuxpasswdutility:

Ifyouspecifyapasswordconsideredinsecure,aBad Passwordmessageisdisplayed.Choosea differentpassword.Forinformationaboutrequirementsforsecurepasswords,searchtheInternetfor Linuxsecurepassword. Youcanusespecialcharactersdirectlyattheprompt.Youdonotneedtoprecedespecialcharacters withescapecharactersorsurroundwordsthatcontainspecialcharactersinquotes.

YoucanlaterchangethepasswordfortheviadminuserusingtheLinuxpasswdcommand. vMAisnowconfiguredandpromptsyoutologinasviadmin.Asviadmin,youcanaddserverstovMAand runcommandsfromthevMAconsole.

Configure vMA for Active Directory Authentication

ConfigurevMAforActiveDirectoryauthenticationsothatESXandvCenterserversaddedtoActiveDirectory canbeaddedtovMAwithouthavingtostorethepasswordsinvMAscredentialstore.Thisisamoresecure wayofaddingtargetstovMA. EnsurethattheDNSserverconfiguredforvMAisthesameastheDNSserverofthedomain.Ifyouwantto changetheDNSserver,youcanusethefollowingcommand:
sudo system-config-network-tui

EnsurethatthedomainisaccessiblefromvMA.Also,ensurethatyoucanpingthevCenterserversystemsthat youwanttoaddtovMAandthatpingingresolvesthevCenterIPaddressto<VCservername.domainname>, wheredomainnameisthedomaintowhichvMAistobeadded. To add vMA to a domain 1 FromthevMAconsole,runthefollowingcommand:

sudo domainjoin-cli join <domain-name> <domain-admin-user>

Whenprompted,providetheActiveDirectoryadministratorspassword. Onsuccessfulauthentication,thecommandaddsvMAasamemberofthedomain.Thecommandalso addsentriesinthe/etc/hostsfilewithvmaHostname.domainname.

RestartvMA. Now,youcanaddanActiveDirectorytargettovMA.Forstepstodothis,seeAddTargetServersto vMAonpage 16.

To check vMA's domain settings FromthevMAconsole,runthefollowingcommand:

sudo domainjoin-cli query

ThecommanddisplaysthenameofthedomaintowhichvMAhasjoined.

14

VMware, Inc.

Chapter 2 Getting Started with vMA

To remove vMA from the domain FromthevMAconsole,runthefollowingcommand:

sudo domainjoin-cli leave

ThevMAconsoledisplaysamessagestatingwhethervMAhaslefttheActiveDirectorydomain.

Configure Unattended Authentication for Active Directory Targets

Toconfigureunattendedauthentication(authenticationfromviadminorrootcontext)toActiveDirectory targets,youmustrenewtheKerberosticketsforthedomainuserusingwhichthetargetisadded. To configure unattended authentication for Active Directory targets 1 2 OnanyWindowsServer2003computerthatispartofthedomaintowhichvMAisadded,downloadand installtheKtpasstoolfromtheMicrosoftWebsite. Openthecommandpromptandrunthefollowingcommand:
ktpass /out foo.keytab /princ foo@VMA-DC.ENG.VMWARE.COM /pass ca... /ptype KRB5_NT_PRINCIPAL -mapuser <vma-dc>\<foo>

where,<vmadc>isthenameofthedomainandfooistheuserhavingpermissionsforthevCenter administration. Thiscommandcreatesafilecalledfoo.keytab. 3 Movethefoo.keytabfileto/home/local/VMA-DC/foo. YoucanuseWinSCPandloginasuservma-dc\footomovethefile. 4 (Optional)Makesurethattheuservmadc\fooonvMAownsthefoo.keytabfilebyusingthefollowing commands:

ls -l /home/local/VMA-DC/foo/foo.keytab chown vma-dc\foo/home/local/VMA-DC/foo/foo.keytab

OnvMA,createascriptin/etc/cron.hourly/kticket-renewwiththefollowingcontents:
#!/bin/sh su - vma-dc\\foo -c '/usr/kerberos/bin/kinit -k -t /home/local/VMA-DC/foo/foo.keytab foo'

Thisscriptwillrenewtheticketfortheuserfooeveryhour. ForeverydomainuserwhoaddsatargettovMA,updatethisscriptinordertorenewtheticket.Also, installakeytabfileforeverysuchuser.Ifmorethanonetargetusesthesamedomainuser,thenonlyone entryissufficientforallthosetargets. Youcanalsoaddtheabovescripttoaservicein/etc/init.dtorefreshtheticketswhenvMAisbooted.

Troubleshooting Unattended Authentication

IfyouarenotabletoauthenticatefromvMAorcannotaddvMAtothedomaincontroller,verifythefollowing conditions:

YourDNSserversetupinvMAresolvestheIPaddressorhostnameofthevCenterservertoafully qualifieddomainname(FQDN)andthattheFQDNcontainsthedomainnametowhichvMAisadded. Thecommandvifp listservershowsthenameofvCenterserverastheFQDNthatcontainsthe domainnametowhichvMAisaddedasthesuffix. ThedateandtimesettingsonvMA,thedomaincontrollerandthevCenterserverarethesame.Verifythe timezoneaswell.Thetimemayvarybyanhour,butalargetimeskewmightcauseauthentication problems.

VMware, Inc.

15

vSphere Management Assistant Guide

Enable the vi-user Account

Aspartofconfiguration,vMAcreatesaviuseraccountwithnopassword.However,youcannotusethe viuseraccountuntilyouhavespecifiedaviuserpassword. IMPORTANTTheviuseraccounthaslimitedprivilegesonthetargetESX/ESXisystemsandcannotrunany viloggercommandsoranycommandsthatrequiresudoexecution. YoucannotuseviusertoruncommandsforActiveDirectorytargets(ESXorvCenter).Toruncommandsfor theActiveDirectorytargets,usethevi-adminuserorloginasanActiveDirectoryusertovMA. To enable the vi-user account 1 2 LogintovMAasviadmin. RuntheLinuxpasswdcommandforviuserasfollows:
sudo passwd vi-user

IfthisisthefirsttimeyouusesudoonvMA,amessageaboutrootuserprivilegesappears,andyouare promptedforthevMArootpassword. 3 4 IfyouarepromptedforthevMArootpassword,specifytheviadminpassword. Whenprompted,typeandconfirmthepasswordforviuser.

AftertheviuseraccountisenabledonvMA,ithasnormalprivilegesonvMAbutisnotinthesudoerslist. WhenyouaddESX/ESXitargetservers,vMAcreatestwousersoneachtarget:

viadminhasadministrativeprivilegesonthetargetsystem. viuserhasreadonlyprivilegesonthetargetsystem.vMAcreatesviuseroneachtargetthatyouadd, evenifviuserisnotcurrentlyenabledonvMA.

WhenauserisloggedintovMAasviuser,vMAusesthataccountontargetESX/ESXihosts,andtheusercan runonlycommandsontargetESX/ESXihoststhatdonotrequireadministrativeprivileges.

Add Target Servers to vMA

AfteryouconfigurevMA,youcanaddtargetserversthatrunvCenterServerversion4.0orESX/ESXi version 3.5Update2orlater. ForvCenterServersystemtargets,youmusthavethenameandpasswordofauserwhocanconnecttothat system.ForESX/ESXisystems,youmusthavetherootpassword. Seevifpaddserveronpage 24forthecompletesyntax. To add a vCenter Server system as a vMA target for Active Directory Authentication 1 2 LogintovMAasviadmin. AddaserverasavMAtargetbyrunningthefollowingcommand:
vifp addserver vc1.mycomp.com --authpolicy adauth --username ADDOMAIN\\user1

Here,authpolicyadauthindicatesthatthetargetneedstousetheActiveDirectoryauthentication. Ifyourunthiscommandwithouttheusernameoption,vMApromptsforthenameoftheuserthatcan connecttothevCenterServersystem.Youcanspecifythisusernameasshowninthefollowingexample:

Enter username for machinename.example.com: ADDOMAIN\user1

16

VMware, Inc.

Chapter 2 Getting Started with vMA

Verifythatthetargetserverhasbeenadded. Thedisplayshowsalltargetserversandtheauthenticationpolicyusedforeachtarget.
vifp listservers --long server1.mycomp.com server2.mycomp.com server3.mycomp.com vc1.mycomp.com ESX ESX ESXi vCenter adauth fpauth adauth adauth

Setthetargetasthedefaultforthecurrentsession:
vifptarget --set | -s <server>

VerifythatyoucanrunavSphereCLIcommandwithoutauthenticationbyrunningacommandonone oftheESX/ESXihosts,forexample:
vicfg-nics -l --vihost <esx_host>

Thecommandrunswithoutpromptingforauthenticationinformation. IMPORTANTIfthenameofatargetserverchanges,youmustremovethetargetserverbyusingvifp removeserverwiththeoldname,thenaddtheserverusingvifp addserverwiththenewname. To add a vCenter Server system as a vMA target for fastpass Authentication 1 2 LogintovMAasviadmin. AddaserverasavMAtargetbyrunningthefollowingcommand:
vifp addserver vc2.mycomp.com --authpolicy fpauth

Here,authpolicyfpauthindicatesthatthetargetneedstousethefastpassauthentication. 3 Specifytheusernamewhenprompted:
Enter username for machinename.example.com: MYDOMAIN\user1

Specifythepasswordforthatuserwhenprompted.
user1@machine.company.com's password: <not echoed to screen>

5 6

Reviewandacceptthesecurityriskinformation. Verifythatthetargetserverhasbeenadded. Thedisplayshowsalltargetserversandtheauthenticationpolicyusedforeachtarget.

vifp listservers --long server1.mycomp.com server2.mycomp.com server3.mycomp.com vc1.mycomp.com vc2.mycomp.com ESX ESX ESXi vCenter vCenter adauth fpauth adauth adauth fpauth

Setthetargetasthedefaultforthecurrentsession.
vifptarget --set | -s <server>

VerifythatyoucanrunavSphereCLIcommandwithoutauthenticationbyrunningacommandonone oftheESX/ESXihosts,forexample:
vicfg-nics -l --vihost <esx_host>

Thecommandrunswithoutpromptingforauthenticationinformation. IMPORTANTIfthenameofatargetserverchanges,youmustremovethetargetserverbyusingvifp removeserverwiththeoldname,thenaddtheserverusingvifp addserverwiththenewname.

VMware, Inc.

17

vSphere Management Assistant Guide

To add an ESX/ESXi host as a vMA target 1 2 LogintovMAasviadmin. RunaddservertoaddaserverasavMAtarget.

vifp addserver <servername>

Youarepromptedforthetargetserversrootuserpassword.
root@<servername>s password:

SpecifytherootpasswordfortheESX/ESXihostthatyouwanttoadd. vMAdoesnotretaintherootpassword.Instead,vMAaddsviadminandviusertotheESX/ESXihost, andstorestheencryptedpasswordsthatitgeneratesforthoseusersintheVMwarecredentialstore. InavSphereclientconnectedtothetargetserver,theRecentTaskspaneldisplaysinformationaboutthe usersthatvMAadds.ThetargetserversUsersandGroupspaneldisplaystheusersifyouselectit. CAUTIONRemoveusersaddedbyvMAfromthetargetserveronlyifyoudeletedthevMAvirtual machinebutdidnotremovethetargetservers.

Verifythatthetargetserverhasbeenadded:
vifp listservers

Setthetargetasthedefaultforthecurrentsession.
vifptarget --set | -s <server>

VerifythatyoucanrunavSphereCLIcommandwithoutauthenticationbyrunningacommand,forexample:
vicfg-nics -l

IMPORTANTIfthenameofatargetserverchanges,youmustremovethetargetserverusingvifp removeserverwiththeoldname,thenaddtheserverusingvifp addserverwiththenewname.

Running vSphere CLI for the Targets

Ifyouhaveaddedmultipletargetservers,bydefault,vMAexecutescommandsonthefirstserverthatyou added.Youshouldspecifytheserverexplicitlywhenrunningcommands. To run vSphere CLI for the targets 1 AddserversasvMAtargets.
vifp addserver <server1> vifp addserver <server2>

Runvifptarget.
vifptarget -s <server2>

Thecommandinitializesthespecifiedtargetserver.Now,thisserverwillbetakenasthedefaulttargetfor thevSphereCLIorvSphereSDKforPerlscripts. 3 Verifythatthetargetserverhasbeenadded:

vifp listservers

InitializevifastpassforuseofvSphereSDKforPerlandvSphereCLIscriptsonthetargetserver.
vifptarget --set | -s <server>

RunvSphereCLIorvSphereSDKforPerlscripts,byspecifyingthetargetserver.Forexample:
vicfg-nics --server server2 --list

UsethefollowingcommandforanActiveDirectorytarget:
vicfg-nics -l --vihost <esx_host>
18 VMware, Inc.

Chapter 2 Getting Started with vMA

Reconfigure a Target Server

Youcanreconfigureatargetserverifyouwanttoperformanyofthefollowingtasks:

ChangetheauthenticationmodeofavMAtargetfromvifastpasstoActiveDirectoryorviceversa. ChangetheconfigureduserfortheActiveDirectorytarget. Recoverusersforthevifastpasstarget.AuserneedstoberecoveredifthecredentialstoreonvMAis corruptedorifthecredentialsofuserscorrespondingtovMAusersaremodifiedandnotreflectedinvMA.

To change the authentication policy 1 2 LogintovMAasviadmin. Runreconfigure

vifp reconfigure <servername> --authpolicy <authpolicy>

Whenprompted,specifytherootusernameonthetargetserver.

To change the configured user or to recover users 1 2 LogintovMAastheadministratoruser(viadmin). Runreconfigure.

vifp reconfigure <servername>

Whenprompted,specifytherootusernameonthetargetserver.

Remove Target Servers from vMA

BeforeyoudeleteavMAvirtualmachine,removealltargetserversfromvMA.Ifyoudonotremovetarget ESX/ESXihosts,theviadminandviuserusersremainonthetargetservers. To remove a vCenter Server system from vMA 1 2 LogintovMAasauserthatcanconnecttothevCenterServersystem. ToremoveatargetvCenterServersystemfromvMA,runthefollowingcommand:
vifp removeserver <servername>

ThevCenterServersystemisnolongeravMAtarget. To remove an ESX/ESXi host from vMA 1 2 LogintovMAasviadmin. ToremoveanESX/ESXihostthatisavMAtarget,runthefollowingcommand:

vifp removeserver <host>

TheRecentTaskspanelofthetargetserverdisplaysinformationabouttheviadminandviuserusersthat arebeingremoved.TheUsersandGroupspanelofthetargetservernolongerdisplaystheusers.

Modifying Scripts
YoucanmodifyserviceconsolescriptstorunfromvMA.

LinuxcommandsScriptsrunninginvMAcannotuseLinuxcommandsinthewaythattheydoonthe ESXserviceconsole.TheLinuxinstallationisrunningonvMA,notontheESX/ESXihost. AccesstoESX/ESXifilesIfyouneedaccesstofoldersorfilesonanESX/ESXihost,youcanmakethat hostatargetserverandusethevifsvSphereCLIcommandtoview,retrieve,ormodifyfoldersandfiles.

VMware, Inc.

19

vSphere Management Assistant Guide

ReferencestolocalhostScriptscannotrefertolocalhost.

IfvMAhasonlyonetargetserverinitializedforvifastpass,allcommandsapplytothattargetserver. IfvMAhasmultipletargetserversinitializedforvifastpass,specifythehostnameortheIPaddress forthetargetserver.

ProgrammaticconnectionInPerlscriptsorJavaprograms,youcancallVmaTarget.login() method of vMATargetLibandspecifythehosttoconnectto.Thedirectory/opt/vmware/vma/samplescontains examplesinPerlandJava.vMAhandlesauthenticationiftheserverhasbeenestablishedasatarget server.Programscanusevifpliblibrarycommands.SeeUsingtheVmaTargetLibLibraryonpage 32. NoprocnodesSomeserviceconsolescriptsstilluseVMwareprocnodes,whichwereofficiallymade obsoletewithESXServer3.0andarenotavailableinESX/ESXi4.0andlater.Youcanextractinformation thatwasavailableinVMwareprocnodesusingthevSphereCLIcommandsavailableonvMA. TargetspecificationYoumustspecifythetargetserverwhenyouruncommandsorscripts.

Table 21liststhevMAcomponentsthatyoucanuseformodifyingscriptsthatincludeprocnodesandLinux commands. Table 2-1. vMA Components for Use in Scripts
vMA Component vSphereCLIcommands vifsvSphereCLI command vSphereSDKforPerl Description ManageESX/ESXihostsandvirtualmachines. Performcommonoperations,suchascopy,remove, get,andput,onfilesanddirectories. AccessthevSphereAPI,aWebservicesbasedAPIfor managing,monitoring,andcontrollingthelifecycleof allvSpherecomponents. Performcommonadministrativetasks. For more information vSphereCommandLineInterface InstallationandReferenceGuide. vSphereCommandLineInterface InstallationandReferenceGuide. vSphereSDKforPerlProgramming Guide. vSphereSDKforPerlUtility ApplicationsReference. CommandsareonvMAin /usr/lib/vmware-vcli/apps vSphereSDKforPerlWS Managementcomponent AccessCIM/SMASHdata.ESX/ESXisupportsmany SystemsManagementArchitectureforServer Hardware(SMASH)profiles,enablingsystem managementclientapplicationstocheckthestatusof underlyingservercomponentssuchasCPU,fans, powersupplies,andsoon. vSphereSDKforPerlProgramming Guide.

vSphereSDKforPerl utilityapplications

Shut Down vMA

BeforeyoupoweroffvMA,shutdownthevirtualmachine. To shut down the vMA virtual machine 1 2 ShutdowntheoperatingsystemusingaLinuxcommandsuchasthehaltcommandonthevMA commandline. PoweroffthevMAvirtualmachineusingthevSphereClient.

Delete vMA
IfyouintendtodeployanewerversionofvMA,orifyounolongerneedvMA,youcandeletethevMAvirtual machine. IMPORTANTIfyoudeletevMAwithoutremovingallservers,theviadminandviuserusersremainonthe targetESX/ESXihosts.ThenexttimeyouaddthehosttoavMAinstance,vMAcreatesausernamewitha differentnumericextension.

20

VMware, Inc.

Chapter 2 Getting Started with vMA

To delete the vMA virtual machine 1 2 3 4 RemoveallvMAtargetserversyouadded.SeeRemoveTargetServersfromvMAonpage 19. ShutdownvMA. PoweroffthevirtualmachinebyusingthevSphereClient. InthevSphereClient,rightclickthevirtualmachineandselectDeletefromDisk.

Troubleshooting vMA
YoucanfindtroubleshootinginformationforallVMwareproductsinVMwareKnowledgeBasearticlesand informationaboutvMAknownissuesinthereleasenotes.Table 22explainsafewcommonlyencountered issuesthatareeasilyresolved. Table 2-2. Troubleshooting vMA
Issue YoucandeployvMAbutwhenyoustartupthevirtual machine,anerroroccurs. YouaddaserverbutthevSphereCLIcommandorPerl scriptstillpromptsforauthentication. Youhaveaddedmultipleservers.Youdonotknow wherevMArunsvSphereCLIcommandsifyoudonot specify--server. YouwanttoenableDNSresolutioninvMA. Resolution Checkwhetheryoursetupmeetsthehardwareandsoftware requirementslistedinHardwareRequirementson page 12. Runviftargetforthetargetserver. Afteracalltovifptarget,yourpromptchangestoinclude thecurrenttarget. YoucanconfiguretheDNSresolutionnameserverforvMA byupdatingthe/etc/resolv.conffile.Addthefollowing lineforeachDNSserverinyournetwork: nameserver <dns server ip address> Typeman resolv.conffordetailsonthatfile. IfvMAissetupforDHCP,andthenetworkisrestarted, changesyoumadeto/etc/resolv.confarelost. ProblemswhileaddingActiveDirectorytarget orconfiguringvMAforActiveDirectory. IfyouareunabletoauthenticatefromvMAorcannotadd vMAtothedomaincontroller,checkthefollowing:

YourDNSserversetupinvMAresolvestheIPaddressor hostnameofthevCenterservertoanFQDNandthe FQDNcontainsthedomainnametowhichvMAis added. Thevifp listservercommandshowsthenameof vCenterastheFQDNthatcontainsthedomainnameto whichvMAisaddedasthesuffix. ThedateandtimesettingsonvMA,thedomain controllerandvCenterServerareidentical.Checkthe timezoneaswell.Thetimemaynotexactlybethesame butmayvarybyanhour.However,alargeskewinthe timemaycauseauthenticationproblems.

VMware, Inc.

21

vSphere Management Assistant Guide

22

VMware, Inc.

vMA Interfaces

vMAinterfacesallowyoutoinitializevifastpass,add,remove,andlisttargetservers,managepasswords,and managetheviloggervMAcomponent.TheinterfacesareavailableasPerlcommandsandJavamethods. Thischapterincludesthefollowingtopics:

vMAInterfaceOverviewonpage 23 vifptargetCommandforvifastpassInitializationonpage 24 vifpTargetManagementCommandsonpage 24 TargetManagementExampleSequenceonpage 28 viloggerDaemonandLogManagementCommandsonpage 28 UsingtheVmaTargetLibLibraryonpage 32 VmaTargetLibReferenceonpage 32

vMA Interface Overview

Table 31showswhichinterfacesincludewhichcommandandmethod. Table 3-1. vMA Interface Overview
Interface / Library vifptarget vifp (administrative interface) Commands vifptarget addserver removeserver rotatepassword listservers reconfigure vilogger (logginginterface) enable disable updatepolicy list VmaTargetLib (library) enumerate_targets query_target login logout enumerateTargets queryTarget login logout UsingtheVmaTargetLibLibraryon page 32. viloggerDaemonandLog ManagementCommandsonpage 28. Methods For More Information vifptargetCommandforvifastpass Initializationonpage 24. vifpTargetManagementCommands onpage 24.

VMware, Inc.

23

vSphere Management Assistant Guide

vifptarget Command for vi-fastpass Initialization

Youcanrunthiscommandtoperformthefollowingtasks:

InitializevifastpassforthevSphereCLIandthevSphereSDKforPerl. Resetfastpasstarget Displaytheinitializedfastpasstarget

Usage
vifptarget --set | --clear | --display | --help | -s <server> -c -d -h

Description ThevifptargetcommandenablesseamlessauthenticationforremotevSphereCLIandvSphereSDKforPerl commands. Youcanestablishmultipleserversastargetservers,andthencallvifptargetoncetoinitializeallserversfor vifastpassauthentication.Youcanthenruncommandsagainstanytargetserverwithoutadditional authentication.Youcanusethe--serveroptiontospecifytheservertoruncommandson. ThevMApromptdisplaysthecurrentdefaultexecutionserver.Ifyouremovethatdefaultserver,theprompt doesnotchangeuntilyouhaveexplicitlychangedtoadifferentdefaultexecutionserver. WhilehostsremaintargetserversacrossvMAreboots,youmustrunvifptargetaftereachlogouttoenable vifastpassforvSphereCLIandvSphereSDKforPerlcommands. Options
Option set display clear help Description Initializesthefastpasstarget. Displaystheinitializedfastpasstarget. Resetsthefastpasstarget. Displayhelpforthecommand.

Example vifptarget --set | -s <server> Initializesthefastpasstarget. vifptarget --display | -d Displaystheinitializedfastpasstarget. vifptarget --clear | -c Resetsthefastpasstarget.

vifp Target Management Commands

Thevifpinterfaceallowsadministratorstoadd,list,andremovetargetserversandtomanagetheviadmin userspassword.

vifp addserver
AddsavCenterServerorESX/ESXisystemasavMAtargetserver.

24

VMware, Inc.

Chapter 3 vMA Interfaces

Usage
vifp addserver <server> [--authpolicy <fpauth | adauth>] [--protocol <http | https>] [--portnumber <portnum>] [--servicepath <servicepath>] [--username <username>] [--password <password>]

Description AfteraserverisaddedasavMAtarget,youmustrunvifptarget <server>beforeyourunvSphereCLI commandsorvSphereSDKforPerlscriptsagainstthatsystem.ThesystemremainsavMAtargetacrossvMA reboots,butrunningvifptargetagainisrequiredaftereachlogout.SeevifptargetCommandforvifastpass Initializationonpage 24. Afteryourunvifptarget,youcanrunvSphereCLIorvSphereSDKforPerlcommandsandscriptsandyou arenolongerpromptedforauthenticationinformation,asfollows:

IfyouaddavCenterServersystemasavMAtarget,youcanrunmostcommandsonallESX/ESXisystems thatthevCenterServersystemmanagesusingthevSphereCLI--vihostoption.ThevSphereCLI InstallationandReferenceGuideincludesatablethatshowswhichcommandscannottargetavCenter Serversystem. IfyouaddonlyoneESX/ESXihost,youcanruncommandswithoutspecifyingthetarget. IfyouaddmultipleESX/ESXihosts,specifythetargettoavoidconfusion.

SeeAddTargetServerstovMAonpage 16andRunningvSphereCLIfortheTargetsonpage 18. IMPORTANTIfyouchangeatargetserversname,youmustremoveit,andthenaddittovMAwiththenew name. Options

Option server authpolicy protocol portnumber servicepath username Description NameorIPaddressoftheESX/ESXiorvCenterServersystemtoaddasavMAtarget. SetstheauthenticationpolicytofastpassauthenticationortheActiveDirectory authentication. Connectionprotocol.HTTPSbydefault. Connectionportnumberofthetargetserver.Thedefaultis443. ServicepathURLofthetargetserver.Thedefaultis/sdk. Userwhoconnectstothetargetserver. IfthetargetserverpointstoanESX/ESXisystem,thedefaultisroot.Theusermusthave superuserprivilegesontheESX/ESXihost. IfthetargetserverpointstoavCenterServersystem,thereisnodefault.Youare promptedforausernameifyoudonotspecifyoneusingthisoption.Theusermusthave privilegestoconnecttothevCenterServersystem. password Passwordoftheuserspecifiedbyusername.

Example
vifp addserver my_vCenter

AddsavCenterServersystemasavMAtarget.Youarepromptedforausernameandpassword.Theuser musthaveloginprivilegesonthevCenterServersystem.
vifp addserver myESX42

AddsanESX/ESXisystemtovifastpass.Youarepromptedfortherootpasswordforthetargetsystem.

VMware, Inc.

25

vSphere Management Assistant Guide

vifp removeserver
RemovesaspecifiedvMAtargetthatwaspreviouslyaddedwithvifp addserver. IfthetargetisanESX/ESXisystem,youneedsuperuserprivilegesforremoval.IfthetargetisavCenterServer system,anyuserwithconnectionprivilegescanremovethetarget.Youonlyhavetospecifythe<server> option,withoutthepassword. Usage
vifp removeserver <server> [--protocol <http | https>] [--portnumber <portnum>] [--servicepath <servicepath>] [--username <username>] [--password <password>] [--force]

Description Runvifp removeserverforeachvMAtargetbeforeyoudeletethevMAinstance.Ifyoudonotrunvifp removeserver,theviuserandviadminusersremainonthetargetserver.Ifyoulateraddaserveronwhich viadminandviuseralreadyexist,tovMA,vMAusesreplacementusernamesforthoseaccounts.Runvifp removeservertoavoidhavingmultipleuserscreatedbyvMAoneachtargetserver. Options

Option server protocol portnumber servicepath username Description NameorIPaddressoftheESX/ESXiorvCenterServersystemtoremove. Connectionprotocol.HTTPSbydefault. Connectionportnumberofthetargetserver.Thedefaultis443. ServicepathURLofthetargetserver.Thedefaultis/sdk. Userwhoconnectstothetargetserver. ForESX/ESXisystems,thedefaultisrootandtheusermusthavesuperuserprivilegesonthe targetserver. password force Passwordoftheuserspecifiedby--username.Usethepasswordyouusedwhenaddingthe server. Forcesremovaloftheserver.

Examples
vifp removeserver <vCenter_Address>

RemovesavCenterServersystem.Youarenotpromptedforapassword.
vifp removeserver <esx_Address>

RemovesanESX/ESXisystem.

vifp rotatepassword
Specifiesviadminandviuserpasswordrotationparameters. IMPORTANTThiscommandappliesonlytoESX/ESXitargetservers.YoucannotrotatepasswordsforvCenter Serversystems. Usage
vifp rotatepassword [--now [--server <server>] | --never | --days <days>]
26 VMware, Inc.

Chapter 3 vMA Interfaces

Description vMAchangespasswordsforviadminandviuserbothinthelocalcredentialstoreandonthetargetserver. vMAattemptsthepasswordrotationatmidnight. IfoneormoreofthetargetserversisdownwhenvMAattemptspasswordrotation,vMArepeatstheattempt thenextdayatmidnight. Options

Option now server never days Description Immediatelyrotatesthepasswordforallserversoraspecifiedserver. ESX/ESXihostforwhichyouwanttorotatethepassword.Use--serveronlywith--now. Neverrotatethepasswordforanytargetserver. Rotatethepasswordforalltargetserversafterthespecifiednumberofdays.

Examples
vifp rotatepassword --now

ImmediatelyrotatespasswordsofallESX/ESXivMAtargetservers.
vifp rotatepassword --now --server <server_address>

Immediatelyrotatesthepasswordofaspecificserver.
vifp rotatepassword --days 7

SetsthepasswordrotationpolicytorotatethepasswordofallESX/ESXivMAtargetseverysevendays. Forexample,ifyouaddserver1on9/1,andserver2on9/2,andrunvifp rotatepassword --days 7,vMA rotatesthepasswordforserver1atmidnighton9/8andthepasswordforserver2atmidnighton9/9.vMA rotatestheserver1passwordagainon9/15andtheserver2passwordagainon9/16.Ifyouthenrunvifp rotatepassword --days 3,vMArotatestheserver1passwordon9/18andtheserver2passwordon9/19.
vifp rotatepassword

Displaysthecurrentpasswordrotationpolicy.

vifp listservers
Liststargetsystems. Usage
listservers [-l | --long]

Description Youcanusethiscommandtoverifythataddserversucceeded.Thiscommanddoesnotrequireadministrator privilegesonvMA. Example

vifp listservers --long

ListsallserversthatarevMAtargets,forexample:
server1.mycomp.com server2.mycomp.com server3.mycomp.com vc42.mycomp.com ESX ESX ESXi vCenter fpauth adauth fpauth adauth

VMware, Inc.

27

vSphere Management Assistant Guide

vifp reconfigure
Reconfigurestargetsystems.ThiscanbedonetochangeauthenticationpolicyortheconfiguredActive Directoryuser. Usage
reconfigure <server> [--authpolicy <fpauth | adauth>] [--protocol <http | https>] [--portnumber <portnum>] [--servicepath <servicepath>] [--username <username>] [--password <password>]

Description Youcanusethiscommandtoreconfiguretheauthenticationpolicyortheusers.Thiscommandcanberunonly byadministrators. Options

Option server authpolicy protocol portnumber servicepath username Description NameorIPaddressoftheESX/ESXiorvCenterServersystemtobereconfigured. IndicatesifthetargetusesthefastpassauthenticationortheActiveDirectory authentication. Connectionprotocol.HTTPSbydefault. Connectionportnumberofthetargetserver.Thedefaultis443. ServicepathURLofthetargetserver.Thedefaultis/sdk. Userwhoconnectstothetargetserver. IfthetargetserverpointstoanESX/ESXisystem,thedefaultisroot.Theusermusthave superuserprivilegesonthetargetserver. IfthetargetserverpointstoavCenterServersystem,thedefaultuseristheone configuredforthevCentersystemintheprevioussession.Forexample,ifvCenterwas addedorreconfiguredwiththeusernameadministratorintheprevioussession,the defaultuserforthevifp reconfigurecommandisadministrator. password Passwordoftheuserspecifiedbyusername.

Target Management Example Sequence

ThefollowingsequenceofcommandsaddsanESXhost,listsservers,runsvifptargettoenablevifastpass, runsavSphereCLIcommand,andremovestheESXhost.
vifp addserver server1.company.com root@server1.company.coms password: <password, not echoed to screen> vifp listservers server1.company.com ESX vifptarget --set server1.company.com vicfg-mpath --list cdrom vmhba0:1:0 (0MB has 1 paths and policy of fixed Local 0:7:1 vmhba0:1:0 On active preferred ..... vifp removeserver server1.company.com root@server1.company.coms password: <password, not echoed to screen>

vilogger Daemon and Log Management Commands

YoucanusetheviloggerinterfacetohavevMAcollectlogfilesfromthetargetESX/ESXiorvCenterServer hostsaccordingtothespecifiedlogpolicy.Youcanmanagethedaemonusingthedaemonmanagement interfaceandspecifythelogpolicyusingtheviloggerCLIs.

28

VMware, Inc.

Chapter 3 vMA Interfaces

Management Service Interface for vilogd

Thevilogddaemonperformsthelogcollection.ThedaemonstartseachtimevMAboots. Youcanstoporrestartthedaemonatanytimeifyouareloggedinasviadmin.Table 32liststhecommands thatyoucanusetoperformtheseactivities. Table 3-2. vilogd Daemon Commands
Command sudo sudo sudo /sbin/service /sbin/service /sbin/service vmware-vilogd vmware-vilogd vmware-vilogd status start stop restart Action Startsthevilogddaemon. Stopsthevilogddaemon. Restartsthevilogddaemon. Displaysthestatusofthevilogddaemon.

/sbin/service

vmware-vilogd

vilogger enable
EnableslogcollectionforthespecifiedvMAtarget. Usage
vilogger enable [--server <vMA_target>] [--logname <logname>] [--collectionperiod <period_in_seconds>] [--numrotation <rotation>] [--maxfilesize <size_in_MB>]

Description YoucanenableloggingforasingletargetorforallvMAtargets.You canalsoenableloggingselectivelyfor specificlogfiles.Bydefault,loggingisdisabledforatargetwhenyouaddittovMAandmustbeenabled explicitly. Bydefault,vilogdplacesthelogsin/var/log/vmware.Tospecifyadifferentloglocation,makechangesto the/etc/vmware/vMA/vMA.conffile.Whenyoustartvmware-vilogdthenexttime,itplacesthelogsinthe newlocationifviadminhasaccesstoit.Seeviloggerlistonpage 31foralistingofthelogscollectedonESX, ESXi,andvCenterServersystems. Options
Option server logname collectionperiod maxfilesize numrotation Description IPaddressornameofthevMAtargettoenablelogcollectionfor.EnablesloggingforallvMA targetsbydefault. Logthatyouwanttoenable.Enablesalllogsbydefault.Youcandisplaythelistofthelogsusing vilogger list. Logsarecollectedatregularintervals.Thisoptionspecifiestheinterval,inseconds.Specifya numberbetween10and3600.Thedefaultis10. Maximumsizeofthelogfilebeforerollover,inMB.Specifyanumberbetween1and1024.The defaultis5MB. Numberoflogfilestokeepbeforetheoldestfileisoverwritten.Specifyanumberbetween 1 and1024.Thedefaultis5.

Examples
vilogger enable

EnableslogcollectionforallvMAtargetsbyusingthedefaultvaluesforcollectionperiod,logrotation,and logsize.
vilogger enable --server myServer42

VMware, Inc.

29

vSphere Management Assistant Guide

EnableslogcollectionforthemyServer42vMAtargetusingdefaultvaluesforcollectionperiod,logrotation, andlogsize.
vilogger enable --server myServer42 --logname messages

Enableslogcollectionforthe/var/log/messageslogforthemyServer42ESX/ESXisystemusingthedefault valuesforcollectionperiod,logrotation,andlogsize.
vilogger enable --collectionperiod 60

EnableslogcollectionforallvMAtargetserversusingacollectionperiodof60seconds.
vilogger enable --numrotation 8

EnableslogcollectionforallvMAtargetserverswithlogrotationsetto8.
vilogger enable --maxfilesize 10

EnableslogcollectionforallvMAtargetserverswiththemaximumlogfilesizesetto10MB.

vilogger disable
DisableslogcollectionforavMAtarget. Usage
vilogger disable [--server <server>] [--logname <logname>] [--force]

Description DisablesalllogcollectionforaspecifiedvMAtargetorforallvMAtargets.Thecommandalsoallowsyouto disableloggingforspecificlogfiles. Whentheserverisunreachable,vilogger disablefails.Usevilogger disable --forcetodisable loggingforunreachablehosts. Options

Option server logname force Description NameorIPaddressofthevMAtargettodisablelogcollectionfor.DefaultisallvMAtargets. Logthatyouwanttodisable.Disablesalllogsbydefault.Youcandisplaythelistusingvilogger list. Forcesdisablingoflogging.WhenvMAcannotreachthetargetserver,vilogger disablefails.Use vilogger disable --forcetodisableloggingforthetargetserver.

Examples
vilogger disable --server myserver42 --logname messages

Disableslogcollectionforthe/var/log/messageslogforthemyserver42ESX host.
vilogger disable --server myserver42

Disablesalllogcollectionforthemyserver42ESXhost.
vilogger disable

Disablesalllogcollection.

30

VMware, Inc.

Chapter 3 vMA Interfaces

vilogger updatepolicy
Customizeslogcollectionparameters. Usage
vilogger updatepolicy [--server <server>] [--logname <logname>] [--collectionperiod <period_in_seconds>] [--numrotation <rotation>] [--maxfilesize <size_in_MB>]

Description Allowsyoutospecifythenumberofrotations,collectionperiod,andmaximumlogsizeforaspecificserver orforallservers.Thiscommandchangescollectionpoliciesonlyforlogsthatarealreadyenabled. Options

Option server logname collectionperiod maxfilesize numrotation Description NameorIPaddressofthevMAtargettosetcollectionparametersfor.DefaultisallvMAtargets. Logtochangecollectionparametersfor.Defaultisalllogsenabledforthespecifiedserveror servers.Youcandisplaythelistofavailablelogsusingvilogger list. Logsarecollectedatregularintervals.Thisoptionspecifiestheinterval,inseconds.Specifya numberbetween10and3600.Defaultis 10. Maximumsizeofthelogfilebeforerollover,inMB.Specifyanumberbetween1and1024. Defaultis5MB. Numberoflogfilestokeepbeforetheoldestfileisoverwritten.Specifyanumberbetween1and 1024.Defaultis5.

Examples
vilogger updatepolicy --server myserver42 --logname messages --collectionperiod 30

Updatesthelogcollectionperiodto30secondsforpreviouslyenabledlogs.
vilogger updatepolicy --server myserver42 --maxfilesize 7

UpdatesthemaximumlogfilesizeforallenabledlogsforthespecifiedESX/ESXisystem(myserver42)to7MB.

vilogger list
Listsavailablelogscollectedbythevilogddaemon. Usage
vilogger list [--server <server>] [--logname <logname>]

Description Liststhenamesofalllogsavailableforcollectionfromalltargetserversorfromthespecifiedtargetserver. The commandliststhelogfilesandwhetherlogcollectionisenabledordisabledforeachlog. Ifloggingisenabled,thelistcommandalsodisplaysthefollowinginformation:

LocationofthefilewherethecollectedlogsarestoredinvMA Collectionperiod Numberoflogrotationstomaintain Maximumsizethelogfilecangrowtobeforeitisrotated.

VMware, Inc.

31

vSphere Management Assistant Guide

ThefollowinglogsareavailableforVMwareESXsystems:

/var/log/messages(containsserviceconsoleanduserleveldaemonmessages,butnoVMkernel messages.) /var/log/vmkernel /var/log/vmksummary /var/log/vmkwarning hostd.log (hostagentlog) vpxa.log(vCenterServeragentlog;includedifthesystemismanagedbyavCenterServersystem)

ThefollowinglogsareincludedforVMwareESXisystems.

/var/log/messages (VMkernellogsandwarnings,hostdaemonmessages,andotheruserlevel daemonmessages).Themessageslogcontainsthesameinformationthatyoucanfindinthevmkernel, vmkwarnings,andhostdlogsonESXsystems.ThevmksummarylogdoesnotexistonESXisystem. hostd.log (hostagentlog) vpxa.log(vCenterServeragentlog;includedifthesystemismanagedbyavCenterServersystem)

ForvCenterServersystems,viloggercollectsonlyvpxd.logfiles.IfavCenterServersystemisthevMAtarget, viloggerdoesnotautomaticallycollectthelogfilesoftheESX/ESXihoststhevCenterServersystemmanages. vMAdoesnotcollectlogfilesforvirtualmachines. Example

vilogger list

ListstheloggingstatusforallvMAtargetservers.

Using the VmaTargetLib Library

TheVmaTargetLib libraryallowsyoutoprogrammaticallyconnecttovMAtargetsbyusingPerlorJava. This sectionexplainshowtouseVmaTargetLib toconnecttoasingletargetormultipletargets. AgentscanlinkwithVmaTargetLib andusevifastpassfunctionality.Thelibraryimplementsthemethodsin VmaTargetLibReferenceonpage 32.SeetheVIFPLIB javalibraryforamoredetailedreferencetotheJava interface.Youcanfindsamplesin/opt/vmware/vma/samples. Thevifpliblibraryallowsyoutoenablevifastpassauthenticationandtoqueryorlistmultipletargetswith thefollowingcommands:

EnumerateTargetsRetrievesalistofallserversthatarevMAtargets. QueryTargetRetrievesconnectioninformationfortargetservers. LoginConnectstothetargetservers. LogoutLogsyououtofthetargetserver.

VmaTargetLib Reference
YoucanusethefollowingVmaTargetLibcommandsinPerlorJavaprograms.

Enumerating Targets
Usage Perl Java
enumerate_targets() enumerateTargets()

32

VMware, Inc.

Chapter 3 vMA Interfaces

Description ReturnsalistofalltargetvCenterServerorESX/ESXisystemsaddedtothevMAinstancebyusingvifp addserver. Options None Returns Returnsalistofalltargetservers.

Querying Targets
Usage Perl Java Description Allowsthecaller,forexample,anagent,toretrievelogincredentialsfromavMAtargetandtousethose credentialstoconnecttothevMAtarget. Options
Option servername Description OneoftheserversaddedtothisvMAinstanceusingvifp addserver.CanbeanESX/ESXi systemoravCenterServersystem. query_target (<servername>) queryTarget (string <servername>)

Returns ReturnsaspecificvMAtargetserver.

Programmatic Login
Usage Perl Java Description Allowsaprogramtologintoatargetserverprogrammatically. Options
Option service svcRef servername Language Java Java Java,Perl Description Javaserviceinstance. JavaserviceManagedObjectReference. OneoftheserversaddedtothisvMAinstanceusingvifp addserver. VmaTarget.login() VmaTarget.login()

Returns ReturnsavMAtargetsessionthattheagentcanusetoruncommandsonthehost.

VMware, Inc.

33

vSphere Management Assistant Guide

Programmatic Logout
Usage Perl Java Description Allowsaprogramtologoutofatargetserverprogrammatically. Options None
VmaTarget.logout() VmaTarget.logout()

34

VMware, Inc.

Appendix: Updating vMA with vma-update

vMAincludesthevma-updateutility,whichcandownloadsoftwareupdatesincludingsecurityfixesfrom VMwareandcomponentsincludedinvMA,suchastheEnterpriseLinuxandJRE.Nootherupdate mechanismsareavailableforvMA. Thisappendixincludesthefollowingtopics:

Introductiontovmaupdateonpage 35 Usevmaupdateonpage 35 UsevmaupdatewithUpdateDepotsonpage 37 vmaupdateTroubleshootingonpage 37

Introduction to vma-update
Youcanusevma-updatetoperformthefollowingtasks:

DownloadpatchesforvMA. UpgradevMA4.0tovMA4.1.

IMPORTANTYoucannotusevma-updatetoupgradeVIMA1.0tovMA4.1.Youalsocannotusevma-updateto
upgradeVMwareTools.YouneedtoupgradeVMwareToolsmanually.

VMwarehostsadepotofvMAupdatesonline.TheURLoftheupdatedepotisspecifiedinthe /etc/vmware/esxupdate/vmaupdate.conffile. VMwarenotifiescustomerswhenvMAupdatesbecomeavailable.Customerscanthenevaluatewhetherthey wantthecurrentsetofupdates,andcaninstallit.Laterupdatesincludechangesmadebyallpreviously releasedupdates. YoucanconnecttothedepotURLdirectlyorspecifyaproxyserverinthe /etc/vmware/esxupdate/vmaupdate.conffile.Ifnoproxyserverisspecified,vma-updaterequiresadirect connectiontotheInternet.

Use vma-update
Youcanusevma-updatetoscanforupdatesandtoinstallupdates. Ifyouwanttospecifyaproxyserver,editthe/etc/vmware/esxupdate/vmaupdate.conffilebeforeyouuse vma-update.Forexample:
# Proxy settings # Uncomment these options if a proxy is required to access the # URL specified in vma.depot #proxy = http://proxy.example.com #proxyport = 12345
VMware, Inc. 35

vSphere Management Assistant Guide

To get information on a patch bulletin 1 2 LogintovMAasviadmin. Runoneofthefollowingcommands:

sudo vma-update info

Thiscommandgetsinformationaboutthebulletinintheonlinedepot.
sudo vma-update info --bundle=<offline-bundlezip-url>

Here,<offline-bundlezip-url>specifiestheURLtotheZIPfileinthelocaldepot. Thiscommandgetsinformationaboutthebulletininthelocaldepot. 3 (Optional)Ifprompted,providetheviadminpassword. vMAlistsapplicablebulletinswithupdates. To scan for updates 1 2 LogintovMAasviadmin. Runthefollowingcommand:

sudo vma-update scan

Thiscommandscansthebulletinintheonlinedepot.
sudo vma-update scan --bundle=<offline-bundlezip-url>

Here,<offline-bundlezip-url>specifiestheURLtotheZIPfileinthelocaldepot. 3 (Optional)Ifprompted,providetheviadminpassword vMAlistsapplicablebulletinswithupdates. To update vMA 1 2 LogintovMAasviadmin. Runvma-updatetoinstallallupdatesorupdatetoaparticularversion,specifiedbybulletinID. Eachbulletinconsistsofoneormoreupdates.Laterbulletinsincludetheupdatesofpreviousbulletins.

Task ToupdatevMAtothecurrentversion. ToupdatevMAtoaspecifiedupdatelevel. Includes changesfromallprecedingupdates. Command sudo vma-update update sudo vma-update -b <bulletinID> update

Examples Thefollowingexamplesassumeadepotisavailable.
sudo vma-update scan

Listsapplicablebulletinswithupdates.
sudo vma-update -b 'vma 4.01' update

UpdatesvMAtopatchlevel4.01.
sudo vma-update update

Appliesallcurrentlyavailableupdates.

36

VMware, Inc.

Appendix: Updating vMA with vma-update

Use vma-update with Update Depots

TheESXPatchManagementGuideexplainshowyoucanuseesxupdatewithlocaldepots.Youcanuse vma-updatewithlocaldepotsaswell. To use vma-update with local depots 1 2 3 Downloadthedepottoalocalserver,asdescribedintheESX4PatchManagementGuide. Editthedepot = http://...lineinthe/etc/vmware/esxupdate/vmaupdate.conffile. Runtheupdate,asdescribedinUsevmaupdateonpage 35.

vma-update Troubleshooting
Table A1listsafewofthecommonlyencounteredissueswithvmaupdateutility. Table A-1. Troubleshooting vMA
Issue Ifyourunvma-update,andtheURLspecifiedinthe /etc/vmware/esxupdate/vmaupdate.conffileis wrong,thefollowingmessageappears: Encountered error MetadataDownloadError:...Failed to download metadata. vma-updateresultsinanerror. Seetheexitcodesanderrormessagesforesxupdateutility intheESX4PatchManagementGuide. Resolution ChecktheURLandsupplyonethatpointstovMAupdates.

VMware, Inc.

37

vSphere Management Assistant Guide

38

VMware, Inc.

Index

A
adding target servers 16 addserver command 24 authentication component 8 authentication prerequisites 12

M
managing logs 31 modifying scripts 19 multiple target servers 18

N
name change 17, 18 network configuration 13 network setup 13

C
CentOS 8 configuring vMA 16

D
deleting vMA 20 deploying vMA 13 disabling logging 30 DNS resolution 21

P
passwords ESX/ESXi hosts 12 vCenter Server systems 12 proc nodes 20

E
enabling logging 29 ESX/ESXi 3.5 Update 2 12 ESX/ESXi systems, vMA target 18 example sequence 28

R
Red Hat Enterprise Linux 8 removeservers command 26 removing target servers 19 RHEL 8 root user account 12 rotatepassword command 26 rotatepassword example 27

H
hardware prerequisites 12 host name 14

I
initialization 24 insecure passwords 14

S
scripts, modifying 19 shutting down vMA 20 SMI-S 8 SNMP 8 storage required for vMA 12 sudo 12

J
Java JRE 8

L
Linux 8 list logs 31 listservers command 27 local update depots 37 localhost 20 log management commands 28 logging component 9 disabling 30 enabling 29 list 31 setting policy 31

T
target servers commands 24 multiple 18 name change 17, 18 removing 19 single 16 technical support resources 6 troubleshooting vMA 21

U
update depots 37 updating vMA 35

VMware, Inc.

39

vSphere Management Assistant Guide

V
vCenter Server systems, vMA target 16 VI CLI vifpinit 24 vifs 19 without vi-fastpass 18 vi-admin insecure password 14 privileges 16 setting password 14 vi-fastpass initialization 24 overview 8 vifp addserver 24 vifp listservers 27 vifp removeserver 26 vifp rotatepassword 26 vifp target management 24 vifpinit command 24 vifplib 32 vifs command 19 vilogd interface 29 vilogger daemon 28 disable command 30

enable command 29 list command 31 updatepolicy command 31 vi-logger component 9 vima-update 35 introduction 35 local depots 37 troubleshooting 37 using 35 vi-user privileges 16 setup 16 vMA component overview 8 getting started 11 interface overview 23 samples 9 use cases 9 vMA targets ESX/ESXi systems 18 vCenter Server systems 16 VMware Tools 8 vSphere CLI 8 vSphere SDK for Perl 8

40

VMware, Inc.