
Using DMC to Manage VMWare ESXi Servers

Dell Technical White Paper

By Madhav Karri, Sean-Marc Castruita, Sankara Gara Dell Product Group - Enterprise

Revision History
Version   Date           Author(s)
1.0       02 June 2009   Madhav Karri
1.1       08 Sep 2009    Sankara Gara
1.2       09 Sep 2009    Sankara Gara

Description: First Version. Consolidated information from two white papers and removed reference to using unsupported console. Some document formatting. Removed insecure mode section.

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. Dell, the DELL logo, PowerEdge, PowerVault, and Dell EqualLogic are trademarks of Dell, Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. 2009 Dell Inc. All rights reserved. Reproduction in any manner whatsoever without the express written permission of Dell, Inc. is strictly forbidden. For more information, contact Dell.

CONTENTS
REVISION HISTORY
INTRODUCTION
ESXI CONFIGURATION
ENABLING CIM OEM PROVIDERS
DMC CONFIGURATION
SECURE DEPLOYMENT MODE - CONNECTING TO WSMAN OVER HTTPS
PROCEDURE TO IMPORT MULTIPLE SSL CERTIFICATES IN TO DMC CONNECTION PROFILE
STEP 1: INSTALL REMOTE CLI TOOLS FROM VMWARE
STEP 2: CREATE THE MULTI-CERTIFICATE FILE
COMBINECERTS.BAT DOS BATCH FILE
SAMPLE SERVERS IP LIST FILE

Introduction
There are several common causes for DMC connectivity and health information retrieval problems with ESXi 3.5 U4 servers. These include:
1. CIM OEM Providers configuration is not enabled.
2. Invalid credentials are used in the connection profile.
3. The WSMAN protocol is not enabled in the connection profile.
4. Incorrect port settings are used in the connection profile.
5. The wrong security mode is used in the connection profile.
6. An incorrect certificate file is used in the connection profile.

To address these issues DMC needs to be configured to communicate with the ESXi servers using WSMAN and the ESXi servers need to be configured to use the correct security mode for your environment. The following sections will explain what needs to be modified on the ESXi servers as well as on the DMC console to properly manage the servers.

ESXi Configuration
Enabling CIM OEM Providers
In order to get the health information (reported in DMC Monitor) from the ESXi server, the CimOemProvidersEnabled configuration setting has to be enabled (set to value 1) and the Management Agents restarted the first time after the ESXi install. Here are the configuration steps:

1. Download and install the RCLI tools from the VMware website at http://www.vmware.com/go/remotecli/
2. Run the following VMware RCLI command:

vicfg-advcfg.pl --server <ip_address> --username <user_name> --password <password> --set 1 Misc.CimOemProvidersEnabled

3. In order for the changes to take effect, restart the Management Agents from the ESXi server Direct Console User Interface (DCUI) menu or reboot the server.

Note: You can also set the CimOemProvidersEnabled property using VI Client (Configuration -> Software -> Advanced Settings -> Misc -> Enable OEM Providers).

DMC Configuration
Secure Deployment Mode - Connecting to WSMAN over HTTPS
The following configuration is needed on DMC to connect to WSMAN running in secure mode on ESXi servers:
1. A WSMAN credential set created using Credential Manager. Only one set of credentials is needed if all of the ESXi servers have the same username/password settings.
2. Connection Profile with the WSMAN protocol enabled and the following settings applied:
   a. The credential set created in step 1.
   b. The Secure mode checkbox is checked.
   c. The Secure port textbox has the port number defined for the HTTPS service on the ESXi server. By default, this value is 443.
   d. The SSL certificate file must point to the SSL certificate (self-signed) downloaded from the ESXi server. Please refer to the section Procedure to import multiple SSL Certificates in to DMC Connection Profile below.

Note: The same Connection Profile can be used to discover multiple ESXi servers as long as the self-signed certificates (installed by default) from multiple ESXi servers are combined into a single certificate that is imported into the Connection Profile and the credentials are the same across all the ESXi servers. If all the ESXi servers have certificates generated by the same CA, importing the certificate for the CA, instead of individual certificates, into DMC Connection Profile will be sufficient.

Procedure to import multiple SSL Certificates in to DMC Connection Profile
Dell Management Console allows a user to import an SSL certificate when configuring WSMAN (in secure mode) as part of the Connection Profile.

When there is a need to discover multiple devices using WSMAN over HTTPS, the user can import into the DMC Connection Profile a single file that contains self-signed certificates (installed by default) from the different servers. The remainder of this document describes how a user can create this multi-certificate file using SSL certificates retrieved from multiple ESXi servers. This multi-certificate file can then be imported into the Connection Profile, enabling the user to discover multiple ESXi servers using a single Connection Profile (credentials are assumed to be the same across all the ESXi servers).

Note: This procedure is mainly for self-signed certificates (installed by default), although it is also valid for CA-signed certificates. If all the ESXi servers have certificates generated by the same CA, importing the certificate for the CA into DMC Connection Profile will be sufficient, instead of combining the certificates using this procedure.

Step 1: Install Remote CLI tools from VMware
Download and install VMware Infrastructure Remote CLI on a Windows computer.
1. Download Infrastructure Remote CLI tools from the VMware website: http://www.vmware.com/download/vi/drivers_tools.html
   Search for the link to Download in the section VMware Infrastructure Remote CLI on the page.
2. Install the tools at the default location (e.g. C:\Program Files\VMware\VMware VI Remote CLI). Later steps assume the default install path. If you change the install path, please make changes accordingly in the following steps.
3. Run the following command in a Command window:

Set path=%path%;C:\Program Files\VMware\VMware VI Remote CLI\Perl\bin

Step 2: Create the Multi-Certificate file
Create the combinecerts.bat DOS batch file as described later in this document. combinecerts.bat should be run as shown below:

combinecerts <userName> <password> <servers ip list file> <output certificate file> [create|append]

userName:                 user name with which to login to the ESXi server
password:                 password for user
servers ip list file:     ASCII file with one IP Address on each line (see sample file in document)
output certificate file:  name of file that will contain all the certificates
create|append:            create: causes the script to create a new output certificate file
                          append: causes the script to append new certificates to the output certificate file
                          The default is append when this parameter is not specified.

Note: The same batch file can be used to import a single certificate from an ESXi server by specifying only one ip address in servers ip list file and with create option.

Combinecerts.bat DOS Batch file
Copy the following text into a file named combinecerts.bat.

START OF DOS Batch File
@echo off
rem Usage: combinecerts <user> <password> <servers ip list file> <output certificate file> [create|append]
rem (assuming same user and password for all servers)
rem option "create" causes the script to create a new <output certificate file>.
rem option "append" causes the script to append new certificates to the <output certificate file>.

rem With "create", delete any existing output certificate file first.
if "%5"=="create" (del /F /Q %4 2>NUL)
for /f %%X in (%3) do (
    echo.
    echo.
    echo Importing certificate from server: %%X
    vifs.pl --server %%X --username %1 --password %2 --get /host/ssl_cert tmpcert.crt
    rem Append the downloaded certificate only if vifs.pl succeeded.
    if not errorlevel 1 (type tmpcert.crt >> %4)
    del /F /Q tmpcert.crt 2>NUL
)
echo.
END OF DOS Batch File

Sample Servers IP list file
The following is a copy of the servers ip list file:

START OF SAMPLE servers ip list file
192.168.22.243
192.168.11.45
192.168.22.31
192.168.22.65
END OF SAMPLE servers ip list file
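
An added example, not part of the Dell white paper: a Python check of the multi-certificate file written by combinecerts.bat, run before the file is imported into the Connection Profile. It counts certificates against the servers ip list file (a host whose download fails is skipped by the script), flags duplicates left by re-running in the default append mode, and lists SHA-256 fingerprints to compare with each host's own certificate. The name audit_bundle and the sample data are assumptions constructed for illustration; the sample blocks hold placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# `type tmpcert.crt >> out` adds no newline, so a certificate file without a
# final newline leaves two blocks glued together on one line.
GLUED = "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"


def audit_bundle(bundle_text, server_list_text):
    """Summarise a combined certificate file against the servers ip list file."""
    servers = [ln.strip() for ln in server_list_text.splitlines() if ln.strip()]
    fingerprints, malformed = [], 0
    for body in PEM_BLOCK.findall(bundle_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            malformed += 1
            continue
        # SHA-256 over the decoded certificate bytes, for out-of-band comparison
        fingerprints.append(hashlib.sha256(der).hexdigest())
    seen, duplicates = set(), []
    for fp in fingerprints:
        if fp in seen and fp not in duplicates:
            duplicates.append(fp)
        seen.add(fp)
    return {"servers": len(servers), "certificates": len(fingerprints),
            "unique": len(seen), "duplicates": duplicates,
            "malformed": malformed,
            "glued_boundaries": bundle_text.count(GLUED),
            "fingerprints": fingerprints}


def _pem(payload):
    """Wrap constructed placeholder bytes (not a real certificate) as PEM."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"


# Constructed sample: three servers listed; the file holds host 1, host 2
# (no final newline), then host 1 again from a second run in append mode.
SAMPLE_SERVERS = "192.168.22.243\n192.168.11.45\n192.168.22.31\n"
SAMPLE_BUNDLE = _pem(b"host-1") + "\n" + _pem(b"host-2") + _pem(b"host-1") + "\n"

if __name__ == "__main__":
    for key, value in audit_bundle(SAMPLE_BUNDLE, SAMPLE_SERVERS).items():
        print(key, value)
```

A unique count lower than the server count means at least one host's certificate is missing from the file, so discovery of that host over HTTPS would fail certificate validation.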
