Saturday, November 21, 2015

VMware Sample Exchange beta Site

Today I heard from the vExpert program team about the VMware Sample Exchange beta site and spent some time on it. As the site is in its initial stage, there are not many script samples available yet; however, the idea seems very promising and useful.

On the Sample Exchange site one can find code and script samples from VMware as well as from members of the VMware community. Here we can discover, contribute, and request samples in PowerShell, Python, Ruby, Java, and many other languages. Sample Exchange is currently in beta and features content from Alan Renouf (@alanrenouf), William Lam (@lamw), and other VMware experts.

The beta runs for a period of 60 days. During this period only vExperts can contribute or request sample code/scripts; non-vExperts can only browse and download.

Useful URLs: 
That's it... :)


Tuesday, November 17, 2015

Server has a weak ephemeral Diffie-Hellman public key error in Chrome/Firefox

I believe anyone using vSphere Web Client 5.1 will be aware of this error. We get it when we try to connect to the Web Client, or to any other site using certain SSL ciphers, with the latest versions of Chrome/Mozilla Firefox (so far I haven't seen this issue with IE).

Note: This is a known issue affecting vSphere Web Client 5.1; it is resolved in vSphere Web Client 5.1 Update 3e and later.
The issue occurs because of changes to the web browser containing a fix to combat an unrelated vulnerability, which consequently disables certain SSL ciphers.

When I was looking for a way to avoid this for the Web Client or any other site giving this error, I came across a thread about the related issue on the Google Chrome Help Forum. The summary is that, so far, Chrome itself doesn't have any option to disable the related setting and allow sites with relatively weak security.

If a secure website gets the error ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY, it means the website is trying to set up a secure connection, but it is actually insecure because the SSL/TLS uses a Diffie-Hellman group size smaller than 1024 bits.
This is the problem in the Logjam vulnerability, which affects both browsers and servers: https://weakdh.org

In this case, the website/webserver needs to be fixed.  Google Chrome won't use insecure connections in order to protect your privacy.
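
The check behind this error, as an added example that is not part of the original post: a small shell filter that reads openssl s_client output and reports whether the server's ephemeral Diffie-Hellman key is below the 1024-bit limit mentioned above. The function name, verdict strings and sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify the ephemeral key a TLS
# server offered, using the "Server Temp Key" line that openssl s_client prints.
# Live use, with HOST as a placeholder for your own server:
#   openssl s_client -connect "$HOST:443" -cipher DHE </dev/null 2>/dev/null \
#     | classify_temp_key
# A recent OpenSSL may refuse the handshake itself ("dh key too small").

MIN_DH_BITS=1024   # limit quoted above; weakdh.org recommends 2048-bit groups

# Reads s_client output on stdin and prints one verdict line.
# Optional $1 overrides the minimum acceptable DH size in bits.
classify_temp_key() {
    min=${1:-$MIN_DH_BITS}
    line=$(grep -m1 'Server Temp Key:' || true)
    if [ -z "$line" ]; then
        echo "no-ephemeral-key"   # static RSA key exchange or failed handshake
        return 0
    fi
    # Formats: "Server Temp Key: DH, 768 bits", "... ECDH, P-256, 256 bits"
    kind=$(printf '%s\n' "$line" | sed -E 's/.*Server Temp Key: *([A-Za-z0-9]+).*/\1/')
    bits=$(printf '%s\n' "$line" | sed -E 's/.*[ ,]([0-9]+) bits.*/\1/')
    case "$kind" in
        DH)
            if [ "$bits" -lt "$min" ]; then
                echo "weak-dh $bits"
            else
                echo "ok-dh $bits"
            fi ;;
        *)  echo "not-dh $kind $bits" ;;   # curve sizes are not comparable to DH
    esac
}

# Constructed s_client excerpts (not captured from a real host).
SAMPLE_WEAK='Server Temp Key: DH, 768 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit'
SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits'
SAMPLE_RSA='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit'

for s in "$SAMPLE_WEAK" "$SAMPLE_ECDHE" "$SAMPLE_RSA"; do
    printf '%s\n' "$s" | classify_temp_key
done
```

Passing 2048 as the first argument applies the stricter group size instead of the browser limit.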

In my case I am using a self-signed certificate instead of a certificate-authority-signed certificate.

Resolution:
Google Chrome: As I said earlier, there is no option within Chrome that lets you access less secure sites over HTTPS. However, as a workaround we can use the IE Tab Chrome extension, which allows us to open the vSphere Web Client within Chrome.

To use this extension, first go to the Chrome Web Store and add the IE Tab extension to Chrome. Now go to your URL; you will again get the "Server has a weak ephemeral Diffie-Hellman public key" error. All you have to do now is click on the IE Tab icon, which you will find in the right corner of the Chrome window (highlighted in blue).
And once you click on the IE Tab icon,

Though it's not an official fix, it still works and will allow you to view the web pages without any issues. The server itself is unchanged, so the actual fix is still the Web Client update noted above.

Mozilla Firefox: In Firefox we have an option to work around it by going to the following URL:
about:config
On this config page you will find a list of boolean entries. Search for the two entries below:
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
By default these are set to true. Set them to false in order to allow the less secure pages. This turns off these two DHE cipher suites in Firefox, so the browser negotiates a different suite with the server; the setting applies to every site, not only the Web Client.

Reference:  kb# 2125607, Senthil Kumar Murugesan's blog.

That's it... :)


Open VM console error: The VMRC console has disconnected...attempting to reconnect

This was the second time I came across this issue, where I was not able to open the VM console. When I tried to open the VM console, I ended up with the error "The VMRC console has disconnected... attempting to reconnect".

And again it took me some time to figure out the issue, so I thought of writing a post about it.

This is nothing but a local vSphere Client issue (an application such as antivirus might be blocking the application's functionality), and in order to fix it you just need to kill the vSphere Client related processes. Open Task Manager and look for any vmware-vmrc.exe process(es), select it, right-click and select Kill Process Tree.

Once you have killed all VMware vSphere Client related processes (vmware-vmrc.exe/vmware-remotemks.exe/vpxclient.exe), open up the vSphere Client again; the console should now work.

A reboot of the system running the vSphere Client will also fix the issue, but that's not always possible, as one might have other applications running on this host. If the above doesn't work, you will have to give the reboot a try, or you may also upgrade/reinstall the vSphere Client.

Reference: kb# 2050470, 2032016

That's it... :)


Sunday, November 8, 2015

ESXi installation types: Embedded/ Installable, how would you determine

As you know, ESXi is the unified version of the VMware hypervisor. However, depending on the size of the destination media, its installation can be categorized as one of these types:
  • Embedded: installed on an attached SD card or USB drive
  • Installable: installed on a local hard drive
There is one more type:
  • PXE: used in the Auto Deploy environment

During the ESXi installation process you will never be asked whether you want to install in embedded or installable mode. It depends solely on the type and size of your target installation media:
  • If you install ESXi on a USB key drive or SD card, you will always end up with ESXi embedded.
  • If you install ESXi on a hard disk (or iSCSI/SAN/FCoE partition) that has a size of at least 5 GB, you will end up with ESXi installable.
  • If the installation target media (no matter what type) is smaller than 5 GB, you will end up with ESXi embedded.
Now you may wonder: in the case of PXE, how would you determine whether it's the Installable or Embedded version? The destination media is not enough, because you can also install ESXi over the vendor's SD card used for the embedded versions. Here is the answer.

To determine the type of ESXi installation:
  1. Connect to the host via SSH.
  2. Run this command: # esxcfg-info -e
You see an output similar to: boot type: visor-thin
You can determine the ESXi type based on the output of this command.
For example:
  • visor-thin indicates an installable deployment
  • visor-usb indicates an embedded deployment
  • visor-pxe indicates a PXE deployment

Note: For ESXi embedded it is a good practice and a recommendation by VMware to create a persistent scratch location to store log files otherwise you would lose them during host reboot.

Reference: KB# 2014558, Andreas Peetz's blog post

That's it... :)


Friday, November 6, 2015

How to upgrade firmware of a HP ProLiant G9 server (upgrading firmware from version 2.20 to 2.30)

As I posted earlier, we were facing embedded Flash/SD-card related issues: the error "Lost connectivity to the device mpx.vmhba32:C0:T0:L0 backing the boot file system" on the vSphere Client host summary page. These hosts are running on HP ProLiant G9 servers. As this was the second time we saw this error, instead of fixing it myself I contacted HP support to find out the root cause. The response from HP support was as expected.

Response from HP support: That version 2.20 has been removed from our site due to it causing issues with server components, including the embedded flash cards. The new iLO firmware 2.22 addresses/fixes issues with the embedded cards disconnecting.

In our further discussion they suggested a firmware upgrade from 2.20 to 2.22 or to the latest available version, 2.30.

There are many ways to upgrade the firmware; a few are as follows:
  • Upgrading the firmware directly from iLO using the firmware update .bin file.
First download firmware version 2.30, or any other version, from the HP site.

Getting the firmware .bin file is a little tricky. To find it, first extract the firmware setup zip; there you will find an executable file. Extract that executable in turn using 7-Zip/WinRAR etc., and you will get the firmware upgrade .bin file.

Now connect to iLO; G9 servers have iLO version 4.

Go to Administration => Firmware. From here one can upgrade the firmware of an HP server by uploading the firmware upgrade .bin file.
iLO will reboot during the firmware upgrade; a server reboot is not required.
  • If your server is running ESXi, you can also upgrade the firmware directly from the DCUI or using SSH.
Note: If you extract the downloaded firmware setup zip, you will get a Readme file with instructions for upgrading the firmware from within the ESXi console.

Or follow these steps to upgrade the HP server's firmware from inside the ESXi console:

Put the intended host in maintenance mode; in most cases a reboot is not required, but just in case. Now open PuTTY and connect to the host using root credentials.

Copy the downloaded firmware zip (CPxxxxxx.zip) to a temp directory (or any other directory) and then change to that directory.
  • From the same directory, unzip the Smart Component:
                unzip CPxxxxxx.zip
  • To ensure CPxxxxxx.vmexe is executable, execute the command:
                chmod +x CPxxxxxx.vmexe
  • Finally, to upgrade the firmware, run this command:
                ./CPxxxxxx.vmexe

Now follow the directions given by the Smart Component.
Once the firmware upgrade completes, iLO will reboot. If instructed, reboot your system for the firmware update to take effect; it didn't ask us for a reboot, but we rebooted the server anyway.
  • If you want to upgrade the firmware as well as other server components, use HP SPP (Service Pack for ProLiant). With it you can upgrade an individual server component/driver or everything.
Just download the latest/intended HP SPP ISO file from the HP Support site, open the iLO remote console, mount the SPP ISO as a virtual CD/DVD and reboot the server.
During server boot, choose to boot from CD/DVD.
Once the server boots from the SPP ISO, you get two options to upgrade server components: Automatic and Interactive. Choose one as per your convenience.

I personally prefer Interactive mode, as with this mode I can upgrade individual components, and if any upgrade fails one gets the info right there.

That’s it... :)