
vCenter


This article can help you answer the following questions:

- Can I create a non-admin user for VMTurbo to access VirtualCenter with?

- What is the minimum set of permissions for VMTurbo to access VirtualCenter?

- How should I configure user access in VirtualCenter for VMTurbo?

- Can I create a read-only user for VMTurbo?

- What are the permissions required in VirtualCenter for VMTurbo?

 

The minimal access for VMTurbo is that of the built-in 'Read-only' role, plus the 'Datastore > Browse Datastore' privilege (needed to detect wasted files on datastores).

Note that because this is a read-only role, neither automated nor manual actions can be carried out from within the VMTurbo console; with this role VMTurbo can only monitor and recommend.

Later in this article, we list the entire set of permissions required to allow full control via VMTurbo.

First, to configure this minimal, read-only access:

  1. In the vSphere Client, create a 'clone' of the built-in 'Read-only' role and give the new role a name, such as 'VMTurbo Permissions'.
  2. Right-click on this new role and select 'Edit Role...'. The Edit Role dialog box appears:

[Screenshot: VCEditRoleDialog.png, the Edit Role dialog]

  3. Within this dialog box, select the 'Datastore' group and expand it, then tick the 'Browse Datastore' permission for this role.
  4. Assign a VirtualCenter user (for example 'vmturbo') to this role as usual within VirtualCenter.
  5. In the VMTurbo console, under Admin > Target Configuration, set the user for the VirtualCenter target to the user you assigned to this new role (in our example, 'vmturbo').

Additionally, you may wish to add further permissions to the new role you created, to allow particular actions to be taken from within VMTurbo.

 

Note: Actions are not generated in the Community Edition, so you do not need to configure any other permissions.

 

The following table should help you to identify which permissions are minimally required for each 'activity' type within VMTurbo:

 

VMTurbo Activity Type          Additional Permissions to 'Read Only' Role

Monitoring
    None

Recommend Actions
    None - only 'Read Only' role permissions are required

Wasted Storage Reporting
    Datastore > Browse Datastore

Execute VM Move (vMotion)
    Resource > Migrate
    Resource > Query VMotion
    Resource > Modify Resource Pool
    Resource > Assign VM to Resource Pool

Execute VM Storage Move (Storage vMotion)
    Datastore > Allocate Space
    Datastore > Browse Datastore
    Datastore > Configure Datastore
    Datastore > Move Datastore
    Datastore > Remove File
    Datastore Cluster > Configure a Datastore Cluster*
    Datastore > Update Virtual Machine Files
    Resource > Assign VM to Resource Pool
    Resource > Migrate
    Resource > Relocate
    Resource > Modify Resource Pool
    Resource > Move Resource Pool
    Resource > Query VMotion
    Virtual Machine > Configuration > Change Resource
    Virtual Machine > Configuration > Swap File Placement

    * The Datastore Cluster permission only applies to vSphere 5.x and later.

Execute VM Resize
    Virtual Machine > Configuration > Change CPU Count
    Virtual Machine > Configuration > Change Resource
    Virtual Machine > Configuration > Memory
    Virtual Machine > Interaction > Reset
    Virtual Machine > Interaction > Power Off
    Virtual Machine > Interaction > Power On

Discover Tags
    Global > Global Tag

In addition, you must open ports 10433 and 7433 on the target server

 

The permission group (and, where applicable, subgroup) is indicated with a ">" character.

For example, permission "Virtual Machine>Interaction>Reset" can be found by expanding the group "Virtual Machine" and the sub-group "Interaction" in the "Edit Role" dialog box shown earlier in this article.

 

 

Alternatively, you can of course configure VMTurbo to use an 'administrator' user within VirtualCenter. Bear in mind that this grants VMTurbo far more than it needs: if the VMTurbo appliance or the stored credential is compromised, the attacker inherits full administrative control of vCenter, whereas the dedicated role limits the damage to the privileges listed above. Prefer the dedicated role, and add privileges only for the action types you actually enable.
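The procedure above, scripted: an added example that is not part of the original article or of VMTurbo's own tooling. It builds the same role with govc, the govmomi command-line client, starting from the three privileges that make up the built-in Read-only role plus Datastore.Browse, and optionally the action privileges from the table. Assumptions: GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD point govc at vCenter with an administrator account; the role name 'VMTurbo Permissions' and the principal 'VSPHERE.LOCAL\vmturbo' are placeholders; and the privilege identifiers are the vSphere 5.x and later ids that correspond to the display names in the table (older releases name the migration privileges differently), which is why the script checks every id against the Admin role before creating anything rather than leaving a half-built role behind.

```shell
#!/bin/sh
# Added example (not from the original article, nor VMTurbo's own tooling):
# build the least-privilege VMTurbo role with govc instead of the vSphere
# Client. Assumes GOVC_URL / GOVC_USERNAME / GOVC_PASSWORD are set for an
# administrator account. Role name and principal are placeholders; privilege
# ids are the vSphere 5.x+ ids matching the table (an assumption, so every id
# is checked against the Admin role before the role is created).

# The built-in ReadOnly role is System.Anonymous + System.View + System.Read;
# Datastore.Browse ('Datastore > Browse Datastore') adds wasted-file detection.
read_only_privileges() {
    printf '%s\n' System.Anonymous System.View System.Read Datastore.Browse
}

# Extra privileges for executing VM moves, storage moves, resizes and tag
# discovery (the remaining rows of the table above).
action_privileges() {
    printf '%s\n' \
        Resource.HotMigrate Resource.ColdMigrate Resource.QueryVMotion \
        Resource.AssignVMToPool Resource.EditPool Resource.MovePool \
        Datastore.AllocateSpace Datastore.Config Datastore.Move \
        Datastore.DeleteFile Datastore.UpdateVirtualMachineFiles \
        StoragePod.Config \
        VirtualMachine.Config.CPUCount VirtualMachine.Config.Memory \
        VirtualMachine.Config.Resource VirtualMachine.Config.SwapPlacement \
        VirtualMachine.Interact.PowerOn VirtualMachine.Interact.PowerOff \
        VirtualMachine.Interact.Reset \
        Global.GlobalTag
}

# Print every id in the wanted list ($1, newline separated) that is absent
# from the known list ($2). Exit status 1 when anything is missing, so a typo
# or a version mismatch stops the script before a half-built role exists.
missing_privileges() {
    missing=$(printf '%s\n' "$1" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$2" | grep -qx -- "$p" || printf '%s\n' "$p"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Create the role and grant it to the principal at the vCenter root with
# propagation, which is what "assign the user as usual" amounts to.
create_vmturbo_role() {
    role=$1; principal=$2
    [ -n "$role" ] || role='VMTurbo Permissions'
    [ -n "$principal" ] || principal='VSPHERE.LOCAL\vmturbo'
    wanted=$(read_only_privileges)
    if [ "${3:-monitor}" = full ]; then
        wanted="$wanted
$(action_privileges)"
    fi
    # The Admin role holds every privilege this vCenter version defines.
    known=$(govc role.ls Admin) || return 1
    if ! missing_privileges "$wanted" "$known"; then
        echo "privilege ids above are unknown to this vCenter; compare with 'govc role.ls Admin'" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word-splitting $wanted is intended
    govc role.create "$role" $wanted &&
    govc permissions.set -principal "$principal" -role "$role" -propagate=true /
}

# Usage: sh vmturbo-role.sh apply ['Role name'] ['DOMAIN\user'] [monitor|full]
if [ "${1:-}" = apply ]; then
    create_vmturbo_role "$2" "$3" "$4"
fi
```

Run it as 'sh vmturbo-role.sh apply' for the monitoring-only role, or 'sh vmturbo-role.sh apply "VMTurbo Permissions" "DOMAIN\vmturbo" full' for the full action set; 'govc permissions.ls /' afterwards shows the assignment, and 'govc role.ls "VMTurbo Permissions"' shows exactly which privileges the role ended up with.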

Summary

 

This article describes the procedure for managing/filtering recommendations which result from a benign condition created by VMware vCloud Director.

 

Background

 

A default and expected behavior for vCloud Director is to create a dummy (nonexistent) network object called 'none' to manage VMs which are not configured to run on a particular network, or VMs which are not running at all. Because of this, VMTurbo detects the VMs as misconfigured and alerts that the network configuration is invalid and out of compliance. The recommendations look similar to the following:

 

[Screenshot: network-none-recommendation.jpg]

 

These recommendations can be numerous and might become "noise" in the To-Do list making it difficult to focus on more legitimate recommendations which require actions to be taken.  To disable these recommendations the following procedure can be followed.

 

Procedure or Steps

 

Follow the below steps to disable the recommendations:

  1. Log into Operations Manager, and select the Policy tab.
  2. Click to expand the Action item on the Category pane, and select VM.
  3. In the Scope pane, expand the Virtual Machine By Network group, and locate and select the group named "VMs_none".
  4. In the Action Mode Settings window, check the Override box next to the Reconfigure attribute, and then change the Value to "disabled".
  5. Click "Apply Settings Change".

The following screenshot can be used as a reference for the above setting changes:

 

[Screenshot: network-none-policy.jpg]

Symptoms

 

When attempting to add or validate vCenter targets via the Admin > Target Configuration utility, the error "Failed to validate <target address>: RemoteException" is returned or, depending on the Operations Manager version, you may instead see the error

"Security Exception: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints"

 

[Screenshot: remote_exception.JPG]

Cause

 

One cause of this error is a vCenter Server certificate signed with the legacy MD2 digest algorithm (MD2 is a hash function used in the certificate signature, not an encryption algorithm). Java 7 disables MD2 for certification-path validation on the client side (via the jdk.certpath.disabledAlgorithms security property) because the algorithm is cryptographically broken, so the TLS handshake with such a vCenter fails. To confirm whether this is the issue being encountered, follow the steps below:

  1. Try to Validate or Add the target via the Admin > Target Configuration page in the UI to confirm that the RemoteException error appears.
  2. Log into the appliance via SSH or on the VM console using the 'root' account with the default password 'vmturbo' (if the default is still in use, change it once this procedure is finished).
  3. Execute the following command:
     grep -i 'Validation failed due to Security' /var/log/tomcat/catalina.out
  4. If output similar to one of the following is returned, proceed to the Resolution section for steps to resolve the issue:
    2013-09-03 07:14:49,995 ERROR [VIM] : <vCenter host or IP>: unable to find valid certification path to requested target

    2013-09-03 07:14:49,995 ERROR [VIM] : <vCenter host or IP>: Validation failed due to Security: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
  5. If no output is returned from the command issued in Step 3, the issue may not be caused by the MD2 digest algorithm and you should open a support ticket with VMTurbo Support for further assistance. This can be done by visiting support.vmturbo.com and clicking the link to 'Submit a Request'.

Resolution

 

Method 1:  Replace the vCenter Server certificate with one signed using SHA-1 with RSA (Preferred Method)

The recommended method to resolve this issue is to replace the vCenter certificate, whose signature uses the legacy MD2 (or MD5) digest, with one signed using SHA-1 with RSA, which Java 7 accepts. Note that SHA-1 certificate signatures have since been deprecated by browsers and by newer Java releases as well; where your vCenter version supports it, use a SHA-256 signed certificate so that you do not have to repeat this exercise.

Instructions to perform this change are provided in the following KB article from VMware:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2013087

 

Method 2:  Re-enable acceptance of MD2-signed certificates in Java 7 within Operations Manager

NOTE:  The procedure below lowers the default security level of Java 7 on the appliance: it makes Operations Manager trust certificates signed with a broken digest, so a forged vCenter certificate could pass validation. Proceed only if you understand this risk, treat it as a temporary workaround until the vCenter certificate has been replaced (Method 1), and revert the change afterwards.

The following steps modify the Java security configuration on the Operations Manager appliance to re-admit MD2 certificate signatures, permitting Operations Manager to communicate with vCenter hosts whose certificates use the insecure MD2 digest algorithm:

  1. Log into the appliance via SSH or on the VM console using the 'root' user.
  2. Make a backup copy of the file /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/java.security, then open it using the vi text editor.
  3. Search for the following text within the file:
     jdk.certpath.disabledAlgorithms
  4. Remove 'MD2' from the comma-separated list on that line and leave any other entries in place. On the original Java 7 release the line is simply 'jdk.certpath.disabledAlgorithms=MD2', which becomes 'jdk.certpath.disabledAlgorithms=' (an empty list); on later Java 7 updates that also list 'RSA keySize < 1024', keep that entry. Commenting out the entire line with a '#' also works, but it lifts every restriction on that line rather than only MD2.
  5. Save and close the file.
  6. Restart the tomcat web server by issuing the command 'service tomcat restart'.
  7. Wait approximately 5 minutes for the Web UI to come back up, then log in and attempt to add the vCenter target again.
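Two helpers for the confirmation steps in the Cause section and for step 4 of Method 2, as an added example that is not from the original article: cert_signature_algorithm prints what the vCenter certificate is actually signed with (md2WithRSAEncryption is the case this article describes, and a run after Method 1 should show sha1WithRSAEncryption or sha256WithRSAEncryption), and drop_md2_from_certpath edits java.security so that only MD2 leaves the jdk.certpath.disabledAlgorithms list while any other entry on that line stays in force. The java.security path is the one given above; the vCenter host name passed to cert_signature_algorithm is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): check what the vCenter
# certificate is signed with, and narrow the Java 7 certpath restriction to
# re-admit MD2 only, rather than commenting out the whole property line
# (which would also lift every other entry, e.g. 'RSA keySize < 1024').
# The java.security path is the one the article gives for the appliance.

JAVA_SECURITY=${JAVA_SECURITY:-/usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/java.security}

# Print the signature algorithm of the certificate presented on $1:443,
# e.g. 'md2WithRSAEncryption' or 'sha256WithRSAEncryption'.
# ($1 is a placeholder host name supplied by the caller.)
cert_signature_algorithm() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | awk '/Signature Algorithm/ { print $3; exit }'
}

# Print the value of property $2 in the java.security-style file $1
# (last uncommented assignment wins, surrounding whitespace stripped).
java_security_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Rewrite $1 so that MD2 is dropped from jdk.certpath.disabledAlgorithms and
# everything else on the line is kept. Handles MD2 as the only, first, middle
# or last entry and leaves the file alone if MD2 is not listed. Prints the
# resulting value. Java 7's default keeps the value on one line; a
# backslash-continued multi-line value is not handled here.
drop_md2_from_certpath() {
    addr='/^[[:space:]]*jdk\.certpath\.disabledAlgorithms[[:space:]]*=/'
    cp "$1" "$1.bak" || return 1          # keep the original to restore later
    sed -e "$addr"' s/\(=[[:space:]]*\)MD2[[:space:]]*,[[:space:]]*/\1/' \
        -e "$addr"' s/,[[:space:]]*MD2[[:space:]]*,/,/' \
        -e "$addr"' s/,[[:space:]]*MD2[[:space:]]*$//' \
        -e "$addr"' s/\(=[[:space:]]*\)MD2[[:space:]]*$/\1/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1" || return 1
    java_security_get "$1" jdk.certpath.disabledAlgorithms
}

# On the appliance (as root), followed by 'service tomcat restart':
#   cert_signature_algorithm vcenter.example.com
#   drop_md2_from_certpath "$JAVA_SECURITY"
```

To revert once the vCenter certificate has been replaced, copy the .bak file back over java.security and restart tomcat again; running cert_signature_algorithm first confirms the new certificate no longer reports md2WithRSAEncryption, so the restriction can safely go back.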

More Information

  • This article applies to Operations Manager version 4.0 or later.
  • This article applies to VMTurbo customers managing VMware vCenter targets with Operations Manager.  To date, VMTurbo is not aware of this issue occurring with the other supported hypervisors.
  • For more information regarding the update to Java 7 disabling support for MD2 encryption, refer to the following article:
    http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html
