Author Archives: Jack

How to export a VM from Amazon EC2 to VMware On-Premise

2 Replies

Here are the instructions on how to communicate with Amazon's API to export a VM from Amazon EC2 to a VMware image that gets put into S3 storage.  From that point, you can simply download the VMware image and import it into your VMware environment.

0. Open up a command prompt

1. Setup your java path (you can use JRE or JDK):
set JAVA_HOME="C:\Program Files\Java\jre6"

2. Verify your version with this command (you should see the java version number):
%JAVA_HOME%\bin\java -version

3. Add the bin directory that contains the java executable to your path before other versions of java
set PATH=%java_home%\bin;"%Path%"

4. Verify you can see the java version by executing the following command:
java -version

5. Set the EC2_HOME path
SET EC2_HOME=c:\ec2-api-tools-1.6.5.4

6. Verify the ec2_home using
dir %EC2_HOME%

7. Update the path
set PATH="%PATH%";%EC2_HOME%\bin

8. Setup access key environment variables
set AWS_ACCESS_KEY=XXXXXXXXXXXXXXXXXX
set AWS_SECRET_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

9. Verify the tools setup -- if setup correctly, we should be able to view our available regions.
ec2-describe-regions

10. Execute the following command:
ec2-create-instance-export-task i-EC2INSTANCENAME -e VMware -f VMDK -c ova -b S3STORAGEBUCKET

Once you have executed the command above, you can use the following commands to track/manage the cloning process.

  • Use ec2-describe-export-tasks to monitor the export progress
  • Use ec2-cancel-export-task to cancel an export task prior to completion

 

Notes: You could easily take steps 1-8 to setup an automated script to connect to amazon's services.  If you would like more information on these steps, here was a great article I ran across explaining everything in detail.

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/SettingUp_CommandLine.html

 

How do I create a symbolic folder in windows?

Leave a reply

1. Open up a command prompt (Start->cmd)
2. Navigate to the directory where you want your folder.
3. Execute the following command: mklink /D foldertoredirect C:\path\to\another\directory

That's all that is to it!

Note: This works for creating FTP directories that need to redirect to another.

Replacing SSL Certificates on View Connection Servers 5.1

Leave a reply

Here are the steps involved to change the SSL certificates from the default VMware Self-Signed certificate to one signed by either your internal CA or a public CA.  This tutorial works for both the View Connection Server or Security Server services.  An official KB article by VMware on this subject can be found here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020913

In this particular guide, we cover generating an SSL certificate with an Internal CA.  If we wanted to sign our server with a public CA, we could use a tool like openSSL to generate a certificate request, send the request to a public CA.  Next, we would import a PFX12 file with the private and public key into the Local computer's Personal certificates and change set Friendly Name to vdm.

Opening the Certificates Management Console

  1. In the Connection Server, click Start, type mmc, and click OK.
  2. Click File > Add/Remove Snap-in.
  3. Select Certificates and click Add.
  4. Select Computer account and click Next.
  5. Select Local computer and click Finish > OK.

Requesting a new certificate

  1. Expand Certificates and click Personal.
  2. Under Object Type, right-click and select All Tasks > Request New Certificate.
  3. Read the information on certificate enrollment and click Next.
  4. Click Active Directory Enrollment Policy > Next.
  5. Select the template for certificate enrollment and click Details > Properties.
    1. Notes:
      1. Ensure you choose the Windows Server 2003 certificate template option. Do NOT choose Windows Server 2008.
        For information on creating a certificate template, see the Microsoft Technet article Creating Certificate Templates.
      2. If you notice that the service starts but you are unable to navigate to the SSL page, this is because the Windows Server template was set to Server 2008.
  6. Click the General tab.
  7. Under Friendly name, type vdm.
  8. Click the Private Key tab.
  9. Click the arrow next to Key options and select the Make private key exportable option.
  10. Click OK > Enroll.
  11. Click Finish.
  12. Restart the Connection Server service.Notes:
    • If you use any browser other than Internet Explorer to access the View Administration console, you must add an exception for the connection to be trusted.
    • It may take a few minutes for the certificate to be recognized as valid in the View Administration console.

All credit for this guide goes to VMware for this information. This post is merely for archival purposes and self-reflections on the subject.

Replacing SSL Certificates on View Connection Servers 5.0

2 Replies

This process does NOT work for VMWare View 5.1 only 5.0

Here are the steps involved to change the SSL certificates from the default VMware Self-Signed certificate to one signed by either your internal CA or a public CA.  This tutorial works for both the View Connection Server or Security Server services.

  1. Navigate to the following directory via command prompt (if running server 2008, make sure you run command prompt as an administrator):
    1. C:\Program Files\VMware\VMware View\Server\jre\bin
  2. Execute the following command to generate a new Java Keystore:
    1. keytool -genkeypair -keyalg "RSA" -keysize 2048 -keystore keys.jks -storepass secret
      1. Note: This will ask for your first and last name, type in your FQDN here (I.e. viewserver.mydomain.com); also hit RETURN to use the same password as your keystore password when you are done.
  3. Execute the following command to generate a CSR:
    1. keytool -certreq -file certificate.csr -keystore keys.jks -storepass secret
  4. Sign the certificate.csr file that was just generated with your certificate authority (GoDaddy, Verisign, Internal CA, etc.)
  5. Copy the signed .cer or .crt file that you just received from your CA to the same keytool directory
  6. Copy any root or intermediate public certificates to the same keytool direcotry
  7. Execute the following commands for each of your root and intermediate certificates
    1. Root CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias rootCA -file rootCA.cer
    2. Intermediate CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias intermediateCA -file intermediateCA.cer
  8. Execute the following command to import your public certificate for your certificate.csr file:
    1. keytool -importcert -keystore keys.jks -storepass secret -keyalg "RSA" -trustcacerts -file certificate.cer
  9. Next, we need to configure a View Connection Server Instance or Security Server to use the new certificate
    1. Move the keys.jks file that we just created (C:\Program Files\VMware\VMware View\Server\jre\bin\keys.jks) to the following directory:
      1. c:\Program Files\VMware\VMware View\Server\sslgateway\conf\keys.jks
    2. Next, we need to add the keyfile, keypass, and storetype properties to the locked.properties file
      1. If the locked.properties file does not already exist,go ahead and create a new file with notepad.
      2. Once the locked.properties file is open, ensure the following lines are in it:
        1. keyfile=keys.jks
        2. keypass=secret
        3. storetype=jks
  10. Restart the View Connection Server service or Security Server service for your changes to take effect.
  11. Once you have verified the new certificate works, delete the following files from C:\Program Files\VMware\VMware View\Server\jre\bin
    1. certificate.cer
    2. rootCA.cer
    3. intermediateCA.cer
    4. certficate.csr

 

Allowing Copy/Paste/Clipboard access between View Desktop and Local Machine

6 Replies
Want to allow users to copy/paste rich-text from their local machine to their View VM?  Here is how to do it.
  1. Go to your View Connection server and browse to the following directory:
    1. c:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles\
  2. Copy the pcoip.adm template and paste it on your domain controller's desktop/whereever you modify group policies for the domain.
  3. Create a new policy on the OU that you want for your virtual desktops (view clients)
  4. Edit the policy
  5. Expand Computer Configuration->Policies
  6. Right click on Administrative Templates and click Add/Remove Templates
  7. Click the Add... button and browse to the pcoip.adm file
  8. Click the Close button
  9. Expand Computer Configuration->Policies->Administrative Templates->Classic Administrative Templates (ADM)->PCoIP Session Variables->Overridable Administrator Defaults
  10. Modify the following policies to enable clipboard access
    1. Configure clipboard redirection
      1. I.e set this option to Enabled and configure clipboard redirection for Enabled in both directions.
    2. Configure PCoIP virtual channels
      1. Set this option to enabled
  11. Restart the desktop to ensure policies take over

Notes:

  • Overridable Administrator Defaults allow administrators to change the values.
  • Non-Overridable Administrator Settings prevent Administrators from changing the settings as well.
  • It is only possible to copy/paste rich-text.  Files are not supported at this time.

Manually deleting linked clones or stale virtual desktop entries from VMware View Manager 3.x, 4.x and 5.x

Leave a reply

Here is the issue I was having when trying to remove a host from View:

Desktop Composer Fault: "Virtual Machine with Input Specification already exists"

 

VMware has a great write-up on the article here on how to remove a VM that cannot be removed through the View Adam panel:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008658

How to replace SSL certificate on VMware Update Manager vCenter 5.1

Leave a reply

Here is how to replace the SSL certificates on VMware Update Manager running under vCenter 5.1.  I found the text from the following document, just reposting for future reference/ease of access: http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf

  1. Back up the existing Update Manager certificates.
  2. Copy the newly created certificate files (rui.crt, rui.key, and rui.pfx) to the Update Manager SSL directory on the system where Update Manager is installed.
    1. Typically, the directory is C:\Program Files\VMware\Infrastructure\Update Manager\SSL.
  3. Stop the VMware vSphere Update Manager service.
  4. Change to the Update Manager installation directory.
    1. Typically, the directory is C:\Program Files\VMware\Infrastructure\Update Manager\.
  5. Run the file VMwareUpdateManagerUtility.exe.
    1. Note, this might take a couple of seconds to startup, there was a delay for me.
  6. In the Options pane, click SSL Certificate.
  7. In the Configuration pane, select Followed and verified the steps and click Apply.
    1. You should receive the following text when it is done: "Successfully applied the configuration."
  8. After the operation completes, start the VMware vSphere Update Manager service.

Updating the View Composer SSL certificate

Leave a reply

To update the certificate for the View Composer server, complete the following steps:

  1. Login to the View Composer Server.
  2. Stop the VMware View Composer service
  3. Open up command prompt as an administrator
  4. Navigate to c:\Program Files (x86)\VMware\VMware view Composer
    1. Exclude the (x86) if on a 32-bit machine
  5. Execute the following command:
    1. sviconfig -operation=ReplaceCertificate -delete=false
      1. The -delete command will either delete the certificate from windows or leave it.  False leaves it, true deletes it.
  6. Start the VMware View Composer service

 

Additional information on the sviconfig tool can be found here: http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.upgrade.doc/GUID-C22EAD48-88BA-4DE8-A70F-202A954DF047.html

Original support article can be found here: http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-5ED2A8AB-0D5F-495F-B2F7-D7C64C7A021E.html

 

Method Invocation Result: vpx.fault.SecurityConfigFault when replacing vmware ssl certificates

1 Reply

Symptom: When replacing my VMWare certificates with signed certificates, I was receiving the following error when running the Invoke Certificates command:

Method Invocation Result: vpx.fault.SecurityConfigFault

Solution: Unfortunately, the only way I could figure out how to fix this issue was to reboot the vCenter server and try again. The error went away upon reboot.

Preventing Drive Letters From Changing During SysPrep

Leave a reply

One thing that I found really annoying when doing a sysprep was my drive letters changing. In some environments, drive letters need to remain constant when the machine is being deployed/cloned. Unfortunately, I don't have too awful much experience with sysprep's new unattended.xml file and there doesn't seem to be any clear cut tutorials on how to do this, so I found a nice workaround.

To prevent the drive letters from chaning, use the following steps.
1. Open up the registry (Start->Run->regedit)
2. Navigate to HKEY_LOCAL_MACHINE\System\MountedDrives
3. Make a backup of this. File->Export (save to a place where you can access it soon).
4. Make sure you leave regedit open and run sysprep via command line. Use the /quit switch when running sysprep as we do not want to restart the machine yet.
5. Once sysprep finishes, go back to the registry editor.
6. Import your registry backup. File->Import
7. Restart/Shutdown the machine and deploy

Credit to this answer goes to jthiessn for finding this trick. Make sure to "up" his answer on the Microsoft forum for his fine work 🙂 http://social.technet.microsoft.com/forums/en-US/itprovistadeployment/thread/694daccd-a48d-4529-9aaa-555cda297038