Blog of Khlebalin Dmitriy

(The road is mastered by the one who walks it…)

Change your host’s network name and SSL certificate

Changing your host’s network name and SSL certificate

When you first install ESXi your host will be given a hostname of «localhost» and domain of «localdomain». You can change this at the console or with the VI client.

Using the Console
1) Press <F2> (Customize System)
2) Select Configure Management Network
3) Select DNS Configuration
4) Select the option «Use the following DNS server addresses and hostname»
5) In the hostname enter the hostname and domain for your host. Then press Enter.
6) Select Y (Yes) when prompted to save changes and restart the management network. The change will take place immediately.

Using the VI client
1) Go to Configuration tab and select DNS and Routing
2) Click on Properties to open the DNS and Routing Configuration screen
3) Enter the name and domain for your host and click OK.
4) Right click on the host and select Reboot.

Note: both of these methods will update /etc/hosts on the ESXi host. Should you manually edit this file, it is important that you do not modify the line that consists of 127.0.0.1 localhost.localdomain localhost.

Updating the SSL Certificate for your host

Should you change your host’s hostname or domain after an install, the SSL certificate for the host will still be issued to localhost.localdomain. You can either regenerate a self-signed certificate for your ESXi host or replace the certificate with one generated by a certificate authority.

Regenerate your host’s self-signed certificate
1) Access the console of ESXi. If you have not done that before, follow the first three steps on this page.
2) Run the command /sbin/create_certificates as shown in the image below. This will replace both the private key and SSL certificate for the host. These files are located in /etc/vmware/ssl/
3) Enter the command reboot to restart the host. The certificate for the host will now reflect the hostname and domain changes that you have made.

Replace the host’s certificate with one generated by a certificate authority

The below steps used OpenSSL which can be downloaded from here and a Microsoft Windows 2003 Server Certificate Authority.

1) Download and install OpenSSL from the link provided. If you’re using Linux, your host may already have the OpenSSL package. If you are using Windows, you may also need to download the Microsoft Visual C++ 2008 Redistributable Package.
2) Generate a new private key with the command openssl genrsa 1024 > rui.key.
3) Create a new certificate request by running the command openssl req -new -key rui.key > rui.csr. A wizard will run and prompt you for information for the certificate request.

4) Open the rui.csr file with a text editor and copy the contents. If using Windows, avoid using Notepad as it may insert extra characters into the copied text.
5) Open the certificate request page for your Windows 2003 CA server. This is typically http://<hostname>/certsrv.
6) Click on the «Request a Certificate» link followed by the «advanced certificate request» link on the Request a Certificate page.
7) Select the link «Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.»
8) On the certificate request page enter the text from the rui.csr file and change the Certificate Template to Web Server. Then click Submit.

9) On the certificate issued page, select the «Base 64 encoded» option and then download the certificate to your PC.
10) Run the command on the certificate that you downloaded: openssl x509 -in certnew.cer -out esx.cer.
11) Copy the private key and certificate to your ESXi host with the following RCLI commands:
     vifs.pl --server esx05.mishchenko.net --put rui.key /host/ssl_key
     vifs.pl --server esx05.mishchenko.net --put esx.cer /host/ssl_cert

12) Restart the ESXi host and verify that the certificate has been installed correctly. If there is a problem with the certificate, you may not be able to log in to the host with the VI client. If that’s the case, then run /sbin/create_certificates at the console and reboot the host.

Note: if you try to join your ESXi host to a vCenter server and get the error: «The SSL Certificate of the remote host could not be validated» you’ll want to ensure that the root CA that issued the certificate is trusted by the vCenter host at the «Computer account» level and not just for «My user account».
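
A pre-upload check for steps 10 to 12, added here as an example and not part of the original post: it confirms that esx.cer was issued for rui.key and names the host, and reports the key size, since the 1024-bit key from step 2 is below the 2048-bit minimum in current guidance such as NIST SP 800-131A. The function names and the 2048-bit threshold are choices made for this sketch, and it assumes an OpenSSL 1.0.2 or later command line on the workstation.

```shell
#!/bin/sh
# Added example: pre-upload checks for the rui.key / esx.cer pair.
# Function names and the 2048-bit threshold are assumptions of this sketch.

# Print the RSA modulus size of a private key, in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only if the certificate's public key belongs to the private key.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeed only if the certificate is valid for the given host name
# (subjectAltName entries, or the CN when the certificate has no SAN).
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate'
}

# Run all checks; print one line per finding, return non-zero on a failure.
preflight() {
    key=$1 cert=$2 fqdn=$3 rc=0
    pair_matches "$key" "$cert" ||
        { echo "FAIL: certificate was not issued for this key"; rc=1; }
    cert_names_host "$cert" "$fqdn" ||
        { echo "FAIL: certificate does not name $fqdn"; rc=1; }
    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] ||
        echo "WARN: RSA key is ${bits:-unknown} bits (below 2048)"
    return $rc
}

# Constructed sample: a throwaway key and a self-signed certificate that
# stands in for the CA-issued one, written into directory $1 for name $2.
make_sample() {
    openssl genrsa -out "$1/rui.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/rui.key" -subj "/CN=$2" -days 1 \
        -out "$1/esx.cer" 2>/dev/null
}

# Usage: sh preflight.sh rui.key esx.cer esx05.mishchenko.net
if [ "$#" -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```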

02.06.2009 Posted by | vmware & hyper-v Infrastructure | Comments on Change your host’s network name and SSL certificate are disabled

Enable SSH Access to ESXi

ESXi 4.0 does ship with the ability to run SSH, but this is disabled by default (and is not supported). If you just need to access the console of ESXi, then you only need to perform steps 1 — 3.

1) At the console of the ESXi host, press ALT-F1 to access the console window.
2) Enter unsupported in the console and then press Enter. You will not see the text you type in.
3) If you typed in unsupported correctly, you will see the Tech Support Mode warning and a password prompt. Enter the password for the root login.
4) You should then see the prompt of ~ #. Edit the file inetd.conf (enter the command vi /etc/inetd.conf).
5) Find the lines that begin with #ssh and remove the #. Then save the file. If you’re new to using vi, then move the cursor down to the #ssh line and then press the Insert key. Move the cursor over one space and then hit backspace to delete the #. Then press ESC and type in :wq to save the file and exit vi. If you make a mistake, you can press the ESC key and then type in :q! to quit vi without saving the file. Note: there are two lines for SSH with ESXi 4.0 now — one for regular IP and the other for IPv6. You should
6) Once you’ve closed the vi editor, you can either restart the host or restart the inetd process. To restart inetd run ps | grep inetd to determine the process ID for the inetd process. The output of the command will be something like 1299 1299 busybox      inetd, and the process ID is 1299. Then run kill -HUP <process_id> (kill -HUP 1299 in this example) and you’ll then be able to access the host via SSH.

Tip — with some applications like WinSCP, the default encryption cipher used is AES. If you change that to Blowfish you will likely see significantly faster transfers.

Changing the port for SSH

To change the port for SSH, edit the file /etc/services and change the SSH port listed in the file. Save the file and repeat step 6 above.

Enable Telnet

The steps are the same as with SSH, but you’ll remove the # from the 2 telnet entries in /etc/inetd.conf. Enabling telnet is not recommended if security is a concern.

You can also download an oem.tgz file which will enable SSH (and FTP). Copy the file to a datastore with the VI client and then to bootbank with the command cp /vmfs/volumes/<datastore>/oem.tgz /bootbank/oem.tgz and then reboot.
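
An audit of the edited inetd.conf, added here as an example and not part of the original post: it lists the entries that are actually active, flags telnet or FTP if they were enabled, and checks that a service is enabled on both of its lines. The function names, the sample entries and the tcp6 protocol label for the IPv6 line are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report which inetd services are active after editing
# /etc/inetd.conf. Standard inetd.conf field layout is assumed:
#   service  socket-type  protocol  wait-flag  user  program  args...

# Constructed sample (hypothetical program paths), not a real ESXi file.
sample_conf() {
    printf '%s\n' \
        '# constructed sample' \
        'ssh stream tcp nowait root /sbin/example-sshd example-sshd -i' \
        '#ssh stream tcp6 nowait root /sbin/example-sshd example-sshd -i' \
        '#telnet stream tcp nowait root /bin/example-telnetd example-telnetd' \
        '#telnet stream tcp6 nowait root /bin/example-telnetd example-telnetd'
}

# Print "service/protocol" for every uncommented entry in file $1.
inetd_active() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 "/" $3 }' "$1"
}

# Print active cleartext entries (telnet, ftp); succeed only if none exist.
inetd_cleartext() {
    found=$(inetd_active "$1" | grep -E '^(telnet|ftp)/' || true)
    if [ -z "$found" ]; then return 0; fi
    echo "$found"
    return 1
}

# Succeed only if service $1 is active for both address families in file $2
# (the IPv6 line is assumed to use the protocol name tcp6).
inetd_both_families() {
    n=$(inetd_active "$2" | grep -c -E "^$1/tcp6?$" || true)
    [ "$n" -eq 2 ]
}

# Usage: sh inetd_audit.sh /etc/inetd.conf
if [ "$#" -eq 1 ]; then
    inetd_active "$1"
    inetd_cleartext "$1" >/dev/null || echo "WARN: cleartext service enabled"
    inetd_both_families ssh "$1" || echo "NOTE: ssh not enabled on both lines"
fi
```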

02.06.2009 Posted by | vmware & hyper-v Infrastructure | Comments on Enable SSH Access to ESXi are disabled

Install ESXi 4.0 from a USB flash drive

If you have a host that doesn’t have a CD-ROM or want to modify oem.tgz, you may find it easier to extract the ISO image to a USB flash drive and then run your install from it. The below method will allow you to create a USB flash drive which you can then use to install ESXi to a local drive on your host. If you wish to boot from a USB flash drive, see the process here.

1) Download and extract the latest version of Syslinux. For this process I used version 3.72.
2) Insert the USB flash drive that you plan to use. It will require about 300 MB free space for the ESXi install files and should be formatted as FAT32. If you’re using Windows make a note of the drive letter that is assigned to the drive. With Linux you can run fdisk -l to determine the device node (/dev/sdX).
3) For Windows run the command ..\win32\syslinux.exe <drive letter> and for Linux run ../linux/syslinux /dev/sdX. This command will alter the boot partition on the device and copy over the file ldlinux.sys to the root directory.
4) Extract the contents of the ESXi install CD to the USB flash drive. If you plan to modify oem.tgz you can copy over the file at this time as well.
5) On the USB flash drive rename the file isolinux.cfg to SYSlinux.cfg.

The USB flash drive will now be ready to be used in a host to install ESXi. If you have problems booting the flash drive, you might want to try one of these options of the syslinux command in step 3.
     -s — this option causes Syslinux to use simpler code which boots easier on some older BIOSes.
     -f — this option will force the install
     -m — (Windows only) — this will install a bootable MBR sector at the beginning of the drive
     -a — this marks the partitions as active (bootable)

02.06.2009 Posted by | vmware & hyper-v Infrastructure | Comments on Install ESXi 4.0 from a USB flash drive are disabled