Monday, March 31, 2014

Part 10 - vCOps Custom UI - Configuring User Authentication & Permissions!

I would begin this post by thanking and welcoming BLUE MEDORA as a new sponsor for vXpress. Blue Medora has been doing some fantastic innovation around IT Infrastructure Management by extending the monitoring capabilities of leading monitoring solutions available in the market. They have done a ton of great work around vCOps by developing content packs which can help you unleash the full value of vCenter Operations Manager. I would encourage you to have a look at how they have changed the landscape of leading enterprise monitoring solutions by clicking on the image below.

"Blue Medora specializes in increasing the value of leading IT infrastructure management platforms. Blue Medora has developed a range of validated/certified integration products that extend the monitoring and management capabilities of IBM, Oracle, and VMware’s market-leading systems management platforms to the world's leading cloud, virtualization, ERP, CRM, enterprise directory, messaging software, and more."


In Part 9 of this this series, I explained the various user authentication options available in vCenter Operations Manager User Interfaces. In the last section of that post we discussed the options around authentication methodology used by Custom User Interface. Here is what I wrote in that article:-

"CUSTOM UI AUTHENTICATION METHOD - The authentication to this UI is a bit tricky and is not as simple as the vSphere UI. I think it was intelligent of VMware for not mapping this with a direct role based access control as Custom Information should only be shared to selective people irrespective of the rights they might have the vCenter Server. By default, only the admin account works in the Custom User Interface. In order to increase this scope, you have an option to integrate vCOps with your current active directory with LDAP integration. You can simply pull in a specific group or the entire organization into vCenter Operations Manager and give them pre-defined roles with pre-canned permissions or create a custom role with customized permissions. This makes things more flexible as this will allow you to share specific content with specific people. For e.g. If you create a Capacity Dashboard for a CxO you would want that you share the same exclusively with the CxOs in your organization and not with administrators. In such a case Custom UI LDAP integration helps as we have the option to share specific dashboards with specific users and also give them controlled rights on those dashboards."


In this post I will continue where I left and I will guide you with step by step instructions to integrate vCenter Operations Manager Custom User Interface with LDAP and then look at various roles & permissions available within the Custom User Interface. Let's have a look at the steps.

1- Login to the vCOps Custom UI with admin credentials.
username - admin
password - admin (default in case you have not changed)

2- Click on the Admin -> Security



3- Under the Manage Security section click on the icon highlighted in the screenshot below. This is the Import from LDAP option which allows you to do the LDAP integration with a directory service such as AD.



4- Click on Add in front of the LDAP Host.

5- Enter the required details as shown in the screenshot below. Click on Load LDAP Groups and click on OK. Do not forget to check the Auto Sync button.





























6- On the Next screen click on Lookup. Expand the group from where you need to add users into vCOps Custom UI. In my case, I have created 3 dummy users in my AD. I have assigned the pre-defined Groups to these users. I will discuss these predefined Groups in my next post and also help you create new custom Groups.

Click on OK after making the required selection.


























7- Once you click on OK you will notice that the users you selected have been imported and have been placed in the Groups which we assigned to them. (See screenshot).



That's it. You can now log out from the admin account and login as any of the added users from the Active Directory.

I will close this post now and will soon come back with the next part which would speak about the Access Rights in vCenter Operations Manager Custom User Interface!

Till then.. Stay tuned!!



***Share & Spread the Knowledge***




Friday, March 28, 2014

Two Big Results Today - Stepped into Fatherhood & Jumped into TOP 30 of TOP vBLOG 2014

Their are only a few dates which are close to my heart & 27th March 2014 has definitely taken the Top Spot in the list. 

It's 2 in the night and I have already changed 5 diapers in the past 3 hours. The Demand in terms of vCOps in way higher than the allocation ;-). I am glad that my wife appreciates me doing so, but in the corner of my heart I know that this effort is minuscule in front of the mammoth task of carrying a baby for close to an year and then giving birth. Well, I don't have the words to express the entire experience. But I am ECSTATIC to share that we were promoted from the role of Husband & Wife to PARENTS. 

That's the FIRST BIG RESULT, I think the biggest we could have ever think of. It's a healthy baby boy & both the mother and child are doing fine. 

Of-course in all this I had no chance to check the results of the TOP vBLOG 2014 on vsphere-land.com. I did get an opportunity to peek into the podcast and I am absolutely delightful as a number of people I voted for are in the Top 25. I was not expecting to be there in the Top 25 list as I need to BLOG my ASS out to come close to the vBlog-Mafia who dish out fantastic blog posts one after the another. Anyways it was a great result and thanks once again to VEEAM for sponsoring the event and Eric Siebert for doing what he has year after year.. I can see this effort coming close to carrying a delivering a baby ;-) but yeah my Wifey still wins hands down :-)

While I was getting ready to sleep (SLEEP LOL.. What's that after a KID), I thought I would sleep but yeah, God had some other plans... Some more diapers and a few more messages and phone calls... I saw a Whatsapp IM from my buddy Lior Kamrat about him securing the #84th rank in his first year of blogging at imallvirtual.com. He is my vCOps Hero and I learn a lot from him (Fantastic Guy).

In a few seconds I was mentioned in a tweet which looked like this:-



That's the SECOND BIG RESULT. Needless to say that I jumped onto Eric's website to check if that was not a typo by +abhilash hb. It was TRUE.. I actually jumped from the 151st spot last year to the 28th SPOT and landed in the TOP 30. It was the jump of 123 places.

A BIG THANK YOU TO ALL WHO VOTED FOR VXPRESS & OTHER BLOGGERS IN THE COMMUNITY. 


I started writing at 2 AM and now its 9 AM here. I guess by now you know why it took me 7 hours to write this post...

OOOPPS... Time for another diaper change!! See you around!!



Thursday, March 27, 2014

Part 9 - User Authentication in vCenter Operations Manager!

In the previous part of this series, we looked at the option of altering the data retention policies of vCenter Operations Manager. If you have been following this series, you would be knowing that we are taking a step by step approach towards deploying a robust vCOps infrastructure which can help you do Performance Management & Capacity Planning for your Virtual Infrastructure & the related components.

Once we have the vCOps deployed, it is essential that we start providing access to the target audience to use the goodness of all the derived data from vCOps Analytical Engine. In order to do so, we need to understand that how does the roles & permissions work on vCOps and what are the options available for different User Interfaces within vCOps.

Let us now see that how does vCOps authenticate users for each of its User Interface.

vSphere User-Interface

INTRODUCTION - By now you will know that vSphere UI is the default UI which is available with all the versions of vCOps, namely - Foundation, Standard, Advanced & Enterprise. In case of Foundation edition which come FREE with vSphere license you only get the option of Limited Performance Management. 



AUTHENTICATION METHOD - vSphere UI is mapped directly to the vCenter Server Permissions Structure. In other words, the rights of a user are completely replicated in the vSphere UI. If you have RBAC (Role Based Access Control) implemented in the vCenter Server, you will get the exact same rights in the vCOps vSphere UI. At this stage it is important to mention that even if you have rights on limited objects on vCenter, you will still see all the objects which vCOps is monitoring once you log into it. The rights will take effect as soon as you try to drill down on objects where you do not have any rights. In  other words you will not be allowed to drill down on objects where you do not have any rights. The default admin account has full privileges to all the resources in vCOps, hence it is recommended that we reset the default password for this account (password - admin) and keep it in a locker ;-)


Admin User-Interface

INTRODUCTION - Admin UI is another default UI which is available with all the version of vCOps. In Part 4 & Part 6 of this series I have provided step by step instructions on how to use the Custom UI.



AUTHENTICATION METHOD - The authentication on Admin UI is pretty straight forward. It accepts one and only one account, i.e. the admin account. You cannot login to this interface with any other ID. Needless to say that if you lose the password for this account, you would still have the option to login to the UI VM via root credentials and reset the admin user password as you would do in any Linus OS.



Custom User-Interface

INTRODUCTION - The Custom UI is available only with Advanced and Enterprise Edition of vCenter Operations Manager. This is where all the custom magic happens. Right from creating custom dashboards for vSphere infrastructure to things like, Super Metrics, Third Party adapter configuration (supported with enterprise only) etc. all happens in the Custom UI.




AUTHENTICATION METHOD - The authentication to this UI is a bit tricky and is not as simple as the vSphere UI. I think it was intelligent of VMware for not mapping this with a direct role based access control as Custom Information should only be shared to selective people irrespective of the rights they might have the vCenter Server. By default, only the admin account works in the Custom User Interface. In order to increase this scope, you have an option to integrate vCOps with your current active directory with LDAP integration. You can simply pull in a specific group or the entire organization into vCenter Operations Manager and give them pre-defined roles with pre-canned permissions or create a custom role with customized permissions. This makes things more flexible as this will allow you to share specific content with specific people. For e.g. If you create a Capacity Dashboard for a CxO you would want that you share the same exclusively with the CxOs in your organization and not with administrators. In such a case Custom UI LDAP integration helps as we have the option to share specific dashboards with specific users and also give them controlled rights on those dashboards.


I hope this post will help you understand the Authentication methods in a better way and plan them effectively for the users of vCenter Operations Manager in your organization. I will close this post now. In the next post, we will look at the LDAP integration of vCOps Custom User Interface along with the default roles and permissions available within vCenter Operations Manager.

Till then.. Stay tuned!!


***Share & Spread the Knowledge***




Wednesday, March 26, 2014

Part 8 - Setting up vCOps Data Retention Policy

In the last post we looked at setting up the advanced parameters for session timeout on Custom & vSphere User Interfaces. Let us look at another advanced setting which requires a tweak in most of the cases.

In this post of this series, I will post the steps you need to follow in order to change the Data Retention Period on vCenter Operations Manager FSDB. If you have read this series and are aware of the architecture of vCOps, you would know that the FSDB a.k.a the File System Database is a DB in the vCOps Analytics VM which is the home for all the raw data which is collected by the collectors. You can read about data collection process in a post I did back in June 2013.

By default vCOps retains this data for a period of 6 months (180 days). Based on this retention policy you size the vCOps vAPP as shown in my sizing post here. Their could be multiple use cases where you want to decrease or increase the data retention for the collected metrics in your environment. Some of them which I have experienced with the customer are:-

-> Compliance Requirement for Retaining Data for 1 Year. 
-> Resource Constraints on Storage, Network, CPU etc.
-> Multiple Collection Sources doing millions of metrics

I am sure the more customers I speak with, the longer would be that list, but Constraints and Compliance would be still on the top. Without further ado, let's have a look at the steps which you need to follow in order to change the Data Retention policy!


1- Login to the Analytics VM using root credential via a SSH client such as PUTTY. 

2- Browse to the following directory

/usr/lib/vmware-vcops/user/conf/analytics 

3- Locate the file advanced.properties

4- Edit the file using VI or Nano. (Note - If you are not comfortable with CLI use winscp to browse to this file and edit using notepad.)

5- Locate the following entry in this file 

#old date range for FSDB. Default is 180 days
oldDataCleanerDateRange=180

6- The value 180 denotes the 6 month of time for data retention. Change this value to a desired number.


Disclaimer - While doing this is supported, there are certain risks/impacts of this change. Would highly recommend that you go through this paragraph from VMware Documentation to understand the impact.

"vCenter Operations data retention should be configured according to the amount of resources and the cyclic needs for data patterns. The system analyzes and learns the normal behavior when allowed to use long histories of data. This allows the system to learn weekly, monthly, quarterly, and yearly patterns. For example, to learn the normal behavior for quarterly patterns, the system requires 120 days retention. Storage grows quickly with the number of resources configured in the system. The FSDB can become corrupted if the storage space is exhausted."


I will close this post here. In the next post we will look at various authentication methods via which users can login to vCenter Operations Manager.

Stay Tuned!!


Share & Spread the Knowledge!!



Tuesday, March 25, 2014

Part 7 - Changing/Disabling the vCOps User Interface Timeout Values!

Once you are done with the basic Admin UI configuration  as shown in the last article  you would want to move on to certain advanced settings which would require you to access the vCOps VMs using an SSH client such as Putty.

In this post we will look at changing or disabling the timeout values of the User Interfaces available within vCenter Operations Manager. vCenter Operations Manager has 2 major interfaces, one is called the vSphere UI and the other is called as Custom UI. I would highly recommend you go through all the parts of this series in case you need to know more about the architecture of vCenter Operations Manager. Let's get started. By default the session timeout for both vSphere UI and Custom UI is 30 Minutes. This is a small time duration especially if you want to setup the dashboards in a NOC environment.

Let's see how we can change this timeout or disable it completely.

1- Login to the UI VM via a ssh client such as putty. (If you get an error regarding Ciphers & encryption, you just need to use the latest version of putty).


























2- Login as root.












3- For vSphere UI you need to Edit the web.xml file located under the following directory 

/usr/lib/vmware-vcops/tomcat/webapps/vcops-vsphere/WEB-INF/

4- For Custom UI you need to Edit the web.xml file located under the following directory

/usr/lib/vmware-vcops/tomcat-enterprise/webapps/vcops-custom/WEB-INF/

(Note - If you are not comfortable with the CLI, you can use WinScp to browse to this directory and edit it in a notepad in a GUI interface)

5- Edit the web.xml file in both the locations and you need to find the <session-config> parameter under which you will see the <session-timeout> parameter. See the screenshot below.










6- By default the value is in minutes and is 30 out of the box. You can increase this in minutes as per your security & access policy. You can also disable this parameter by changing the timeout value to -1

7- You need to save the files after making the change. (I would recommend you re-open and confirm the change once.)

8 - Restart the services using the commands listed below for the changes to take effect. (Screenshot Below)

service vcopsweb restart
service vcopswebenterprise restart



That's it.. This will do the trick for you. I will close this post here. Stay tuned for the next post where I will talk about vCOps Data retention policy and configurations around the same.

Stay Tuned..




Share & Spread the Knowledge!!




Monday, March 24, 2014

Part 6 - Configuring vCenter Operations Manager Custom User Interface!

In the Part 5 of this series, we licensed the vCOps instance which we deployed. Now I will tell you about doing some basic configurations on the Admin User Interface of vCenter Operations Manager.
Let's begin by logging into the vCOps admin UI.

1- Open a web browser and login to vCOps Admin UI by pointing to the following url - https://<vcops UI VM IP>/admin.

2- Under the Registration TAB, you will have the option to do the following:-

- Check License Status

- Select the kind of metrics you want to collect Balanced or Full.(VMware Recommneds Balanced - Read the following VMware KB on this topic)

- You can do a Register, Un-register, Update or Find a Linked vCenter server.

- You can also register a VCM (VMware Configuration Manager) instance on this screen.



2- Click on the SMTP/SNMP tab to enable the SMTP and SNMP settings and configure the details as shown in the screenshot below. Enabling the SMTP settings are important if you want vCOps to send alerts and reports to desired recipients.




3- Click on the SSL tab and you can upload a certificate if you wish to.



4- Click on the Status tab. Here you can Start/Stop/Restart the vCOps Services. You can check the status of the vCOps service and also download a diagnostic bundle if you wish to do so or if VMware Support asks you to do so.



5- The Update Tab is important as it allows you to Add 3rd party adapter and also update the vCOps vAPP from one version to another. These upgrades are done using .pak files which can be browsed for and updated by a click of a button.




6- The last TAB here is the account tab which can be used to change the admin and root passwords if desired by the vCOps Admin.


With this I will finish this post. In the next article I will help you configure some advanced settings which will help you optimize your vCOps deployment. Stay tuned for more goodness on vCOps.


Share & Spread the Knowledge!!


Friday, March 21, 2014

Part 5 - Licensing vCenter Operations Manager!

In the last part of this series, I gave you instructions on how to do the first time registration of vCenter Operations Manager and integration of vCenter Server with vCOps. In this post we will have a look at the steps required to license the vCenter Operations Manager.

While I will give you steps on configuring the license in this post, I will leave you with the following links which will help you on how vCenter Operation Manager is licensed as a product suite.

vXpress: How to License vCenter Operations Manager (vCOPS) 5.6 !!





Here are the steps to License.

1- Login to vCOps Admin UI http://<admin ui IP>/admin/. By default you will be licensed for vCOps Foundation Edition. vCenter Operations Manager foundation edition comes free of cost and customers can use it if they just want to gauge the health (Workload, Anomalies & Faults) of the virtual infrastructure. 



2- Now Login to the vCenter Server which we registered with vCOps in the previous post. If you have multiple vCenter Servers in your environment, you can License the vCOps on any one of the vCenter Server. For redundancy you can do the same on atleast 2 vCenter Servers so that vCOps stays licensed in case their is a connectivity issue between one of the license carrying vCenter Server.

In the vCenter Server Click on Home -> Licensing -> Asset. You will notice the vCOps in an unlicensed mode here.



3- Right click on this and Manage vSphere Licenses.


4- Enter the license keys and click on Add License Keys and Click Next.



5- Select Show Unlicensed assets, click on Solution and then select the license which you added in the previous step to license vCOps. Click on Finish.


6- Login to the Custom UI again and now you will see that your instance of vCOps is licensed and ready to go :-)



With this I will close the article. In my next post I will take you through the basic configuration of vCenter Operations Manager on the Admin UI. Stay tuned!!


Share & Spread the Knowledge!!




Thursday, March 20, 2014

Part 4 - Configuring vCenter Operations Manager Post Deployment!

In my last post, I gave you step by step instructions on deploying the vCenter Operations Manager vAPP. Once the vAPP is powered on after deployment, you need to do the initial configuration on the vCOps Admin UI to have the vAPP integrated with your vCenter environment.

Without further ado let's start the configuration.

1- Click on the vCOps vAPP in the vCenter and click on the summary tab. Under summary tab click on the hyperlink highlighted below. This will re-direct you to the vCOps admin page. 

Alternatively, you can also open a web browser and give the IP of the UI VM with "/admin" and you will get on the admin page.



2- You can see the URL which I spoke about in the previous step here in this screenshot. Use the following credentials to Login to the Admin UI.

username - admin
password - admin



3- Provide the details of the vCenter where the vCOps vAPP has been deployed. This is just to keep a track of vCOps vAPP demographics and is an optional step. Verify the Analytics VM IP address and click on Next.



4- Click on Yes to accept the self generated certificate.



5- On the next screen you can reset the admin account and root account password. With vCOps 5.8 onward this password has to be a special password. for e.g. Dashboard@123

The default password for the root account is vmware

The root account here can be used to login to the UI VM or Analytics VM via ssh or console for troubleshooting, advanced customization etc.



6- Now comes the part where the vCenter which you need to monitor needs to be specified. We will pause here to discuss the Registration User and Collector User.

Registration User - If you plan to monitor ALL the resources of a vCenter Server then you can just use the registration user which has atleast Read Only rights on the root level of the vCenter. In such a situation collector user is not required.

Collector User - If you plan to monitor only a subset of your vCenter environment, then you should use the Collector user along with the Registration user. While the the Registration User is used for registering the vCenter Server, the Collector user will enable vCOps to only populate and monitor the Objects on which the collector user has atleast Read Only rights. Their is a VMware KB on this topic.

I will not enter the Collector User as I need to monitor everything and click on Next.



7- If you upgrade from VMware Capacity IQ to vCOps you will get an option to import the old data from your previous install. (This is a rare sight though).



8- On the Next screen , vCOps will automatically find all the Linked vCenter Servers if there are any. You would have the option to register the Linked VCs here. 

In case you have a non Linked VC which you want to register with your vCOps, you can finish this wizard and  register additional VCs on the Admin UI. On the other hand if you want to avoid a Linked VC from registration, you can leave it as it is and click on Finish.


It will take around 2 to 5 minutes for this registration to complete and you are done.



I will close this post now. Stay tuned for the next part where I will give you a tour of vCenter Operations Manager Admin User Interface. Stay tuned :-)



Share & Spread the Knowledge!!


Wednesday, March 19, 2014

Part 3 - Deploying vCenter Operations Manager vApp!

In the last part of this series, I gave you an overview of the pre-requisites for deploying vCenter Operations Manager. We also fulfilled one of the pre-requisite of creating an IP Pool. Now we will move one step ahead and deploy the vCOps vAPP in this post.

Let's see the step by step instructions on deploying vCenter Operations Manager.

1- On your vCenter Center Server Click on File - > Deploy New OVF Template.



2- Browse to the OVF template and click on Next.



3- Verify OVF template details and click on Next.




4- Click on the Accept button on the EULA screen and click on Next.



5- Give a name to the vCOps vAPP, select the appropriate location and click on Next. Remember it has to be in the datacenter where you have configured the IP Pool (See my previous post)




6- Deploy the configuration as per the Size appropriate to your environment & click on Next.



7- Select the appropriate cluster and click on Next.



8- Select the relevant resource pool and click on Next..




9- Select the datastore for deploying the vAPP and click on Next (Thick Provisioned recommended in case of VMFS).



10- Select the appropriate port group and click on Next. This is the same port group which you associated the IP pool with while creating the IP Pool.




11- Select the IP allocation policy as Fixed and click con Next.



12- Select the appropriate Timezone & assign the static IPs to UI and Analytics VM.



13 - Finally review the entire configuration, check the power on post deployment check-box and click on finish.



14- It will take around 10 minutes for this vAPP to deploy and another 5 minutes or so to power and be ready for use.




With this I will close this post. In my next post, I will share the details on how to do the first time configuration of vCenter Operations Manager.


Till then.. Stay tuned.


Share & Spread the Knowledge!!