vthistle.com

You are here: Home / Archives for vExpert

VxRail Hosts show TPM 2.0 device detected but the connection cannot be established.

By

Occasionally, I have to help our customers with installing/configuring and maintaining their DellEMC VxRail environments. I was recently assisting one of our customers with an upgrade from VxRail code 4.5.x to 4.7.x. After the upgrade was complete (12 hours later), we noticed that each host had an alert stating: “TPM 2.0 device detected but a connection could not be established” – Well, that’s a bummer!

After a long support call with DellEMC, one of their escalation engineers had seen this before and was able to resolve the issue. Short story, the BIOS needed to be configured to use SHA256 in order to support TPM.

Few tips that the engineer kept stressing:

  1. Ensure the vSAN cluster is healthy
  2. Ensure there is not an active re-sync operation in progress
  3. Ensure there are enough resources available for vMotions
  4. Ensure there was enough free space available for Fault Tolerance.

You can change the BIOS setting by completing the following steps:

  1. Put the host in Maintenance Mode in vCenter and using the “Ensure Accessibility” setting.
  2. Log into the BMC by hitting F2 for System Setup then System Security
  3. Ensure “TPM Security” is set to ON and “Intel(R) TXT” is ON
    1. If you can not turn this setting on, then you will need to enable secure boot in the bios first.
  4. Go into “TPM Advanced Settings” and Ensure “TPM PPI” settings are disabled, and “TPM2 Algorithm Selection” should be SHA56
  5. Save settings and let the host reboot with the new settings
  6. Clear alerts in vCenter for that hosts and wait 10-15 minutes
  7. Ensure is vSAN Health is healthy
  8. No Resync operations in progress
  9. Ensure there was enough free space available for Fault Tolerance.
  10. Proceed to the next host

Needless to say, this isn’t a quick process. Hope this helps anyone else seeing this and saves you a call to support.

#vExpert2019

By

Good Afternoon friends, it’s been a while since I have posted anything to this fine blog. I promise, I will post more in 2019 as I expect to dive into new products and technologies.

Now, back to why you are reading this post. I’m proud to announce that I made the cut to participate in the VMware vExpert program for 2019. #Strumbelievable! This will be the 4th year that I have been selected to be a part of this program.

The VMware vCommunity is an amazing group of passionate IT folks who are always willing to lend a helping hand and share knowledge.

It’s also great to see that my friend and co-worker @Mike Dent also made the cut!

Congrats to all of the other vExperts out there, I’m looking forward to another great year!

Horizon View 7.5 Instant Clone Issues

By

I was working with someone recently who upgraded their Horizon View environment to 7.5.1 recently who also updated their vCenter to 6.7 – mistake #1.(to get off of the old vCenter Web Client). The customer wasn’t in a position to upgrade their ESXi hosts to 6.7 due to some vendor compatibility issues that needed to be resolved via firmware issues. (mistake #2)

When pushing a new version of a Horizon Instant Clone, they were receiving the error: “Error during provisioning: Cloning of VM Win10-Prod has failed: Fault type is SERVER_FAULT_FATAL – Runtime error: No full links for internal VMs found”

Did I mention that VMware signed off on the version information via an SR?

What did we do to fix the issue? The customer had a small enough VDI environment that it was easy enough to delete the VDI Pools and vCenter and start over (100 clients, 2 Pools).

What would fix the issue: Upgrade your hosts to vSphere 6.7

Moral of the story: Ensure your customers understand the software lifecycle and walk them through the process of ensuring all applications that are dependent on each other are FULLY ready for an upgrade.

Don’t pull a homer.

VMware Horizon View & LetsEncrypt

By

As most tech people, I like to build, destroy, rebuild and repeat. It’s what we do, its how we learn to do things. One of my latest deep-dives has been into Horizon View 7.X. A few years ago, I went down this path as well, and I bought a cert so that I could go through the setup.

Enter LetsEncrypt – Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. They provide certificates with a lifetime of 90 days and renewing a certificate is done within a couple of minutes, which is perfect for testing and home labs.

I started researching how I could use the LetsEncrypt certs with Horizon View and I couldn’t find much. Before we dive into how we make this happen, I first want to start out by saying using LetsEncrypt with Windows isn’t the simplest thing to do, So I used a CentOS Linux box – Super Small footprint for a cert generator. I’m not a Linux expert, so using and getting to know CentOS was also a learning experience.

So, in this article, I will go through the steps to get the cert, as well as applying them to Horizon View.

Installing LetsEncrypt

As mentioned above, I am using a CentOS machine to obtain the certs.

  • Log into the CentOS machine as root
  • First, we have to install and enable the EPEL repository
    • sudo yum install epel-release
  • Now, we can install certbot – certbot is just an application that goes out and gets the certs
    • sudo yum install certbot

Now that we have Certbot configured, we can now move on to Request the Certificate

Request a Certificate

*Note: change the items in red to match your needs

  1. Run the following command on your Linux box.
    • certbot certonly –manual –email xxxx@gmail.com -d server.vthistle.net –rsa-key-size 2048
  2. Agree to the ToS
  3. Decide if you want to share your email with LetsEncrypt
  4. Answer the question about “Are you ok with your IP being logged” as the IP requesting the cert
  5. Create a page on a web sever with the challenge key to prove you are in ownership of the site

  6. When the request has been validated, you will see a “CONGRATULATIONS
  7. Browse to /etc/letsencrypt/live/site.domain.com/
    1. You will find the following files:
      • cert.pem —-> Server Certificate
      • chain.pem —> Root and Intermediate Certs
      • fullchaim.pem –> Server, intermediate and root chain
      • privkey.pem —> Private key for Server Certificate

Convert PEM to PFX with Private Key

  1. Copy the files listed above from your Linux box to a windows box and use OpenSSL
  2. Run: openssl.exe pkc12 -export -out view.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
  3. You will then copy your “view.pfx” file that you can use on your Horizon View Server

Adding the new Cert to the Connection/Security Servers

  1. The process to replace the certs on the Connection Server and Security Servers are the same: open MMC.exe -> File -> Add/Remove Snap-in… -> Select Certificates -> Add:
  2. Change the “friendly name” of the default certificate to something other than vdm
  3. Go through the import wizard and ensure you check the box to “Mark this key as exportable
  4. Change the “Friendly Name” to vdm and restart the “VMware View Connection Server” service

Complete – Your View Connection Server is now using you 90 day LetsEncrypt certificate. 

VMware – vSphere Host Client

By

I recently rebuilt my home lab host to ESXi 6.5 and decided to try to exclusively utilize the vSphere Host Client that it was shipped with. I have to admit, I am very impressed with the ease of use and functionality of the client. I was able to configure everything I needed to without opening the C# client once!

What really impressed me was something I stumbled upon, and hadn’t read about prior. LOGS!!!  

To get to this, click on “Monitor”, then “logs”.

How many times have you had to log into a host, start the SSH service and then SSH into a host to view the vmkernel.log file while troubleshooting an issue with a host. (Unless you have VMware LogInsight).

Now you have the ability to view these logs directly from the HTML5 client. Let’s look at an example.

I am going to add an NFS datastore to my host. Click Refresh, and there it is.

Pretty slick new feature!