vCloud Director and VMware Horizon Integration

Requirements for SSO in vCloud Director

The parties in a SAML exchange have formal roles and responsibilities:

  • Service Provider – An entity that receives the SAML message from an Identity Provider (vCloud Director)
  • Identity Provider – An entity that authenticates a user (Horizon)

The Identity provider must provide these fields in the response (case sensitive):

  • UserName
  • EmailAddress
  • FullName
  • Groups

While UserName is the only required field, it is recommended that all fields be returned with proper information to ease management and administration of the users and their rights.

Configuring vCloud Director

In vCloud director you will first need to enable the use of a SAML Identity provider.

  1. Once logged in as an Organization Administrator or System Administrator, go to the organization Administration page, click on Federation, then enable ‘Use SAML Identity Provider’.

  2. The XML metadata file that you got from your SAML/SSO provider should be downloaded to the machine these actions are running from. Due to special characters and copy/paste issues it is not recommended to paste the value into the field; instead use the upload function to upload the XML file whole.

    In the case of VMware's Horizon product the metadata can be found here: https:///SAAS/API/1.0/GET/metadata/idp.xml

  3. Now close the organization tab, or log out and back into the UI, to get the ‘Groups’ and ‘Import from SAML’ options in the UI. After that is complete you can import users into vCloud Director.

Since SAML users and groups are not searchable, users will have to be added one per line for each role. Another option for granting access to the organization is through the use of groups.

At this point the configuration of vCloud Director is complete.

Exporting XML Metadata from vCloud Director

We now need to export a file much like what we imported from the SAML provider, so that the SAML provider will trust and validate requests coming from vCloud Director. This file and related certificates are controlled on the Federation page where we imported the SAML XML file. At the bottom of the page click on the ‘Regenerate’ button to create a new certificate with a validity of 1 year.

It will prompt you with a warning about changing the certificate. If you have already set up a SAML provider relationship, changing this certificate will break that relationship until the SAML provider replaces its current information with the new certificate. Once the certificate is generated you can download it via this web link: https://./cloud/org//saml/metadata/alias/vcd Save this file as an XML file, then provide it to your SAML provider for the next section.

Configuring Horizon for vCloud Director SSO

First you will need to log in to the administrator interface for Horizon and create a new Application, then apply the following configuration items to that application.

  1. Configure the Login Redirection URL to be the organization URL in vCloud Director. This is required for vCloud Director to work properly, since the authentication sequence must start with vCloud Director and not Horizon.

  2. Check ‘Include the Destination in the response’.
  3. Check ‘Sign the entire response’.
  4. Check ‘Sign the assertion’.
  5. Uncheck ‘Include Cert’.
  6. Select the configure via Meta-data XML option, then paste the certificate into the text box provided.
  7. Click on ‘Populate Attribute Mapping’.
  8. Configure the Attribute Mapping to match your deployment of Horizon.
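The attribute requirements above (UserName required; EmailAddress, FullName and Groups recommended; names case sensitive) and the Horizon settings just listed (Destination included, response and assertion signed) can be checked structurally before a federation is enabled. This is an added example, not VMware's or vCloud Director's own code; the sample Response, hostnames and org name are constructed, and it does not verify the XML signature, only that the signature elements and attributes are present.

```python
"""Structural pre-check of a SAML Response against the vCloud Director requirements.
Added example (not VMware code). It does NOT validate the XML signature; the SP's
SAML library does that. It only reports what is missing or mis-cased."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED = ("UserName",)
RECOMMENDED = ("EmailAddress", "FullName", "Groups")


def attributes(root):
    """Return {Name: [values]} for every saml:Attribute in the response."""
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name")] = vals
    return found


def check_response(xml_text):
    """Return a list of problems; an empty list means the response looks usable by vCD."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") is None:          # 'Include the Destination in the response'
        problems.append("Response has no Destination attribute")
    if root.find("ds:Signature", NS) is None:    # 'Sign the entire response'
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("No Assertion in response")
        return problems
    if assertion.find("ds:Signature", NS) is None:   # 'Sign the assertion'
        problems.append("Assertion is not signed")
    attrs = attributes(root)
    lower = {k.lower(): k for k in attrs}        # used only to hint at case mistakes
    for name in REQUIRED + RECOMMENDED:
        if name in attrs:
            if name in REQUIRED and not any(v.strip() for v in attrs[name]):
                problems.append(f"{name} is present but empty")
            continue
        sev = "required" if name in REQUIRED else "recommended"
        hint = lower.get(name.lower())
        if hint:
            problems.append(f"{sev} attribute {name} missing; found {hint!r} (case matters)")
        else:
            problems.append(f"{sev} attribute {name} missing")
    return problems


# Constructed sample response: hostnames and org are placeholders, not real deployments.
DEST = 'Destination="https://vcd.example.test/cloud/org/ExampleOrg/saml/SSO"'
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z" {DEST}>
  <saml:Issuer>https://horizon.example.test/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
    <saml:Issuer>https://horizon.example.test/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="UserName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Groups"><saml:AttributeValue>OrgAdmins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with a mis-cased UserName, no Groups, and no Destination.
BAD_RESPONSE = (GOOD_RESPONSE.replace('Name="UserName"', 'Name="username"')
                .replace(DEST, "")
                .replace('<saml:Attribute Name="Groups"><saml:AttributeValue>OrgAdmins'
                         '</saml:AttributeValue></saml:Attribute>', ""))

if __name__ == "__main__":
    print("good:", check_response(GOOD_RESPONSE))
    print("bad: ", check_response(BAD_RESPONSE))
```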

Enabling SAML Providers in vCloud 5.1

As a system or organization administrator head to the 'Administration' page, and then the Federation tab. Paste or upload the SAML configuration XML. Ensure the certificate at the bottom of the page is recent; if not, click re-generate certificate. It will produce a certificate valid for 1 year.

After the certificate is renewed, enter this URL into the web browser: cloud/org/[orgName]/saml/metadata/alias/vcd ; save the XML file on that page. This is the file you will need to provide to the SAML or third-party authentication service in order for it to authenticate you.

Now you have SSO, SAML, or third-party authentication enabled on your organization. Once configured/enabled, the Org login page will use the SAML provider, meaning any local users will be locked out.

vCloud Network Security 5.1.2a Release

Heads up... VMware released vCloud Network Security 5.1.2a this morning; it is a MUST upgrade if you are on 5.1.2. It fixes a pretty big show-stopper bug where a vShield Manager can stop responding to requests without warning or error, and the only fix is to bounce the entire vShield Manager.

Release notes here.

Documentation here.

vCloud Network Security Product page here.

New Year... Brings Changes

The New Year brings some changes: I am transferring inside VMware to a new group that is focusing on Cloud Consumption.

Cloud Consumption... WTH is that?

For the past, well, as long as I have been in IT, I have been doing 'Ping, Power and Pipe'. With IaaS, in my opinion, that has been done; most any experienced IT person could stand up IaaS.

In my new role I will be focusing on methods to consume the cloud offerings. For example, how does one define a service (in the ITIL sense) from this 'Ping, Power, and Pipe'? Another example, what requirements does a consumer have? How can the cloud offering satisfy those requirements?

More importantly... "Define the services that consumers will utilize, while driving the architecture of the physical"

Happy New Years! 2013 will most definitely be a challenging year.

Symform Security Analysis

This morning on Twitter I was asked if Symform "Secure Online Backup" was as secure as SpiderOak (my favorite online storage/backup solution). Here is my analysis from reading Symform's publicly facing documents.

How it works:

According to Symform's website, your data is processed at the folder level, meaning that all files in a folder are encrypted together. This gives the benefit of being able to de-duplicate the files inside that folder; it is not clear whether this is at the block or file level though. If done at the block level this would be analogous to compression; if done at the file level I would imagine not much space is saved, since duplicate files in the same folder are uncommon.

These files are encrypted with AES256 (good job there), but what generates this key? Since there would be a separate key per folder/container it would be near impossible for the end user to manage these keys. That means the Symform Cloud Control is generating and managing these keys for you, the end user. (This is confirmed by their own documentation.)

After your files are encrypted (in 64MB folder chunks), they are then broken into 1MB chunks. Parity fragments are then generated out of those 1MB chunks, 32 parity fragments to be exact. Those parity chunks are then sent out to the Symform Global Cloud Storage Network, and distributed to 96 devices.

Analysis:

That seems fine right? Your data is spread among 96 random devices on the internet, encrypted and secure.

Well, that is the problem: who controls the decryption/encryption keys? Symform does. Who controls where your data is stored on this 'Global Cloud Storage Network'? Symform does.

From a standpoint of Trust No One, Symform fails the test. A hacker can still get your AES keys and the location of those blobs on the internet. A government agency can still subpoena your data and have access to the decrypted data.

While it looks like a neat technology, SpiderOak still wins in my opinion, since I control the encryption keys and where my data resides (Amazon S3 storage).

Host Isolation Response Settings

Over the past few weeks I have had some people ask what I would recommend for host isolation addresses and responses, when using vSphere x.x with high availability (HA) enabled.

First off as with most everything in computers 'It depends'.

Items to consider with host isolation response include: what type of storage is being utilized? Is it considered an outage if the vSphere hosts can talk to each other but the virtual machines (VMs) cannot? How stable is my management network? Is datastore heartbeating set up correctly? The list of things to consider can be quite long.

Here is what I generally recommend…

NAS Based Storage Options (iSCSI or NFS)

First, set one of the host isolation response addresses to the virtual IP (VIP) or the IP of the storage array. This will tell you if you can at least talk to the array; chances are that if you cannot talk to the array your machines have already failed.

That brings me to the isolation response. Since the VMs should already be dead (remember, the NAS array and host are no longer able to communicate), I recommend 'Power Off'. If you were to leave the response at 'Leave Powered On' you run the risk of corruption on the guest disks. Think about it: the disk goes away for 60 seconds, then comes back. Do you think that VM is going to be able to recover, and what are the odds of it corrupting that vital disk? What about 'Shutdown Guest'? Well, that has a chance of the same exact thing happening.

Power Off in this setting is the safest setting: not only will it allow that VM to be brought up elsewhere, you run less of a chance of corruption or VM failure.

Fiber-based storage (SAN)

With fiber the network isolation address does not matter as much, because the storage is not relying on the network for communication.

General Host Isolation Techniques

If it is considered a down time for the VM network to fail but not the management network, is there a way we can mitigate this?

Of course: put a vmkernel port on the virtual machine network, enable it for HA traffic, then place an isolation address of that network's gateway into the HA configuration.

vCNS App - Spoofguard Deployment

Spoofguard records the IP address of each vNIC secured by vShield App. Spoofguard can be configured in two different modes, automatic and manual.

In Automatic mode the first IP that is presented for each vNIC is recorded and allowed to communicate without authorization. If the IP of the vNIC changes, the machine will no longer be able to communicate on the network until the new IP is approved.

In manual mode all IPs must be approved prior to being allowed to communicate; even existing virtual machines will be blocked until approved.

When enabling Spoofguard in an environment where there are existing virtual machines, it is recommended to enable Spoofguard in ‘Automatic’ mode. Once the vNICs are learned and reviewed it is then acceptable to switch Spoofguard to ‘Manual’ mode, which will restrict all new virtual machines from communicating until approved. When deploying vShield App to a greenfield environment Spoofguard can be enabled in ‘Manual’ mode. Once Spoofguard has flagged a vNIC for approval, it must be approved before traffic is allowed to transmit. This is true even if Spoofguard is later disabled; all vNICs that are in ‘Require Approval’ will require approval before they can transmit.

When utilizing vShield App in a vCloud Director environment Spoofguard should not be enabled. The reason for this is that when vCloud Director brings a virtual machine online for the first time the machine will boot up and broadcast an IP (either DHCP or a pre-defined IP). When the machine is fully booted the guest customization script takes effect and changes the IP to the one defined in vCloud Director. Spoofguard will learn the first IP and not allow the VM to communicate on the network until the new IP is approved. It is possible to use vCenter Orchestrator to automate this approval process; that discussion and how-to is out of the scope of this document.

Spoofguard currently supports only one IP per vNIC, so one cannot specify a secondary or failover IP.
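The behaviour described in this post (one learned IP per vNIC, automatic versus manual mode, approval state that survives disabling Spoofguard, and the vCloud Director first-boot problem) can be modelled to reason about it before rolling it out. The model below is an added example and not VMware's code; vNIC names and addresses are constructed, and the class names are my own.

```python
"""Model of the vShield App Spoofguard behaviour described above.
Added example, not VMware code: it reproduces the documented rules so the
vCloud Director guest-customization failure mode can be reasoned about."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class VNic:
    name: str
    approved_ip: Optional[str] = None   # the single IP Spoofguard allows (one per vNIC)
    pending_ip: Optional[str] = None    # an IP seen but not yet approved

    @property
    def requires_approval(self) -> bool:
        return self.pending_ip is not None


class Spoofguard:
    def __init__(self, mode: str = "automatic", enabled: bool = True):
        if mode not in ("automatic", "manual"):
            raise ValueError("mode must be 'automatic' or 'manual'")
        self.mode = mode
        self.enabled = enabled
        self.vnics: Dict[str, VNic] = {}

    def observe(self, vnic_name: str, ip: str) -> bool:
        """A vNIC is seen transmitting from `ip`; return True if traffic is allowed."""
        v = self.vnics.setdefault(vnic_name, VNic(vnic_name))
        if v.approved_ip == ip:
            return True                      # matches the recorded address
        if not self.enabled and not v.requires_approval:
            return True                      # disabled and never flagged: nothing enforced
        if self.enabled and self.mode == "automatic" and v.approved_ip is None:
            v.approved_ip = ip               # automatic mode: first IP is learned and allowed
            return True
        # manual mode, a changed IP, or a vNIC flagged before Spoofguard was disabled
        v.pending_ip = ip
        return False

    def approve(self, vnic_name: str) -> None:
        """Administrator approves the pending IP; it becomes the vNIC's only allowed IP."""
        v = self.vnics[vnic_name]
        if not v.requires_approval:
            raise ValueError(f"{vnic_name} has nothing pending approval")
        v.approved_ip, v.pending_ip = v.pending_ip, None


def vcd_first_boot(mode: str = "automatic") -> Tuple[bool, bool, bool]:
    """vCloud Director case: the VM first comes up with a DHCP lease, then guest
    customization switches it to the vCD-assigned address (constructed values).
    Returns (first boot allowed, post-customization allowed, approval now required)."""
    sg = Spoofguard(mode)
    first = sg.observe("vm01-nic0", "10.0.0.50")    # DHCP lease at first boot
    second = sg.observe("vm01-nic0", "10.0.0.10")   # address set by guest customization
    return first, second, sg.vnics["vm01-nic0"].requires_approval


if __name__ == "__main__":
    print("automatic:", vcd_first_boot("automatic"))   # (True, False, True)
    print("manual:   ", vcd_first_boot("manual"))      # (False, False, True)
```

In automatic mode the DHCP address is learned and the customized address is then blocked until approved, which is exactly why the post says not to enable Spoofguard under vCloud Director without an approval workflow.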

iOS 6 - Ad Tracking

You can disable (well, limit) the ad tracking that is done in iOS 6. This setting turns off the ability for advertisers to use what is called the 'Advertising Identifier'. This replaces the device's UUID, which is a non-anonymous way of tracking usage. The advertising identifier is 'anonymous' (though further research needs to be done).

Here is how to disable the ability for advertisers to track you at all (once they move from the old deprecated UUID model).

  1. Fire up your iOS device
  2. Under Settings
  3. Find General
  4. Click on About
  5. Scroll to the bottom and select 'Advertising'
  6. Set the 'Limit Ad Tracking' to 'On'

You are done. Now go forth, untracked from iOS ads (the Apple ones anyway).

vCNS Edge 5.1 VIX_E_DISK_FULL ERROR Fix

VMware this morning released a KB article and a fix for the Edge devices filling up on disk space. While it did not kill the edge or cause an outage, it did stop you from being able to make changes to the Edge's configuration.

The official fix will be released on this site: https://my.vmware.com/web/vmware/info/slug/securityproducts/vmwarevcloudnetworkingandsecurity/51

The upgrade/patch will require the standard vCloud Network Security (vShield) upgrade process where the Edge device will need to be replaced with the new code. (READ: Possible outage of network for a few moments while the Edge is swapped)

How do you know if you have this problem?

In vCloud Director, attempting a reconfig fails with this error:

VIX_E_DISK_FULL

In vCloud Director, when looking at Edge Gateways, you receive this error:

Edge VM backing the edge gateway is unreachable

Just remember, when this happens it is not causing an outage or a network failure. The edge is basically running 'headless' at that time, and will not accept any ruleset changes.

Time for a change... Well a new direction at least

I started working at VMware just under two years ago. In that time I have gone from a Cloud Practice, where we developed the services and solutions that are being implemented today, to a group developing bleeding-edge documentation, processes, and ultimately 'making the marketing world a reality'.

Since then I have transitioned to a more security in the cloud role. For example, how can a workload in the cloud be secured and audited against, no matter where it is running?

Now for a new challenge, something fresh; most importantly... something NEW. Not only to me, but to almost everyone.

I was asked a few weeks ago to join a new business unit in VMware to join a new Global Center of Excellence on Network Virtualization Security. There I will be focusing on the current VMware vCloud Network Security Suite of products. Most interesting is merging the vCloud Network Security Suite with Nicira's NVP product.

While it is still cloud related, it is now more network (NaaS), security, and then cloud.

Let the mayhem begin!

Network as a Service

What the heck is Network as a Service (NaaS)?

Wait I know... it is one of those catchy new jargons that the marketing people use.

Actually, they will; someday.

Right now though I am referring to the idea that what was done for compute, virtualization, can be done for networking. Think quickly of how networking is tied to the physical.

If you want to add a new server to your datacenter... You have to rack it, power it, and connect it to the physical network. Imagine that server is virtual... Now you just have to wire the network to the host, then connect the virtual machine to that physical network.

Take it a step further.

You create the server, then you connect it to the logical network.

Logical network? Yes.

A network that is defined by software, managed by software, and is agile like software.

Want to move that virtual machine to a new datacenter? Take your network and virtual machine with you.

This is the next big thing for datacenters, networking and virtualization. Sure over a decade ago servers started to get virtualized. Now what is one of the last things to hold a machine to the physical world? Networking.

While the details, methods and the nitty-gritty are still being worked out... just think of the possibilities.

I am sure I will have more to say on this in the coming weeks and months.

What does it take to achieve a VCDX certification?

There have been lots of articles on the defense and the process… so I will not waste space on that. This is going to be focused on 'What is a VCDX?'

It means that you are an expert at designing and architecting VMware virtual environments; more specifically vSphere environments. Of course to achieve this level of certification you had to pass a VCP test, a VMware Certified Advanced Professional Datacenter Design (VCAP-DCD) and Datacenter Administrator (VCAP-DCA) test.

Does it mean you are a master at the technical portions of vSphere (Networking configuration, storage configuration, computer configuration)?

No.

There are VCDX's that are CCIE level network engineers, but that is not their only skill set. They know of SAN design, layout, configuration, as well of compute limitations.

  • For example they know that a physical server with 4,096TB of RAM and 64 sockets is just not realistic or cost effective.
  • They also know that a RAID 5 probably should not be used for a write heavy workload, but if they use a RAID 5 LUN, they identify this possible issue.

Sure it seems easy to install and design a vSphere environment, but consider that vSphere is a technology and suite of products that touches nearly every aspect of a corporation's IT.

vSphere requires networking, storage, servers, power, cooling, a workload. This means that you will need to understand enough of those areas, including other areas that you may touch, to properly design the solution.

  • It means that you are able to gather requirements from a customer for their use cases.
  • It means that you are able to consider the impacts of such requirements, product limitations, product features, and most importantly… The impact of decisions that you make.
  • It means that you are able to identify the risks in your design, then mitigate or reduce that risk to an acceptable level.
  • It means that you are able to consider dependencies between the elements of your design, the customer's existing environment, and the customer's existing operational procedures.

You also need to understand the operational aspects of a design.

  • How do I implement it?
  • How do I test it?
  • How can I update it?
  • How do I maintain it?
  • What do I do when something breaks?
  • What is likely to break?

It requires a different mindset.

It requires the mindset of an architect, a consultant, and a system administrator.

vCloud Network Security (formerly vShield)

For those of you that used the former product vShield, that is OLD news: VMware's marketing team has renamed it VMware vCloud Network Security, which is really what it is. vShield Endpoint is now free with vSphere host licenses; Enterprise Plus is needed, of course.

Here is a highlight of what is new in vCloud Network Security:

  • The Edge product finally supports more than two interfaces, and becomes a more flexible and usable product. It now features 10 interfaces, which can be a mix of internal and external interfaces.
  • Edge now has an SSL VPN built in to it; this is truly interesting for vCloud deployments. Instead of needing an IPSec VPN client and the underlying requirements (looking at you, GRE), now the only requirement is port 443.
  • The new UI... can't say enough about it. It is clearly a ground up re-design from the old design. Now it is more standard, easier to follow, and much easier to add/change/delete rules.
  • Throughput - Edge is now 'officially' supporting > 3Gb/s with 2,000 NAT and 2,000 Firewall rules. 'Unofficially' it tested much higher than that.
  • Load Balancer is actually getting smarter now, it is not just the round-robin as it was before, it now will do load balancing policies.

vCenter and vSphere 5.1

The latest versions of VMware's vCenter, vSphere, vCloud Director, and vShield are now at version 5.1. The first major, ground breaking change...

vRAM is GONE!

That is right: a year after making the very unpopular choice to limit the amount of 'vRAM' you could use per license, VMware has heard the screams of pain and completely tossed the idea. While it only really affected a handful of the thousands of customers of VMware, it was a complexity that caused more confusion than answers.

Now to the news...

vSphere 5.1 has once again rev'ed the virtual hardware version to version 9. Version 9 will give you the ability to run 64 cores on a single VM, this makes the 'Monster VM' even larger!

vCenter 5.1 supports 20,000 VMs powered on in the same vCenter, 25 linked vCenters, 1,000 hosts per datacenter, 128 storage vMotions concurrently.

VMware is also moving away from the thick C# client that was tied to Windows only machines, to a web-based client. This new vSphere Web Client was there in 5.0 but it was incomplete and lacked basic functions still. 5.1 is the first version of the vSphere Web Client that is actually a near replacement for the old thick client. If the vSphere Web Client is used you can actually get around 150 concurrent client connections to your vCenter server(s).

More to come as information comes out of VMWorld this week!

How I Get Things Done

Here are the programs and things that I need on a daily basis to get my job done.

1. Instapaper - While reading blogs, security news and other information; I log the pages to instapaper.
2. Evernote - I have an AppleScript that takes items from Instapaper and places them into Evernote for later retrieval. I also use Evernote to keep wikis and other documents for easy search and access.
3. Skype - Great VoIP client and IM client, best of all it is secure where AIM, MSN and others are clear text.
4. iA Writer - One of the best writers that I have found for capturing thoughts, notes and blog posts. It is simple, slimmed down, and just works. It works with iCloud to keep all the docs in sync between my iDevices and Mac.
5. MindNode Pro - Before heading to iA Writer I mind map out my document in detail; mostly in order to get my thoughts in order.
6. OmniOutliner Pro - Once I have the mind map created I import it into OmniOutliner, where I can then edit the map, and add depth to the discussion points. From there I export it to a mark down file then into iA Writer for final editing.
7. MS Word - Once iA Writer has my document, I need to be able to put it in a format that the tech writers can use. So to MS Word, for styling and final proofreading.
8. OmniFocus - My GTD application, works great, I am able to use Apple Mail rules and formatting to put tasks in to OmniFocus remotely. OmniFocus also has great iDevice applications that allow for GTD on the go.
9. TextExpander - Working in a company that uses acronyms for everything, TextExpander allows me to type those acronyms and have them expanded for the final document.
10. SpiderOak - Securely keeps my machines in sync.

Other programs on my Mac that I use...

gfxCardStatus - Keeps tabs on my graphics card, for optimal battery life.
geektool - I have my RAM usage, network status and date on my desktop.
Adium - Best IM client for the Mac.
Tweetbot - It may be in Alpha and crash sometimes, but it is a blessing compared to TweetDeck.


VCDX 5

Barcelona is going to be the first VCDX5 defenses, meaning you can submit a vSphere design and only be questioned on vSphere 5.x features. Sure, with the current program you can submit vSphere 5 designs, but you will only receive a VCDX4 certification. So the real question is: what changes with VCDX 5?

The short answer is nothing. Nothing changes from all the blog posts and information that is out there for VCDX 5.

VMworld Sessions

Consider voting for session 1314, 1315 and 1628 here. Here is a brief on what you will learn...

Session 1314

Will cover how vShield App can make use of a single Layer 3 network with multiple security zones in the same network with access control and auditing from server to server communications. It will also cover how vShield App will assist with passing audits and security tests.

Session 1315

Will cover how to recover from a site outage and how to restore services in a DR or BC scenario. It will also cover how to restore vShield Edge/App from corruption or failures as well.

Session 1628

Mark Achtemichuk and I will cover how to make sure that your vCloud installation is running at 110% and will show you how allocation models can affect performance for the better or worse! Are you ready to run a vTornado?

SpiderOak v. Sugar Sync


I recently moved from Sugar Sync with over 60GB stored to SpiderOak for cloud based storage of documents, pictures and other data. Before I explain why here is a quick overview on how they work differently (based on the documentation on their web sites).

SugarSync

Data is transmitted unencrypted to SugarSync through an encrypted SSL/TLS connection to the SugarSync servers. The data is then encrypted and stored on the SugarSync servers for later retrieval. This means that if SugarSync is 'hacked' or subpoenaed by a law enforcement agency they can have access to all of your data.
While I do not store sensitive information outside of secure containers (think TrueCrypt files), it still concerned me enough to find a new cloud storage provider.

SpiderOak

SpiderOak does things differently: they do not want to know what information you store or how to get to it. Data is encrypted on the local machine before it is sent over an SSL/TLS connection to the SpiderOak servers. The key is based on the password that is used to create the account. This means that SpiderOak does not know your password or the encryption key for your data, which ultimately means that if they are subpoenaed by a law enforcement agency, the only data that they can hand over is a jumble of random data bits.
Is there a perfect solution? Of course not; given enough time and enough resources any encryption method will fail. SpiderOak utilizes AES256 for their encryption. Assuming 10 billion billion keys per second, it would take 3 x 10^51 years; longer than the data I store is usable (barely).
If you want to try SpiderOak, go here. The first 2GB is free; after that for $75/yr you can get 75GB (use the promo code 'spring'), normally it is $100. Unlimited computers and devices, 100GB stored (compressed/de-duplicated) data.


vCenter Operations Manager 5 Guides

Here is a compilation of links for vCenter Operations Manager 5, or vC Ops for short.


Official VMware Documentation

http://www.vmware.com/support/pubs/vcops-pubs.html

...especially the Advanced Getting Started guide

http://www.vmware.com/pdf/vcops-5-getting-started-guide.pdf

VMware Community Site

http://communities.vmware.com/community/vmtn/server/vcenter/vcops


VMware TV on YouTube - several videos:

VMware vCenter Operations 5.0 - Introduction Video

http://www.youtube.com/watch?v=Z-DJuTiqKag

VMware vCenter Operations Manager 5.0 - Install and Configure

http://www.youtube.com/watch?v=pwRdGDhI0lc&feature=relmfu

TheSaffaGeek.co.uk

http://thesaffageek.co.uk/tag/vcenter-operations-manager/

vExperienced.co.uk

http://www.vexperienced.co.uk/2012/04/10/vcenter-operations-v5-intro/

http://www.vexperienced.co.uk/2012/04/12/using-vcenter-operations-v5-crazy-cool/

http://www.vexperienced.co.uk/2012/04/16/using-vcenter-operations-v5-capacity-features-and-conclusions-33/

Iwan Rahabok technical deep-dive @ Community site (large PPT)

http://communities.vmware.com/docs/DOC-18592

virtual-red-dot.blogspot.co.uk (several posts)

http://virtual-red-dot.blogspot.co.uk/

VMware KB 2012021 - Working with Alert Notification Rules in vCenter Operations Manager

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2012021

Tutorial: Building Custom Dashboards in vCOps

http://velemental.com/2012/04/12/tutorial-building-custom-dashboards-in-vcops/

Rightsizing VMs using vCenter CapacityIQ - Part 1

http://blogs.vmware.com/management/2010/06/rightsizing-vms-using-vcenter-capacityiq-part-1.html

Rightsizing VMs using vCenter CapacityIQ - Part 2

http://blogs.vmware.com/management/2010/06/rightsizing-vms-using-vcenter-capacityiq-part-2.html

Generating SSL Certificates for vCenter Operations Manager 5.0

http://www.bussink.ch/?p=458

vCOps sessions at VMworld ’11

http://www.vmworld.com/community/sessions