Category Archives: VMworld

VMworld Day 2 General Session

Alright, Day 2 General Session Time!  They hinted at a big announcement, so let’s see what they got for today!

  • Michael Dell and Pat Gelsinger start off with a “fireside chat” to answer submitted questions by attendees.
  • Acknowledged disappointing customer satisfaction for support.
  • Skyline from VMware for proactive support coming.
  • New AI and machine learning along with quantum computing are creating a new human-machine interactive atmosphere that isn’t just IT focused.  It also will involve C level executives to be successful.
  • Everyone needs to integrate machine learning and AI into their product.
  • The next 30 years are going to make the previous 30 years look boring.
  • Today in tech will be the slowest tech day for the rest of your life.
  • Reinforced VMware as an open ecosystem for competition, not VMware as some kind of subsidiary of DellEMC.  “If it’s good for VMware, it’s good for Dell.”  The ecosystem is growing, which I actually agree.
  • Pivotal – Cloud Foundry is used in over 50% of Fortune 500 companies.
  • Pivotal Container Services announced, which will include Kubernetes and NSX.
  • Google Cloud Services will be in all Kubernetes containers.
  • Demo of AppDefense looks good.  Checksums of app files, identification of normal behaviors, notifications, remediation behaviors.
  • Elastic DRS – add more hosts in AWS when running out of capacity.
  • Integration with AWS into vCenter, capacity will be reflected even down to vRealize Operations Manager.
  • Network Insight can identify good candidates for migrations into AWS.
  • vRealize Automation can then migrate the workload.
  • That’s A LOT of products from VMware to all this though, but cool nonetheless.
  • NSX Cloud to hacwe consistent security and consumption across multiple clubs.
  • Wavefront is SaaS is application monitoring and analysis.
  • Wrkspace ONE Intelligence takes that analysis “the last mile”.
  • VMware Pulse IoT Center is a family of IoT solutions.  This is more of a future product.

VMworld 2017 – Opening general session

VMworld 2017 in sunny and RIDICULOUSLY HOT Las Vegas has begun!

Seriously, it’s really hot out here, with temperature highs the next three days at 107F!  Thankfully, VMworld is an indoor affair.

Here’s a recap of the opening general session.

  • Science fiction is becoming science fact
  • The biggest change today is our expectations
  • We get bored with newer innovations faster
  • Many industries have not digitally transformed.  Retail is only 10% digital as an example.
  • VMware’s goal is still to give access to applications on any device, anywhere
  • Workspace ONE aimed to be consumer simple, but enterprise secure
  • Airwatch is now working closely with HP device-as-a-service offering
  • Capital One sees themselves “as a technology company that happens to provide financial services”
  • VMware wants to make the cloud easier and seamless
  • VMware Cloud Foundation 2.0 to be released
  • vSAN is now at 10,000 customers
  • DellEMC is releasing VXRACK.
  • Run any application in vSphere and move it to AWS, and manage it through VMware.
  • Medtronic changed philosophies from being a device company to being a services company.
  • Medtronic – “Going into the public cloud is… going into it for the long haul…  There will be good days and bad days.”  Very much worth it though for their goals.
  • NSX is what ESX was for VMware’s first 20 years for its next decade.
  • Sysco uses NSX for microsegmentation for even their most sensitive workloads.
  • Sysco’s CIO was able to build a web server in AWS using VMware’s management software in a virtual data center there in under 4 hours between other tasks.
  • Over $100,000,000,000 is spent on security.
  • The IT industry has failed on security.  It needs to be rebuilt from the ground up using technologies like NSX.
  • We must also go back to the basics with simple principles – least privilege, microsegmentation, encryption, multi factor authentication, and patching.
  • VMware helping with federal legislation to improve cyber security.
  • We need to ensure good, not chase the bad for better security.
  • VMware Appdefense – machine learning to detect when things deviate from good, and automate response.
  • IBM Watson will be used in a partnership with VMware Appdefense for analysis and action.
  • Good to see American Red Cross and discussions about the devastation of Hurricane Harvey to raise awareness.
  • CIO top spending priorities — Cloud, mobile, security

 

vSphere 6 – Certificate Management Intro

I like VMware and their core products like vCenter, ESXi, etc.  Personally, one thing I really admire is the general quality of these products, how reliable they are, how well they work, and how VMware works to address pain points of them to make them extremely usable.  They just work.

However, certificate management has been a big pain point of the core vSphere product line.  There’s just no way around it.  And certificates are important.  You want to ensure the systems you’re connecting to when you manage them are those systems.  For many customers I’ve worked with, because of the pain of certificate management within vSphere, the fact that some customers are too small and don’t have an on premise Certificate Authority, and to ensure the product continues to work, they often don’t replace the default self-signed certificates generated by vSphere.

That’s obviously less than ideal.  The good news is certificate management has been completely revamped in vSphere 6.  It’s far easier to replace certificates if you like, and you have some flexibility as to how you go about this.

Three Models of Certificate Management

Now, you have several choices for managing vSphere certificates. This post will outline them.  Later, I’ll show you how you can implement each model.  Much of this information comes from a VMworld session I attended called “Certificate Management for Mere Mortals.”  If you have access to the session video, I would highly encourage viewing it!

Before we get into the models, be aware that certificates can basically fall under one of two categories – certificates that facilitate client connections from users and admins, and certificates that allow different product components to interact.  Also, vCenter also has built in Certificate Authority functionality within it.  That’s a bit obvious since you already had self-signed certificates, but this functionality has been expanded.  For example, you can allow vCenter to act as a subordinate authority of your enterprise PKI, too!

Effectively, this means you have some questions up front you want to answer:

  1. Are you cool with vCenter acting as a certificate authority at all?  The biggest reason to use vCenter is it is easier to manage certificates this way, but your security guidelines may not allow it.
  2. Are you cool with vCenter being a root certificate authority should you be cool with it generating certificates?  If not, you could make it a subordinate CA.
  3. For each certificate, which certificate authority should generate them?  Maybe your security requirement that the internal PKI must be used is only for certificates viewable on client connections as an example.

From these questions, typically a few models emerge for certificate management.  You effectively have four models that emerge, which is a combination of your vCenter acting as a certificate authority or not, and which certificates it will generate.

Model 1: Let vCenter do it all!

This model is pretty straight forward.  vCenter will act as a certificate authority for your vSphere environment, and it will generate all the certificates for all the things!  This can be attractive for several reasons.

  1. It’s by far the easiest to implement.  It will generate all your certificates for you pretty much, and install them.
  2. It’ll definitely work.  No worries about generating the wrong certificate.
  3. If you don’t have an internal CA, you’re covered!  vCenter is now your PKI for vSphere.  Sweet!  You can even export vCenter’s root CA certificate, and import it into your clients using Active Directory Group Policy, or other technologies to get client machines to automatically trust these certificates!  Note that it is unsupported for vCenter to generate certificates for anything other than vSphere components.

Model 2: Let vCenter do it all as a subordinate CA to your enternal PKI

Very similar model to the above.  The only exception is instead of vCenter being the root CA, you make vCenter become a subordinate CA for your enterprise PKI.  This allows your vCenter server to more easily generate certificates that are trusted automatically by client machines.  Yet it also ensures that certificates are still easily generated and installed properly.

However, it is a bit more involved than the first model, since you must create a certificate request (CSR) in vCenter to submit to your enterprise PKI, and then install the issued certificate within vCenter manually.

Model 3: Make your enterprise PKI issue all the certificates

Arguably the most secure if your enteprise PKI is secured, this model is pretty self-explanatory.  You don’t make use of any of the certificate functionality within vCenter.  Instead, you must manually generate all certificate requests for all vCenter components, ESXi servers, etc., submit them to your enterprise PKI, and install all the resulting certificates for each yourself.

While this could be the most secure way to go about certificate management, it is by far the most laborious solution to implement, and it is the solution that is most likely to be problematic.  You have to ensure your PKI is configured to issue the correct certificate type and properties, you have to install the right certificates on the right components, etc.  It’s all pretty much on you to get everything right!

Model 4: Mix and match!  (SAY WHAT?!?!?)

When I first heard this being discussed in the session, my immediate reaction by my security inner conscious was, “This sounds like a REALLY bad idea!!!”

But as I listened, it actually makes quite a bit of sense when done properly.  You can mix and match which certificates are and are not generated by the PKI components within vCenter.  However, the model that makes sense if you go hybrid (a hybrid solution doesn’t make sense for everyone!) would be to allow vCenter to manage the certificate generation for all certificates that facilitate vSphere component communication, but use either Model 1, 2, or 3 for all other certificates that facilitate client connections.  Should this meet your security requirement, it meets the best of both worlds – certificates issued by your internal PKI that your clients automatically trust and thereby (potentially) more secure, but ease of management and better reliability for all the certificates that clients don’t see for internal vSphere components.

Which should you go with?

I hate using the universal consultant answer, but I have to.  It depends.  If you don’t have an internal PKI, go with Model 1.

If you have an internal PKI just because you had to for something else, and you want easy trusting of vSphere connections by your clients, go with model 1 and import vCenter’s root CA into your client machines, OR go with Model 2.  Which one in this case?  If you don’t consider yourself really good at PKI management, or if you don’t need many machines to be able to connect to vSphere components, probably Model 1.  The more clients that need to connect, the more it might lean you towards Model 2.

Do you have security requirements that prevent you from using vCenter’s PKI capabilities altogether?  You have no choice, go with Model 3.

I would generally try though for people who think they need to go with Model 3 to look at Model 4’s hybrid approach.  Unless you absolutely have to go with Model 3, go Model 4.

Hope this helps!

VMworld Day 1 – Recap

So much for live blogging VMworld.  I need to find something to post to WordPress from my ipad, as the web editor doesn’t work when the web bandwidth isn’t good…  Actually, the web editor isn’t good on iOS, period.  Oh, well.

Monday was more labs, Solutions Exchange, and sessions.  The general session, VMware stated it’s goal is to make a single logical cloud that could span public and private clouds, where you could run all apps, both enterprise apps we have had for years, and the new “cloud native apps” of today and increasingly in tomorrow.

So most of the 23,000 attendees were greeted with a well produced but a bit weird video that looked like something cooked up by somebody smoking a substance still illegal in most states watching X-Men, as this guy…

cloudprofxWas teaching the young mutant…err…cloud native apps and enterprise apps to hone their powers in security, performance, flexibility, and more.

We learned that we would now be able to vMotion applications between vCloud Air and your private VMware cloud potentially… Cool!

We learned that SRM would now be offered as a cloud offering in conjunction with vCloud Air as well.  Also, very cool!

They also announced vSphere Integrated Containers, and discussed Photon, which is a VMware optimized linux container technology that will interoperate with other container technologies, such as Docker.  It’s good to see VMware embrace a technology that is a bit of a counter to their bread and butter – VMs.  Resisting change is often futile.

Also, an EVO SDDC Manager was announced, which will help automate the management of all components of the Software Defined Data Center, including network virtualization and virtualized storage within VSAN, in a single pane of glass.

Upgrades to VSAN have also been announced, and one of the biggest improvements will be the ability to stretch a VSAN across datacenters, effectively making a stretched storage cluster with synchronous replication.  Considering how much solutions like VPLEX cost to do the same thing, this could potentially be a much lower cost option for organizations looking for this type of DR protection.

I’ll have more on specific sessions later, but I wanted to get this out in the meantime.

 

VMworld Day 0 – Update

Sorry about the late post from yesterday, but I was too exhausted from disembarking from the cruise, getting to VMworld, blah blah blah.

Sunday was a good day to get some quick sessions in, and do a lot of labs.  There’s not enough here to do a lot of posts, so here’s a quick summary of Sunday for me.

  • VMware certifications – Expect VCIX exams for Data Center Virtualization to be available January and February. Design will be first, followed shortly after with Administration.
  • Dell FX line of servers are an interesting piece of hardware.  I’ll do a future blog post about them, but they present an interesting solution for a few scenarios.
  • I played around quite a bit with VSAN in the labs, particularly around policy based management scenarios.  I’m sure that will be another blog post coming soon.

Much more from Day 1 coming…