VMworld 2013
Josh Gray, VMware
Justin King, VMware
Jonathan McDonald, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
VMworld 2013: vSphere vCenter Single Sign-on Best Practices
1. vSphere vCenter Single Sign-on
Best Practices
Josh Gray, VMware
Justin King, VMware
Jonathan McDonald, VMware
VSVC5635
#VSVC5635
2.
vSphere Deployment Best Practices – vCenter Server 5.1
What is vCenter Single Sign-On
vCenter Single Sign-On 5.1
• Architecture
• Deployment Configurations
• Database
• 5.1 Architectural References
  • Single vCenter Server
  • Multiple vCenter Servers (Local)
  • Multiple vCenter Servers (Remote)
Deployment Best Practices and Recommendations
• Deployment / Installation / Upgrading / Availability
Challenges / Lessons Learned with Single Sign-On 5.1
vCenter Single Sign-On 5.5 (NEW)
• What's New with vCenter Single Sign-On 5.5
• Deployment Configurations
4.
What is: vCenter Single Sign-On Server
Authentication Services for the vSphere Platform
A component of vCenter Server
vCenter Single Sign-On creates an authentication domain where users are trusted to access available resources (vCenter etc)
• no longer log into vCenter directly*
Multiple identity sources (Active Directory, OpenLDAP etc)
Provides Secure Token Exchange (SAML 2.0) between solutions
When you access an SSO enabled solution, the solution will request an extension to the SAML 2.0 token TTL
First component to touch (regardless of install/upgrade)
Design before implementing!!
[Diagram: vCloud Director, vCenter and vCO all authenticating through vCenter Single Sign On (SSO)]
5.
What Components Have Integrated With SSO?
[Diagram: SSO at the centre, with a 2013 to 2014 timeline of integrated components: Inventory Service, Web Client, vCenter, VCO, Log Browser, VSM, VCD *, SRM, VCOPS, VDP, Others, Partners]
* VCD is partially integrated with SSO, only provider side logins can be integrated with SSO
6.
How Does vCenter Single Sign On Work?
1. Web Client: Login (user, pswd)
2. Web Client to vCenter Single Sign On: Issue Token (user, pswd)
3. vCenter Single Sign On authenticates the user against its identity sources: AD (Domain 1), Open LDAP, SSO users (local data store), Local OS users
4. Token returned to the Web Client
5-9. Login (Token) to each SSO-enabled solution: vCenter 1, vCenter 2, VCO, vShield, vCloud Director
7.
vCenter Single Sign On Server
Registry of Single Sign-On enabled solutions
One time manual registration of vCenter 5.0 needed for discovery by vSphere Web Client. (5.1 Only)
Linked Mode required to provide a single pane of glass view across geographically separate vCenters
Linked Mode:
• Sharing of Permissions
• Sharing of Roles
• Sharing of Licenses
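The token flow on slides 4, 6 and 7 (issue a token against an identity source, log into registered solutions with that token, let a solution ask for a TTL extension), modelled as an added Python example. This is not VMware code and not the real SAML 2.0 implementation: the STS certificate is replaced by an HMAC key, the SAML assertion by a signed JSON payload, and the users, domains, password values and solution names are constructed for the demonstration.

```python
"""Simplified model of the vCenter SSO token flow (slides 4, 6, 7).
Constructed example: HMAC-signed JSON stands in for a SAML 2.0 assertion."""
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SsoServer:
    """Models the vCenter Single Sign-On server (the security token service)."""

    def __init__(self, signing_key: bytes, token_ttl: int = 300, clock=time.time):
        self._key = signing_key        # stands in for the STS signing certificate
        self.token_ttl = token_ttl     # seconds a freshly issued token stays valid
        self.clock = clock             # injectable so expiry can be simulated offline
        self.identity_sources = {}     # qualifying domain -> {user: password}
        self.solutions = set()         # registry of SSO-enabled solutions (slide 7)

    def add_identity_source(self, domain: str, users: dict) -> None:
        self.identity_sources[domain] = users

    def register_solution(self, name: str) -> None:
        self.solutions.add(name)

    def _sign(self, claims: dict) -> str:
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)

    def issue_token(self, user: str, password: str) -> str:
        """Steps 2-4: the qualifying domain (user@domain) selects the identity
        source; on success a signed token with an expiry claim is returned."""
        name, _, domain = user.rpartition("@")
        expected = self.identity_sources.get(domain, {}).get(name)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("credentials not valid")
        return self._sign({"sub": user, "exp": self.clock() + self.token_ttl})

    def validate_token(self, token: str) -> dict:
        """Check the signature first, then the expiry; return the claims."""
        try:
            body, sig = token.split(".")
        except ValueError:
            raise PermissionError("malformed token")
        want = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _unb64(sig)):
            raise PermissionError("token signature invalid")
        claims = json.loads(_unb64(body))
        if claims["exp"] <= self.clock():
            raise PermissionError("token expired")
        return claims

    def extend_token(self, token: str) -> str:
        """Slide 4: an SSO-enabled solution asks the STS to extend the token TTL."""
        claims = self.validate_token(token)
        return self._sign({"sub": claims["sub"], "exp": self.clock() + self.token_ttl})


class Solution:
    """An SSO-enabled solution such as vCenter, VCO or vShield (steps 5-9)."""

    def __init__(self, name: str, sso: SsoServer):
        self.name, self.sso = name, sso

    def login(self, token: str) -> str:
        if self.name not in self.sso.solutions:
            raise PermissionError(f"{self.name} is not registered with SSO")
        return self.sso.validate_token(token)["sub"]


def run_flow() -> dict:
    """Walk the slide-6 flow with constructed data; return each outcome by name."""
    now = [1_000_000.0]                                   # controllable clock
    sso = SsoServer(b"constructed-signing-key", token_ttl=300, clock=lambda: now[0])
    sso.add_identity_source("corp.local", {"alice": "Winter2013!"})    # AD (Domain 1)
    sso.add_identity_source("system-domain", {"admin": "master-pw"})   # embedded SSO users
    for name in ("vCenter 1", "vCenter 2", "VCO", "vShield", "vCloud Director"):
        sso.register_solution(name)
    out = {}
    token = sso.issue_token("alice@corp.local", "Winter2013!")          # steps 1-4
    out["vcenter1"] = Solution("vCenter 1", sso).login(token)            # step 5
    out["vco"] = Solution("VCO", sso).login(token)                       # step 7
    try:
        sso.issue_token("alice@corp.local", "wrong")
    except PermissionError as e:
        out["bad_password"] = str(e)
    try:
        Solution("SRM", sso).login(token)                                # not in the registry
    except PermissionError as e:
        out["unregistered"] = str(e)
    body, sig = token.split(".")                                         # forge the subject claim
    forged = _b64(json.dumps({"exp": now[0] + 300, "sub": "admin@system-domain"}, sort_keys=True).encode())
    try:
        sso.validate_token(forged + "." + sig)
    except PermissionError as e:
        out["tampered"] = str(e)
    now[0] += 250                                   # still inside the 300 s TTL
    token = sso.extend_token(token)                 # solution requests a TTL extension
    now[0] += 250                                   # 500 s after issue: valid only because extended
    out["after_extend"] = Solution("vCenter 2", sso).login(token)
    now[0] += 100                                   # past the extended expiry
    try:
        sso.validate_token(token)
    except PermissionError as e:
        out["expired"] = str(e)
    return out


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(f"{key:14} {value}")
```

The order of checks in `validate_token` matters: the signature is verified before any claim is read, so a forged payload is rejected without its contents influencing the decision, and the expiry is enforced on the STS clock rather than a value the client supplies.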
9.
vCenter Single Sign-On 5.1 Configurations
Basic vCenter Single Sign-On
Most common deployment option (VMware recommended)
This is a single standalone instance of the SSO server that supports the connectivity of Active Directory, OpenLDAP, Local Operating System and SSO embedded users and groups
This typically would be local to the vCenter Server
Used by the vCenter Server Simple Install option
Preinstalled with the vCenter Server Appliance
[Diagram: vCenter Server Host or VM running vCenter Server, Web Client, Inventory Svc and SSO Server (Basic), backed by a VC Database and an SSO Database]
10.
vCenter Single Sign-On 5.1 Configurations
Primary vCenter Single Sign-On
Used for advanced configurations
• vCenter SSO High Availability (SSO HA)
• Local Copy at Remote Sites (Multisite)
Installable version of SSO (Windows Only)
Selected with the Individual Installer
Supports the connectivity of
• Active Directory
• OpenLDAP
• SSO embedded users and groups
Does not support the use of local operating system user accounts
Only one Primary node can exist in a single SSO environment
[Diagram: vCenter Server Host or VM running vCenter Server, Web Client, Inventory Svc and SSO Server (Primary), backed by a Database]
11.
vCenter Single Sign-On 5.1 Configurations
vCenter Single Sign-On HA Backup (SSO HA)
Provides failover of vCenter SSO server
Centralized vCenter SSO server for multiple local vCenter Servers
Select with the Individual Installer
Third Party Load Balancer + configuration + Support
Complex to setup
• Update SSL certificates
• Repointing of vCenter components
No Protection of Shared Database
Limited Functionality when failed over
• Administration lost
• No service restarts
Availability – Same as vCenter Server
• vSphere HA, vCenter Heartbeat
[Diagram: vCenter Server 1 and vCenter Server 2 (each with vCenter Server, Web Client, Inventory Svc) connect through a Load Balancer to SSO Server (Primary) and SSO Server (HA Backup) on separate hosts or VMs, both using a Shared Database]
12.
vCenter Single Sign-On 5.1 Configurations
vCenter Single Sign-On MultiSite
Local Authentication
• Removes additional risk (WAN)
• Maintains same SSO security domain
Required for Linked Mode
Selected with the Individual Installer
Does not provide site redundancy
Manual Steps required to maintain synchronization of SSO users/groups/policies etc
1. Install Primary SSO in NY
2. Install IS, VC in NY
3. Install Multisite SSO in LA
4. Replicate SSO from NY to LA
5. Install IS, VC in LA
6. Replicate SSO in LA to NY
7. Repeat steps 3-6 for each site
[Diagram: New York with Primary SSO Server, Web Client, Inventory Svc and vCenter Server; Los Angeles and Miami each with Multi Site SSO Server, Web Client, Inventory Svc and vCenter Server; local databases at each site]
13.
vCenter Single Sign-On Database
1. vCenter Single Sign-On
• Hard naming requirements (RSA)
• Schema Scripts provided on ISO
• SQL Authentication required
• JDBC connection
Supported Databases
• Oracle
  • Oracle 10g (rel2) / Oracle 11g (rel1-rel2)
• Microsoft SQL Server
  • SQL Server 2005 (SP4) / 2008 (SP1-SP3) / 2008 R2 (SP1-SP2) / SQL Server 2012
• Embedded vPostgres (vCenter Appliance only)
16.
Single vCenter Server Design Recommendation
Use Simple Installer
Installs / Upgrades core components with a single virtual machine
1. vCenter Single Sign-On
2. vCenter Inventory Service
3. vCenter Server
4. Additional install: vSphere Web Client
No change to architecture
All services are local
Supports 1-1000 Hosts / 1-10,000 Virtual Machines
Distributed model adds unnecessary complexity and recovery challenges
[Diagram: vCenter Server Host or VM running vCenter Server, Basic SSO Server, Web Client and Inventory Svc, backed by a VC Database and an SSO Database]
17.
Multiple Remote vCenter Server Design Recommendations
Multiple single vCenter Server design
• Each site is independent
• No single pane of glass view
Linked Mode
• Maintains single pane of glass
• Replicates Licenses, permissions and roles
Availability
• vSphere HA
• vCenter Heartbeat
[Diagram: two layouts across New York, Los Angeles and Miami. Linked Mode: Primary SSO Server in New York and Multi Site SSO Servers in Los Angeles and Miami, each site with Web Client, Inventory Svc, vCenter Server and local databases. Independent sites: each site with its own Basic SSO Server, Web Client, Inventory Svc and vCenter Server]
18.
Multiple Local vCenter Server Design Recommendations
Centralized SSO authentication
• Same Physical location
• Metropolitan / College Campus
Single Centralized vSphere Web Client
Availability (Required)
• vSphere HA
• vCenter Heartbeat
Simple with full functionality
[Diagram: one Basic SSO Server with Web Client and Local SSO Database serving three vCenter Server instances (each with vCenter Server and Inventory Svc); a Database Server hosts VCDB1, VCDB2, VCDB3]
20.
Common Issues – Login Problems / Failures
Login problems are the primary problem we see with SSO
Fall into several basic categories
• Login fails with an STS error:
  • Common Causes / troubleshooting:
    • vCenter SSO Service is not accessible – check networking
    • vCenter SSO Service is down – check services configuration
    • If the service cannot start:
      • Commonly it is database related – Check SQL connectivity and availability
      • Validate that passwords have not expired or changed
      • Check imsTrace.log for related errors
21.
Common Issues – Login Problems / Failures (2)
• Login fails with credentials not valid error
  • Common Causes
    • Incorrect username or password specified
    • Incorrect qualifying domain (@system-domain in this case) specified
    • Password has expired – reset the password on the account.
    • Account disabled or locked
  • If none of these are working, check imsTrace.log to validate the error message for the login
22.
Common Issues – Login Problems / Failures (3)
• Login fails for admin@system-domain
  • Similar to regular account failures.
  • Use the following KB to reset or unlock the account:
    Unlocking and resetting the vCenter Single Sign On (SSO) administrator password: http://kb.vmware.com/kb/2034608
  • Example command line usage from the KB:
  • Always requires the master password. If lost, a reinstall is required.
  • To change the master password the following command can be used:
23.
Best Practices for Login Problems / Failures
Ensure that the SSO service is started and that other teams announce any maintenance that is occurring
• Most problems that GSS sees here are related to the service being inaccessible
• This includes the database and, more importantly, networking
Always make sure that the admin@system-domain master password is recorded
• This is the password which is set during the initial installation
• As long as you have the master password, there is a way to get into the system
• Think of this password as one which is similar to an Active Directory recovery password
24.
Common Issues – Domain trusts
5.1 GA, A, B – No domain trusts function.
• Many domain topologies exist
VMware Development working to ensure that all trusts are available and function with SSO
Cause:
• SSO 5.1.x uses LDAP binds rather than native Windows API calls
25.
Common issues - Permissions
As long as authentication is successful, permissions can cause unexpected problems after login completes
SSO administrator is admin@system-domain
vCenter administrator is whatever is specified in the installer
• By default this will be the administrators group on the vCenter server
If you don’t have permissions you may see:
26.
Common issues – Permissions (2)
Cause for this is that roles are by default separated
vCenter log (vpxd.log) will show a vim.fault.NoPermission error
Login with the appropriate administrator account and add permissions if desired
27.
Best Practices – Permissions
Configure a domain group for access by default rather than a user
• This will ensure that many users have access rather than a single user
• Allows for other users to still login if an account is locked out inadvertently
Be sure to note down the group that was configured as the administrator access to vCenter during installation
• With the vCenter linux appliance root has access by default
Add additional SSO administrators other than admin@system-domain
• By adding separate users, if an account expires you can unlock the account by logging in with another user account
28.
Best Practice - Local OS Accounts
Recommendation: Move the use of local OS accounts in vCenter to SSO identity sources or embedded SSO user accounts
Benefit: Depending on the architecture deployed, the use of local OS accounts will more than likely be unavailable to vCenter server
Tip: Set up a local SSO group, add AD/SSO users and/or groups, and apply vCenter permissions to the SSO group
29.
Common Issues - Certificates
Certificates are used for security for SSO
• All VMware components use certificates for communication
• If a certificate is invalid or expired, SSO will reject communication
• All services which are registered into SSO need a valid certificate
Installs to vCenter 5.1 will fail if the certificate is invalid when upgrading
• The following certificates need to be VALID to successfully upgrade to 5.1
  • SSO
  • Inventory Service
  • vCenter
• More information on this in KB: Upgrading to vCenter Server 5.1 fails with the error: Certificate already expired (2035413)
30.
Common Issues – Certificates (2)
Replacing the certificates is difficult due to the number of steps
VMware engineering recognized the difficulty introduced and released the SSL Certificate Automation Tool
• Automates the installation and configuration of new certificates
• KB to the tool: Deploying and using the SSL Certificate Automation Tool (2041600)
Not a certificate authority
• Will generate the certificate requests and install the resulting certificates
• Will not generate the certificate; the admin still has to get this from the CA
31.
Create SSO Database
Recommendation: Create the SSO database prior to installation
Benefit: You will be asked to connect to the database during the SSO install; otherwise you will not be able to continue
Tip: Use the scripts provided on the vCenter ISO; make sure you edit them with the database location and user account passwords before executing
32.
Configure SSO Before Upgrading vCenter Server
Recommendation: When upgrading, install SSO then the web client before other components
Benefit: This will allow you to preconfigure the identity sources prior to the vCenter upgrade and eliminate any login risks post install
Tip: Add a domain user as an SSO admin, then log out and in as that user to confirm the configuration before proceeding
33.
vCenter Server – Availability
Recommendation: Protect the vCenter Suite, not individual components
Benefit: If high availability is desired, use a solution that protects all components to maintain dependencies
Tip: vSphere HA and vCenter Heartbeat can protect all components, whether distributed or local, with the same license. vDP 5.5 also restores without vCenter and can also be used
34. 34
vSphere Deployment Best Practices – vCenter Server 5.1
What is vCenter Single Sign-On
vCenter Single Sign-On 5.1
• Architecture
• Deployment Configurations
• Database
• 5.1 Architectural References
• Single vCenter Server
• Multiple vCenter Servers (Local)
• Multiple vCenter Servers (Remote)
Deployment Best Practices and Recommendations
• Deployment / Installation / Upgrading / Availability
Challenges / Lesson Learned with Single Sign-On 5.1
vCenter Single Sign-On 5.5 (NEW)
• What's New with vCenter Single Sign-On 5.5
• Deployment Configurations
35. 35
Challenges with vCenter Single Sign-On 5.1
Active Directory Integration
• Does not work effectively in multi-forest / trusted domain environments
• Does not scale in environments with 15K or greater users
• Administration is limited
Certificates
• SSL communications challenging
• Difficult to change / update
Installation
• Database requirements / security concerns
• Many installable configurations
• Difficult to change / reconfigure post install
• Complex
Diagnostics
• Troubleshooting tools – non-existent
36. 36
37. 37
What's New with vCenter Single Sign-On 5.5 (in short)
Improved architecture
• Multi-master
• Built-in replication
• Site awareness
• Multi-tenant
Database
• There is no Database!
Installation
• One simplified deployment model
• Select vCenter Single Sign-On for the first or an additional vCenter Server
Diagnostics
• Full suite of diagnostic / Troubleshooting tools
[Diagram: three vCenter Server instances, each with its own Web Client and Inventory Service, spread across SSO Site 1 and SSO Site 2 of a single vCenter Single Sign-On 5.5 deployment]
38. 38
vCenter Single Sign-On 5.5 - Installation
Prerequisites
• Hostname has an FQDN and is DNS resolvable (forward/reverse)
• Joined to an Active Directory domain (if integrating with Active Directory)
• Windows 2008 x64 SP2 or higher (or use the vCenter Appliance)
39. 39
vCenter Single Sign-On 5.5 - Installation
Simple Installer
• Single vCenter Server environments
Individual installers
• Multiple vCenter Servers and / or advanced configurations
Installer Steps
1. Accept License agreement (EULA)
2. Prerequisite check summary
3. Edit default port number 7444 (if necessary)
4. Select Deployment placement
5. Provide Administrator@vsphere.local password
6. Provide a site name or select a previous site name
7. Edit destination directory (if necessary)
8. Summary
9. Installation Complete
Upgrading? The admin@system-domain account becomes an alias of administrator@vsphere.local
40. 40
Supports Upgrade of all vCenter 5.1 configurations
Previous vCenter Single Sign-On 5.1 deployment models
• Fully Maintained via Upgrade
• Basic
• Single Sign-On High Availability
• Single Sign-On Multisite
New recommendations with vSphere 5.5
• Take advantage of new technology
• Single virtual machine for all vCenter components**
• Distributed virtual machines add complexity
• Availability / Backup & Restore
• Management
• Easily migrate to new recommendations during upgrade
** Enterprise customers with 6 or more local vCenter servers can use a centralized instance
41. 41
Types of Identity Sources
What is an identity source?
An external domain or repository of users and groups
Identity Sources supported with 5.5
1. Native Active Directory (Recommended)
• Uses Kerberos via the machine account or an SPN (when behind a load balancer)
2. Active Directory as an LDAP server
• Provided for backward compatibility with 5.1
• Not likely to be supported post 5.5
• Same limitations as in 5.1
3. OpenLDAP
4. Local Operating System
5. Single Sign-On
Configuring your VC Server
When you configure your VC Server, make sure to set the VC Administrator as administrator@vsphere.local. DO NOT SET the VC Administrator to be a Local OS account.
42. 42
Diagnostics
vCenter Single Sign-On 5.5 Diagnostic Tools
Perform all administration and reconfiguration from the MMC snap-in
• The vCenter Single Sign-On services need to be running
KB available to troubleshoot startup issues
Separate download
• So it can be updated independently and gain new features
43. 43
Replication
Built-in replication
• Between each Single Sign-On server deployed in the same vSphere authentication domain
Replication Partners
• Review / Add / Remove / Edit
Geographically Separated Single Sign-On sites
• Reduce overhead
• Provide Redundancy Links
44. 44
Backup / Restore / Availability
Backup / Restore
• Virtual Machine**
• Snapshot
• Tape / Disk
• vDP (now supports host level restore)
• Application (KB with GA)
• Registry Keys
• SSL Certificates (tcserver)
• Certificate server
• KDC
• VMDir (vdcbackup)
Availability of vCenter Single Sign-On server
• No different from vCenter
• Why? vCenter is the primary resident of the Single Sign-On server
• vSphere HA, vCenter Heartbeat
**Additional step required when multiple SSO instances are configured
45. 45
The log files provided by Single Sign On include:
vminst.log: Single Sign On installer log
vim-sso-msi.log: MSI installer verbose log for the Single Sign On installation
vim_ssoreg.log: Single Sign On Lookup Service log
exported_sso.properties: Endpoint information about each of the Single Sign On solution users and identity sources, extracted from the previous vCenter Single Sign On 5.1.0 instance
vim-openssl-msi.log: MSI installer verbose log for the OpenSSL installation
vim-python-msi.log: MSI installer verbose log for the Python installation
vim-kfw-msi.log: MSI installer verbose log for the MIT Kerberos installation
Single Sign On logs are grouped by component and purpose:
vmdird\vdcpromo.log: Promotion and demotion operation information for the Single Sign On instance when joined to or removed from a linked configuration
vmdird\vdcsetupIdu.log: VMware Directory Service setup post-installation log containing information about the localhost name
vmdird\vmdir.log: Health reports for the VMware Directory Service and the Lotus VMDir database
vmkdcd\vmkdcd.log: Key Distribution Center (KDC) run-time log; reports port conflicts preventing the service from starting
vmware-sso\vmware-sts-idmd.log: VMware Identity Management service run-time log; time-stamped records of user attempts to access Single Sign On for administrative purposes
vmware-sso\vmware-sts-idmd-perf.log: VMware Identity Management service performance counter log
vmware-sso\VMwareIdentityMgmtService.<date>.log: Commons Daemon log once the Identity Management Service has started
46. 46
Additional Information
Deprecated Functionality
• NIS Identity Source
• More than one default domain per Identity Provider
• SMTP configuration and notification for password expiration by mail
TCP Ports Used by SSO
• 2012 - Control interface RPC for VMDirectory
• 88, 2013 - Control interface RPC for Kerberos
• 2014 - RPC port for all VMCA APIs
• 7444 - vCenter Single Sign On - HTTPS
• 11711 - vCenter Single Sign On - LDAP
• 11712 - vCenter Single Sign On - LDAPS
• 12721 - VMware Identity Mgmt Service
47. 47
Single vCenter Server 5.5 Design Recommendation
[Diagram: a single vCenter Server host or VM running vCenter Server, SSO Server, Web Client and Inventory Service, with the VC Database alongside]
Use the Simple Installer
Installs / upgrades the core components on a single virtual machine:
1. vCenter Single Sign-On
2. vSphere Web Client
3. vCenter Inventory Service
4. vCenter Server
No change to architecture
All services are local
Supports 1-1000 hosts / 1-10,000 virtual machines
48. 48
Multiple vCenter Server 5.5 (Remote) Design Recommendation
By default
• Each site is independent
• Does not provide a single pane of glass view
SSO automated replication
• SSO users & groups
• SSO policies
• Identity sources
• Site awareness
Linked Mode
• Maintains a single pane of glass
• Replicates licenses, permissions and roles
Availability
• vSphere HA
• vCenter Heartbeat
[Diagram: vCenter Servers in New York, Miami and Los Angeles, each with its own Web Client, Inventory Service and SSO Server (vsphere.local), forming SSO Site 1, SSO Site 2 and SSO Site 3 within a single SSO authentication domain]
49. 49
Multiple vCenter Server 5.5 (Local) Design Recommendations
A datacenter with 6 or more vCenter Servers
Centralized SSO authentication
• Same physical location
Single centralized vSphere Web Client
Availability (required)
• vSphere HA
• vCenter Heartbeat
• Network load balancer
[Diagram: vCenter Server 1 (vCenter Server 5.1 with Inventory Service), vCenter Server 2 and vCenter Server 3 (vCenter Server 5.5 with Inventory Service) sharing a centralized SSO Server and Web Client, with a Database Server hosting VCDB1, VCDB2 and VCDB3]
Backwards compatible to vCenter Server 5.1