Microsoft released System Center Virtual Machine Manager 2012 SP1 in January 2013 with added support for managing VMware vSphere 5.1 systems. In System Center Virtual Machine Manager 2012 SP1, secure communications to VMware systems were updated, and hence differ from VMM 2008 R2. This article describes the new secure communications model and the process required to connect VMware systems to System Center Virtual Machine Manager 2012 SP1.
System Center Virtual Machine Manager 2012 SP1 expands support for VMware systems to vCenter 5.1 and ESXi 5.1. This is in addition to the already existing vCenter 4.1 and ESXi 4.1 support. In this new version, Microsoft retains the requirement for System Center Virtual Machine Manager to interface through a VMware vCenter server.
Secure Communication Updates from VMM 2008 R2
VMM 2008 R2 required communication through a vCenter server for creation and configuration actions. File transfers between VMM library servers and VMware hosts were performed using the Secure File Transfer Protocol (SFTP). Leveraging SFTP required enabling Secure Shell (SSH) access between the VMM library server and the VMware hosts.
System Center Virtual Machine Manager 2012 SP1 still requires communication through a VMware vCenter server for creation and configuration actions. However, it also requires the VMware host root account to be used for communication between VMM library servers and VMware hosts for file transfers. In this version, HTTPS is used as the file transfer protocol.
Managing VMware Systems with System Center Virtual Machine Manager 2012 SP1
System Center Virtual Machine Manager 2012 SP1 supports the following versions of VMware vCenter, VMware ESX, and VMware ESXi products.
System Center Virtual Machine Manager
VMware ESX and ESXi
VMware vCenter 4.1
ESX 3.5 and 4.1
ESXi 3.5 and 4.1
VMM 2012 SP1
VMware vCenter 4.1 and 5.1
ESXi 4.1 and 5.1
It is also important to note that System Center Virtual Machine Manager 2012 SP1 only installs on Windows Server 2012. Therefore, migrating from a System Center Virtual Machine Manager 2012 installation running on Windows Server 2008 R2 requires an upgrade to Windows Server 2012 prior to the update to System Center Virtual Machine Manager 2012 SP1.
System Center Virtual Machine Manager 2012 SP1 leverages a VMware vCenter server for communication to VMware hosts or host cluster infrastructure. As part of the installation process, a Secure Socket Layer (SSL) certificate is required. The SSL certificate can be a self-signed certificate from the VMware vCenter server, a certificate from a trusted Microsoft PKI infrastructure, or a trusted third party certificate provider. The SSL certificate has to be preloaded on the VMM management server or it will be requested during the installation process. In addition to the SSL certificate, the account that adds the VMware vCenter server to System Center Virtual Machine Manager 2012 SP1 must have administrative rights on the VMware vCenter server.
In addition to these requirements, System Center Virtual Machine Manager 2012 SP1 uses the root account credentials on the VMware hosts to accomplish file transfers between VMM library servers and VMware hosts. As part of this requirement, the VMware host root credentials must be stored in a Run As account in System Center Virtual Machine Manager 2012 SP1. The credentials entered for a Run As account are encrypted and stored in the System Center Virtual Machine Manager 2012 SP1 database for reuse when communication is required.
Leveraging a Run As account provides a better security model because the administrator adding VMware hosts to System Center Virtual Machine Manager 2012 SP1 does not need to know the root account credentials once they are stored in the Run As account. For every different root account password used on a VMware host, a unique Run As account must be created and maintained.
After the root account is used to establish the connection to the VMware host, a certificate thumbprint must be accepted and used to secure HTTPS sessions. A certificate is generated by a VMware host and imported into System Center Virtual Machine Manager 2012 SP1 for each host.
Adding VMware Systems to System Center Virtual Machine Manager 2012 SP1
Creating a Run As Account
In order to add a VMware vCenter server or VMware host to System Center Virtual Machine Manager 2012 SP1, it must leverage a Run As account for the credentials. Follow the steps in this section to create a Run As account before adding the VMware host to System Center Virtual Machine Manager 2012 SP1.
- From the VMM Administrative console, open the Settings workspace.
- On the ribbon bar, select Create Run As Account.
- Enter a name and optional description to identify the Run As account credentials.
- Enter a User name and Password information. The credentials can be a valid Active Directory or local machine user account. Unselect Validate domain credentials if using a local user account.
- Click OK to create the Run As account.
Adding a VMware vCenter Server to System Center Virtual Machine Manager 2012 SP1
Follow these steps to add an existing VMware vCenter server to System Center Virtual Machine Manager 2012 SP1:
- Launch the VMM Console.
- Select the Fabric workspace.
- In the Fabric pane, expand the Servers node, and then select the vCenter Servers node.
- There are two choices to add a VMware vCenter server:
- Right-click the vCenter Servers node and select Add VMware vCenter Server.
- In the ribbon bar, select Add Resources, and then select VMware vCenter Server.
- In the Add VMware vCenter Server Wizard, the following items are required:
- In the Computer name box, enter the fully qualified domain name (FQDN), NetBIOS name, or IP address of the vCenter Server.
- In the TCP/IP port box, enter the port to use to connect to the VMware vCenter Server. By default, TCP/IP port 443 is used to connect to the server through SSL.
- By the Run As account box, click Browse, then click the Run As account that has administrative access to the VMware vCenter Server, and then click OK.
- Select or clear the Communicate with VMware ESX hosts in secure mode check box depending on your specific security requirements.
- When complete, click OK.
- Unless the self-signed certificate is manually copied into the Trusted People certificate store on the VMM management server, the Import Certificate dialog box appears.
- In the Import Certificate dialog box, review the VMware certificate information, and then click Import to add the certificate to the Trusted People certificate store.
- Verify that the job completes.
10. In the Fabric workspace, expand Servers and then click vCenter Servers to verify that the vCenter server that was just added is displayed and that the status is Responding.
Adding a VMware Host to System Center Virtual Machine Manager 2012 SP1
After the VMware vCenter server is added to System Center Virtual Machine Manager 2012 SP1, VMware hosts and host clusters must also be added to be managed. Follow these steps to add VMware hosts and clusters to System Center Virtual Machine Manager 2012 SP1:
- From the VMM Administrative console, select the Fabric workspace
- On the ribbon bar, click the Add Resources button, then select VMware ESX Hosts and Clusters.
- In the Add Resource Wizard, on the Credentials page, click Browse, then click the Run As account that has root credentials on the hosts that you want to add, then click OK, and then click Next.
- On the Target resources page, select the VMware vCenter Server that manages the VMware hosts to add.
If the hosts are clustered, the cluster name is listed with the cluster nodes.
- In the Computer Name column, select the check box next to each VMware host or host cluster that you want to add, and then click Next.
- On the Host settings page, click the host group to which the VMware hosts should be assigned, and then click Next.
- On the Summary page, confirm the settings, and then click Finish.
- Verify that the job has a status of Completed, and then close the dialog box.
At this point, VMware hosts are added to VMM, but the configuration to allow VMM library servers to VMware host communication is not complete. If you look at the status of the VMware hosts in the Servers – All Hosts view, you will see a status of OK (Limited). This means that the VMM management server can communicate to the VMware vCenter server and send commands, but that it cannot communicate directly to a VMware host. Follow these steps to allow VMware hosts to communicate with VMM:
- Right-click a VMware host that has a status of OK (Limited), and then click Properties.
- In the Host Name Properties dialog box, click the Management tab.
- The Run As account that you specified during the host add process should be listed in the Credential box. In order to retrieve the certificate and public key for the host, click Retrieve.
- Select the Accept the certificate for this host check box, and then click OK.
- In the Hosts pane, verify that the host status is OK.
These steps must be repeated for each host that has a status of Ok (Limited).
Security Management issues
If you have a large number of VMware hosts, then the setup will take a little while to accomplish, but it is a one-time configuration. If you are using a common password for the root account across the VMware hosts, then you only need to create a single Run As account for the VMware host root account. If you do not use the same password across each VMware host, then you are required to create a separate Run As account for each host.
Run As Password Management Automation
If you follow best practices and change the root account password for VMware hosts on a regular basis, then you must also synchronize the change of the password to the Run As account. One way to do automate this process is to use PowerShell cmdlets. The SET-SCRun AsAccount cmdlet allows you to change the credentials of an existing Run As account.
$Run AsAccount = Get-SCRun AsAccount -Name "ESXRun AsAccount"
$RAPassword = ConvertTo-SecureString -AsPlainText “ESXrootpassword” -Force
$cred = New-Object – typename System.Management.Automation.PSCredential –argumentlist “root”,$RAPassword
Set-SCRun AsAccount -Run AsAccount $Run AsAccount -Credential $cred
In this article, you learned about the change in communication and security requirements for the integration of System Center Virtual Machine Manager 2012 SP1 with VMware systems, and walked through the process of adding both VMware vCenter servers and VMware hosts to be managed by System Center Virtual Machine Manager 2012 SP1. While the process is simple, it is important to understand the impact to the number of Run As accounts that you may need to create and manage, especially in terms of account password changes and synchronization.