Tag Archives: vmware

Using a Specific Security Protocol in PowervRA

A few months ago we had an issue logged in PowervRA where it was not possible to make a connection to the vRA appliance after it had been locked down following the VMware hardening guide. Specifically this was because SSLv3/TLSv1 (weak ciphers) had been disabled.

By default, Windows PowerShell 5.1 has the following Security Protocols available, Ssl3 and Tls – hence the above failure.

It’s possible to workaround this by adding in the security protocol required, in this case TLS 1.2

Note, however, that this change is for the PowerShell session itself, which may or may not be desired behaviour.

PowerShell Core adds in a new parameter SslProtocol to both of the web cmdlets, Invoke-WebRequest and Invoke-RestMethod. Consequently, this improvement means that you can specify a security protocol per request, not per PowerShell session. For example you could do something like this for Tls 1.2:

In PowervRA 3.0.0 we’ve updated Connect-vRAServer to support this functionality, also with a SslProtocol parameter:

If you’re on Windows PowerShell we’ll add to the available security protocols in the PowerShell session (and remove it afterwards when you use Disconnect-vRAServer). If you’re using PowerShell Core we’ll use the SslProtocol parameter of Invoke-RestMethod so that the requested protocol is used per request.

The $vRAConnection variable has been updated with the SslProtocol property to show you whether your connection is using the default protocol or a specified one:

Final note: this was a breaking change for us, since we require Windows PowerShell 5.1 and PowerShell Core 6 release candidate to easily implement the above functionality. So make sure you are on either of those versions before trying PowervRA 3.0.0.

Accessing Content from Variables of Type Any in the vRO Client

One of my colleagues showed me how to do this, so I thought it worth sharing since it has bugged me ever since I started using vRO.

If you have run a vRO workflow and are looking at the output, specifically the Variables tab:

you can then view what values each variable was at the time of workflow completion. If the value is a string or something else simple you will get a nice view of it. However, if it is say a collection of properties you will see something similar to the below and typically you will not be able to scroll across to view them all.

What I have typically done until now is add a Scriptable Task as the next step in the workflow and log all of the properties out. However, she demonstrated to me that it is possible to copy them and then paste into a text editor.

Step:

  1. Bring up the above view by clicking on the ‘i’, next to the magnifying glass
  2. Click once on the white section – in this example the word ‘Properties’
  3. Ctrl-A
  4. Ctrl-C

Even though there is no visual indication that everything was highlighted to be made available for copy, like in say a text editor, it has actually done it. The below is the copied output from the above:

Properties##[#sections#=#Properties##[#section#=#Properties##[#generationNumber#=#number#1.511870334212E12#+#name#=#string#TEST01#+#rule#=#Properties##[#appliedToList#=#Properties##[#appliedTo#=#Properties##[#isValid#=#boolean#true#+#name#=#string#TEST02#+#type#=#string#SecurityGroup#+#value#=#string#securitygroup-530#]##]##+#packetType#=#string#any#+#_disabled#=#boolean#false#+#_logged#=#boolean#false#+#destinations#=#Properties##[#destination#=#Properties##[#isValid#=#boolean#true#+#name#=#string#TEST01#+#type#=#string#SecurityGroup#+#value#=#string#securitygroup-101#]##+#_excluded#=#boolean#false#]##+#name#=#string#Test01#+#action#=#string#allow#+#id#=#number#2758.0#+#sectionId#=#number#1252.0#+#services#=#Properties##[#service#=#Properties##[#destinationPort#=#number#3453.0#+#protocol#=#number#6.0#+#protocolName#=#string#TCP#+#isValid#=#boolean#true#]##]##+#direction#=#string#inout#]##+#_class#=#string#section#+#_id#=#number#1252.0#+#type#=#string#LAYER3#+#_timestamp#=#number#1.51134543303912E12#]##]##]#

OK, it is not that easy to read, but it is pretty handy if you just want to quickly grab it and search for something in the list of Properties.

Modifying Icons in vRA with PowerShell

There have recently been a number of blog posts around modifying the All Services icon in vRA, and how to change it programmatically:

We had a new feature request open in PowervRA for a while to do the same thing, so I figured it would be a good time to go and add it, so that the same change to the icon could be done from PowerShell. We decided to take a slightly more generic approach than just the All Services icon and make it possible to upload any icon and use it to modify any service or other element within vRA that supports modifying the icon via the API.

So in release 2.1 of PowervRA you will find some new functions for working with icons:

Modify the All Services Icon

Note: Modifying the All Services icon will affect all vRA tenants and requires admin permission to the default tenant. Ensure you are comfortable with this before going ahead!

The icon for All Services is known within vRA as cafe_default_icon_genericAllServices. You can find out more about it with Get-vRAIcon:

To update it, use Import-vRAIcon. The API documentation lets us know that it will either create a new icon or overwrite an existing one. Since the All Services icon already exists, it will be overwritten when you import a new one:

You can also set it back to the original brick icon with Remove-vRAIcon, since the API description states that for deleting an icon which is one of the default system icons, it will be reverted to its default state:

Modify a Custom Service

Note: for this piece you will need admin permissions in the Tenant the Service belongs to

Modifying the icon for your own created service is very straightforward process: import a new icon to the Catalog Service and then update the existing service with the new icon. In this example we’ll modify the icon for Service02:

We can find the name of the currently used icon with Get-vRAService and see that the default icon name is cafe_default_icon_genericService:

To change it, do the following:

Modify a Catalog Item

Note: for this piece you will need admin permissions in the Tenant the Catalog Item belongs to

As mentioned, we’re not just restricted to modifying Service icons, other icons can be changed too. For example we can update the icon of a Catalog Item. Again upload an icon first, then update the Catalog Item with it:

We can find the name of the currently used icon with Get-vRACatalogItem and see that the  icon name is vcoIcon_256x256.png:

To update, use the following:

Issues with Mounting a CIFS Share on the vRO Appliance

This article on the vCOTeam site details how to mount a CIFS share on the vRO Appliance so that workflows can write files directly to a Windows File Share rather than using another process to copy the file over there.

This was straightforward to implement in a lab scenario, however within a corporate environment with more restrictions around security and networking it can potentially be more of a challenge. Specifically we encountered the following error response from a Windows Server seemingly configured correctly for Share and NTFS permssions on the folder to mount:

Status code returned 0xc0000022 NT_STATUS_ACCESS_DENIED
CIFS VFS: Send error in SessSetup = -13
CIFS VFS: cifs_mount failed w/return code = -13

This post on a Centos forum helped us track down the problem, i.e. there was at least one Group Policy restricting the use of NTLM.

“It turned out in my case to be a Group policy which was set to Send NTLMv2 responses only. Refuse LM and NTLM. I changed this to Send LM & NTLM -use NTLMv2 session security if negotiated.

Located at: Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options. The policy is called: Network Security: Lan Manager authentication level.”

In our case there were also other NTLM policies that needed to be considered, so worth checking any of these:

Also worth checking the policy: Microsoft network server: Digitally sign communications (always):

It is also possible to use different security settings within the /etc/fstab file on the vRO appliance, eventually we settled on sec=ntlmssp, however I believe the following are also possibilities: sec=ntlm, sec=ntlmv2, sec=ker5 and sec=ker5i

You may also want to consider using a credentials file rather than the username=xxx,password=xxxx in the /etc/fstab file if you want to get this past your security person 😉

PowervRA – Now available on OS X and Linux via PowerShell Core!

Back Story

For a while Craig and I have had a number of requests regarding offering OS X and Linux support to PowervRA, particularly since in case you weren’t aware PowerShell is now available on those OSs and 3rd party modules such as PowerCLI are heading towards supporting that. We first looked at offering this support for PowervRA when the first Alpha release of PowerShell Core was shipped, however we were blocked by a couple of issues, particularly this one regarding certificate checking.

However, back in December I read about how the guys who maintain PowerNSX had been able to offer PowerShell Core support and they had also been blocked by that same issue which has now been resolved. So we updated to PowerShell Core Alpha 14 and started testing again – it seemed that another blocking issue around JSON responses had also been resolved, so things were looking good.

As it turned out, there weren’t a significantly large amount of changes which actually needed to be made on our side – some changes to the Connect-vRAServer and Invoke-vRARestMethod functions to do different things depending on whether PowerShell Core is being used. The scale of community feedback to the alpha releases of PowerShell Core and the efforts of the PowerShell team at Microsoft look like they have had a great impact and covered off a lot of the issues we might have had and the feedback has been quickly taken into subsequent alpha releases.

We benefited from the fact that we have previously invested quality time in producing integration tests for PowervRA, consequently we were able to run the same tests using a PowerShell Core client and only ended up with a couple of bugs that we are currently unable to resolve (here and here) , but looks like at least one of them is scheduled to be fixed for us via a milestone of PowerShell Core beta.

So in release 2.0.0 of PowervRA we are very pleased to bring you support for PowerShell Core!

Requirements

You will need:

PowerShell Core Alpha 14 + ….instructions on getting it installed for different OS flavours can be found here.

PowervRA 2.0.0 + . Get a copy of PowervRA onto the Linux  or OS X machine you want to run it from. Use the following to download it  from the PowerShell Gallery:

or manually copy the module yourself to one of the locations listed in $env:PSModulePath, for example:

In Action

OS X

Here’s PowervRA on my Macbook:

Connect to vRA

Retrieve Blueprint Details

Update a Reservation Policy

Ubuntu 16.04

Here’s PowervRA on Ubuntu 16.04:

Connect to vRA

Retrieve Business Group Details

Update a Network Profile

 

Docker

Craig has done some cool work to make PowervRA available via Docker. Check out his blog post for more details.

Also, many thanks to Alan Renouf for suggesting PowervRA now be made available hosted in the PowerCLI Core Docker Hub too.

Side Note

In PowervRA 2.0.0 we have also made some under the hood changes that it is worth being aware of (check the changelog for more details):

  • Module Restructure Part 1: we changed the functions from being their own individual nested modules in *.psm1 files to more simply being in *.ps1 files and made part of the module in a different way. This was a way I had historically put my modules together, but now have spent some time improving on it to a better way.
  • Module Restructure Part 2:  a number of functions had been marked in recent releases as deprecated, they have now been removed.
  • Module Restructure Part 3: we had previously started moving the functions into folders based on their API endpoint, this is now complete across all of the functions:

Issues

We believe we have covered off most issues with using PowervRA on PowerShell Core via our testing process, but if you do experience anything we have missed then please let us know here.

We are aware of one issue with running PowervRA on CentOS, which appears to be something not just relevant for us and should get fixed upstream in .Net Core.

Summary

We’re really pleased to be able to bring this support to PowervRA and much kudos to the PowerShell team and the wider community for making it both possible and relatively straightforward. We hope you find it useful given we know a significant part of our potentially user base are OS X users.

Also stay tuned because we are not stopping there. There is other planned new PowervRA functionality on the horizon ……

Using Pester and PowervRO as a Unit Test Framework for vRO

vRealize Orchestrator doesn’t have an in-built Unit Test Framework, however I realised that it might be possible to use a combination of Pester and PowervRO for now to achieve similar results. Let’s take a look at an example using a very simple workflow, Workflow1. Workflow1 has two inputs, a and b, both numbers:

unittest01

Workflow1 has a single scriptable task that takes the inputs a and b, multiples them together and stores the result in c, which is output from the workflow.

unittest02

We can write the following PowerShell based test using the Pester framework and PowervRO to test that the result of running Workflow1 with inputs of a and b, should be the value we supply for c. We make a connection to the vRO Server in question, invoke the workflow and then check the result:

We can supply variables to the test via a JSON file, so its simple to then take this test to other vRO servers, or change the values we are testing:

Now we can invoke the Pester tests and check the results:

unittest03

Obviously this process could be scaled out to many more workflows with different inputs and outputs.

 

Change the MIME Type of a vRO Resource Element

When a file is imported into vRO to be used as a Resource Element, a MIME type is automatically set depending on what has been imported. For instance, in the below example a shell script has been imported, the contents of which will be used as part of some vRO automation – notice the MIME type has been set to application/x-sh.

mimetype01

This doesn’t really cause a problem in itself when using the Resource Element in a workflow, however vRO doesn’t display the content of all MIME types when looking at the file in the Viewer tab and may display the message “cannot display this kind of element” instead – *.sh is one of those :

mimetype03

 

 

It is possible to change the MIME type of an existing Resource Element with the following code:

Drop that into a workflow and you can use it like this – supply inputs for which Resource Element and what MIME type to change it to. In this example we’ll use text/plain:

mimetype02

Upon successful completion of the workflow, the type should have changed:

mimetype04

and now the contents are viewable on the Viewer tab:

mimetype05

Create Blueprints in vRA7 with PowervRA

Update 29/09/2016:

The API documentation for importing a vRA Content Package contains a warning:

At this point, we don’t support any form of rollback strategies. A failed import may potentially leave the system in an inconsistent state. Hence, its highly recommend to run a precheck/dry-run before the import to validate the package. See HTTP POST /api/packages/validate for more details. This will help catch most of the errors upfront.

face-screaming-in-fearmonkey

Consequently, in release 1.3.1 we have added a new function Test-vRAContentPackage and included it by default in Import-vRAContentPackage. This should mitigate any issues with Importing a badly crafted Content Package, but you should of course test this before using in Production……

———————————————————————————————————————

A while back I wrote a post “Create Blueprints in vRA 7 via REST and via vRO” , with some details around automating vRA 7 Blueprint creation. Since that time Craig and I have published PowervRA, but in the initial releases I had some difficulty with providing the same functionality for PowerShell as I had in the previous post with REST and vRO.

However, thanks to some Ninja skills from Craig in our other project PowervRO, I was able to take the work we did over there around importing vRO Packages / Workflows etc via PowerShell and re-use it in PowervRA for a new function Import-vRAContentPackage, which is available in the latest release of PowervRA 1.3.0. Previous releases contained: New, Get, Remove and Export-vRAContentPackage, we just did not have the last piece of the puzzle: Import.

Example:

So here’s an example of how it works. In the previous article I showed how vRA Blueprints are bundled up into Content Packages and then exported to a zip file containing YAML files which each describe the Blueprints. We need to do the same when automating this process with PowerShell and PowervRA, so first of all we need to know the IDs of any Blueprints to add to the Content Package:

Now we create a Content Package containing the Id of the centos Blueprint that we wish to export:

and then export that Content Package to a zip file:

Take a look at the contents of the zip file and you will see that it contains a metadata.yaml file and a yaml file per Blueprint in a folder composite-blueprint:

powervra01

powervra02

Take a look at the contents of the centos.yaml file to see how a Blueprint is described:

Now we can either modify that file and import back into the same system if we want to change the existing Blueprint or we can take it further if we want to create more Blueprints. Let’s say we want to add a second, similar Blueprint. All we need to do is copy the existing centos.yaml file, make changes in it (I’ve just given larger CPU and memory values), then update the metadata.yaml file to reference the extra file. So they would end up like this:

centosb.yaml:

metadata.yaml:

Now create a new zip file containing the updated metadata.yaml file and the two blueprint yaml files:

powervra04

We can then import that zip file into a vRA Tenant. I’m going to use the Tenant that currently contains no Blueprints:

powervra03

Import the content package:

and we have two Blueprints 🙂

powervra05

centosb has those higher resource settings of 2CPUs and 2048MB memory which we changed in the yaml file:

powervra06

Exporting and Importing vRO Packages with PowervRO

One thing that I know colleagues and others are keen to automate with PowerShell and vRO is exporting and importing vRO packages. If you’re not familiar with a vRO package it is typically used to bundle up all of the Workflows / Actions / Configuration Elements / Resource Elements which make up the code for a particular project and use the package to transport the code to another system. So you may for instance wish to export a package and copy it to another vRO server or maybe into a version control system, or you may wish to automate the deployment of vRO itself and include importing the code as a final step.

PowervRO includes two functions to assist with this and potentially make use of for your automation of Packages, Export-vROPackage and Import-vROPackage.

To export a package we only need to supply the name of the vRO package and the file path to export it to:

 

powervro21

To import the package into another vRO system, transfer the file to the other system and run the following:

Before:

powervro22

powervro23

After:

powervro24

powervro25

 

Check the help for both functions for additional parameters covering fine tuning options that you might need as part of the export or import.

Export vRO Workflow Schema Images with PowervRO

Aside from any documentation around your vRO workflows, one of the best ways to quickly get up-to-speed with what it does and visualise how it is put together is to look at the schema. Wouldn’t it be handy if you could easily get hold of an image of the schema for one or multiple workflows? Well with PowervRO and your PowerShell console you can!

The REST API supports this, so we have included a function Export-vROWorkflowSchema . In this first example, we will export the Schema of a single workflow Test06.

We can then view the file on our desktop:

powervro19

Or if we want to export multiple vRO Workflow Schemata, say for all Workflows in a particular Category:

Happy Days 🙂

powervro20