Quick tip: VCD cell-management-tool without using credentials

Are you tired of constantly typing the password when executing cell-management-tool commands on VCD cells? Here is a quick tip on how to use the cell-management-tool without using credentials.

There is an option -i that allows you to execute commands using the pid (process id) instead of providing the system-administrator credentials.

How does it work?

  • first you retrieve the pid number
  • the -i option allows you to use the pid number to bypass the authentication (you were logged on with a user with administrative permissions anyway)

The following will display the activity (-t, or –status) on the VCD cell. If not using the pid method, one would use -u for the username, and then be prompted for the password.

You can find the cell-management-tool command line reference here (VCD 10.4).

Let’s take a look how it would normally work:

  • retrieve the pid number

Now we will use the pid number as a parameter to execute the command:

Let’s do some small optimization now. We will combine the two command into a one-liner. This will retrieve the pid at execution time.

Happy to share this quick tip. Now you can also execute the cell-management-tool without using credentials, and maybe be a less frustrated, having to type that password over and over again 😀 !

DO NOT USE -p option

The -p option allows you to specify your password on the command line. However, this will be shown in plain text, and will be stored in the cli history. Other system administrators might be seeing this history, and therefore also this password.

QUICK UPDATE: NSX ALB documentation

To be honest, I have been complaining some over the last year, or so, about the NSX Advanced Load Balancer documentation. Mostly that it was not easy to be found, and one was having to fall back on the avinetworks.com site, which was not great either.

On docs.vmware.com the navigation links were not existing. However, if and when you knew the page titles, you could search for them through search engines. That showed that a lot of those documentation pages were there, in fact, but only not visible with non-existing links.

However, since a couple weeks, there is a banner on the avinetworks.com site that 22.1.4 is the latest release that was documented on avinetworks.com.

NSX ALB documentation deprecation on avinetworks.com
NSX ALB documentation deprecation on avinetworks.com

This means that the single source of truth will be on the NSX Advanced Load Balancer page on docs.vmware.com (the link does redirect you to that location 😀).

Quick tip: if you want to search within a site through a browser, e.g. chrome, use the following as an example:

Quick tip: Setting up TrueSSO?

Are you setting up TrueSSO? Are you looking to use signed certificates to secure the communication between the Connection Server and the Enrollment Server?

Try to find the documentation on using signed certificates to secure that communication. I challenge you, you will not find it easily.

What and why?

You are allowing access to the Unified Access Gateway from the internet. You will want those services to have signed certificates to secure the communication, which will turn that icon in the Horizon client green. To enable end-to-end signed communication, you will need to make sure that you have certs all the way. In the end you are creating tunnels to backend services.

On top of that you want to add TrueSSO in the equation as you want a seamless sign-on experience. This means more certificates. You follow the guides (and all the blog posts that are built using this information), so you are almost there.

However, one step is exporting the ‘vdm.ec’ certificate from the Connection Server and import it on the Enrollment Server. That is exactly where the information is missing or at least hard to be found. None of them actually talk about CA signed certificates for this. You are doing this kind of effort to get all those components (Microsoft) CA signed. Don’t you think that you should use signed certificates here as well, if . I think so!

Where can I find the documentation

Here is the documentation on the VMware websites on setting up TrueSSO:

… and also some great blogs articles out there:

Search no more, you can find it here on the docs.vmware.com site, it is just in another section and a bit hard to find.

Photon OS 3.0 update the maximum failed OS login attempts

A client of mine was looking on how to update the maximum failed OS login attempts because they were having an issue with the monitoring solution locking the root user account on the VMware Unified Access Gateway 2212. This version of the UAG is based on photon OS 3.0.

He asked me to verify where to change the configuration to update the maximum failed OS login attempts. This is normally set at UAG deploy time and there is no option to change it afterwards easily.

Be aware that this is a rather unconventional change because these values shouldn’t be changed from the default, especially if you want to be compliant with CIS audits for example.

This is the default and also the line that you need to change

Open system-auth located in /etc/pam.d

  • deny=3

Change the deny=3 to the maximum value you want. If you change it to 0 (zero) it will never deny based on the maximum failed OS login attempts for all local users

  • even_deny_root

Leave it out if it shouldn’t deny the root user being locked out on the maximum failed OS login

  • unlock_time=86400

Default unlock time for all users

  • root_unlock_time=300

Unlock time for the root user account

Source: https://www.stigviewer.com/stig/vmware_vsphere_6.7_photon_os/2022-09-27/

Deleting the datastore where a content library is hosted is probably not the best idea

Deleting the datastore where a content library is hosted is probably not the best idea but … yes stupid error and now what. If you are not faint of heart (and now how to take a snapshot), you can rectify this. You should contact GSS as there is not documented solution and this might break.

Take a snapshot and verify if the vCenter backups are in a healthy status. Yes? Ok go ahead.

Log on to the vCenter and create a new Content Library and name it ‘i-made-an-error’. Use the new datastore you want to use and keep the rest of the settings default as these don’t really matter.

Open an SSH session to the vCenter and connect to the Postgress DB ‘VCDB’

To show which tables are present within the database:

Show an overview of the Content Libraries added ( make sure to add the trailing ;):

Show the Content Library entries in the vCenter database

Now that we have an overview of the Content Libraries, with the one that is throwing an error highlighted.

In the following overview we find the library id from the new Content Library we just added and also the corresponding storage id.

Database Content Library storage ids

I will update the storage id from the faulty one we found on the previous screenshot with the one we found for the new Content Library.

Update the storage id for the faulty Content Library

There are a couple of places that helped me in solving this: