VMware Hands-on Labs - HOL-1811-04-SDC


Lab Overview - HOL-1811-04-SDC - vSphere Security - Getting Started

Lab Guidance


Note: It will take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Lab Module List:

 Lab Captains:

 This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  But you can click the EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Automating Password Complexity for ESXi Users (15 minutes)

Introduction


This module (Module 1 - Automating Password Complexity for ESXi Users) will show administrators how they can automate security policy on all of their ESXi hosts. For this module, we will be setting password complexity for users on the vSphere hosts. However, the intent is to show how this method can be applied to all security policies an administrator would like to automate. So imagine you had one complete script that enforced all of the security guidelines for ESXi. On day zero of provisioning ESXi hosts, you would be in compliance. This will reduce the overall operating expense of securing the Software Defined Data Center.

ESXi Passwords and Account Lockout:

For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option. ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpage for pam_passwdqc for detailed information.

Note: The default requirements for ESXi passwords can change from one release to the next. You can check and change the default password restrictions using the Security.PasswordQualityControl advanced option.

 ESXi Passwords:

ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the VMware Host Client. By default, you have to include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash when you create a password. Passwords cannot contain a dictionary word or part of a dictionary word.

Note: An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

 Example ESXi Passwords:

The following password candidates illustrate potential passwords if the option is set as follows:  retry=3 min=disabled,disabled,disabled,7,7

With this setting, passwords with one or two character classes and pass phrases are not allowed, because the first three items are disabled. Passwords from three and four character classes require at least seven characters. See the pam_passwdqc manpage for details.

With these settings, the following passwords are allowed:

 ESXi Pass Phrase:

Instead of a password, you can also use a pass phrase; however, pass phrases are disabled by default. You can change this default or other settings, by using the Security.PasswordQualityControl advanced option from the vSphere Web Client.

For example, you can change the option to the following:  retry=3 min=disabled,disabled,16,7,7

This example allows pass phrases of at least 16 characters and at least 3 words, separated by spaces. For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file is deprecated for future releases. Use the Security.PasswordQualityControl advanced option instead.

Changing Default Password Restrictions:

You can change the default restriction on passwords or pass phrases by using the Security.PasswordQualityControl advanced option for your ESXi host. See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.

You can change the default, for example, to require a minimum of 15 characters and a minimum number of four words, as follows:  retry=3 min=disabled,disabled,15,7,7 passphrase=4

See the manpage for pam_passwdqc for details.

Note: Not all possible combinations of the options for pam_passwdqc have been tested. Perform additional testing after you change the default password settings.
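To see how the min= thresholds and the class-counting exceptions above combine, here is an added Python model of the rules this module describes (example code, not part of the lab or of pam_passwdqc itself); it parses the three Security.PasswordQualityControl strings quoted above and judges constructed sample candidates against them. It assumes pam_passwdqc's default of three pass phrase words when passphrase= is absent and deliberately omits the dictionary-word check, which the text mentions but does not specify.

```python
"""Simplified model of the pam_passwdqc 'min=' rules quoted in this module.

Added example, not part of the lab manual or of pam_passwdqc itself. It
covers only what the text states: four character classes, the
leading-uppercase / trailing-digit exceptions, the five 'min=' thresholds
('disabled' rejects that kind of password) and the 'passphrase=' word count.
The dictionary-word check that real pam_passwdqc performs is not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISABLED = None  # a 'disabled' slot in min= rejects that kind of password


@dataclass(frozen=True)
class QualityPolicy:
    # mins[0..4]: minimum length for 1-class, 2-class, passphrase,
    # 3-class and 4-class passwords, in the order pam_passwdqc uses.
    mins: Tuple[Optional[int], ...]
    passphrase_words: int = 3  # assumption: pam_passwdqc default, "at least 3 words"
    retry: int = 3

    @classmethod
    def parse(cls, option: str) -> "QualityPolicy":
        """Parse a Security.PasswordQualityControl value such as
        'retry=3 min=disabled,disabled,16,7,7 passphrase=4'."""
        mins: Optional[Tuple[Optional[int], ...]] = None
        words, retry = 3, 3
        for token in option.split():
            key, _, value = token.partition("=")
            if key == "min":
                parts = value.split(",")
                if len(parts) != 5:
                    raise ValueError("min= needs exactly five comma-separated values")
                mins = tuple(DISABLED if p == "disabled" else int(p) for p in parts)
            elif key == "passphrase":
                words = int(value)
            elif key == "retry":
                retry = int(value)
            else:
                raise ValueError(f"unsupported option: {token}")
        if mins is None:
            raise ValueError("min= is required")
        return cls(mins=mins, passphrase_words=words, retry=retry)


def character_classes(password: str) -> int:
    """Count classes (lower, upper, digit, special) with the exception quoted
    in the module: an uppercase letter that begins the password and a digit
    that ends it do not count toward the number of classes."""
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    return sum([
        any(c.islower() for c in body),
        any(c.isupper() for c in body),
        any(c.isdigit() for c in body),
        any(not c.isalnum() for c in body),  # spaces count as special
    ])


def check_password(policy: QualityPolicy, candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one candidate under the policy."""
    length, words = len(candidate), len(candidate.split())

    # Pass phrase path: enough words and at least mins[2] characters.
    if policy.mins[2] is not DISABLED and words >= policy.passphrase_words \
            and length >= policy.mins[2]:
        return True, f"accepted as pass phrase ({words} words, {length} chars)"

    classes = character_classes(candidate)
    slot = {1: 0, 2: 1, 3: 3, 4: 4}.get(classes)  # map class count to min= index
    if slot is None:
        return False, "no character classes counted"
    required = policy.mins[slot]
    if required is DISABLED:
        return False, f"{classes}-class passwords are disabled by policy"
    if length < required:
        return False, f"{classes} classes need {required} chars, got {length}"
    return True, f"accepted with {classes} classes ({length} chars)"


def audit(option: str, candidates: List[str]) -> List[Tuple[str, bool, str]]:
    """Judge a list of candidates against one policy string."""
    policy = QualityPolicy.parse(option)
    return [(c,) + check_password(policy, c) for c in candidates]


if __name__ == "__main__":
    # Constructed sample candidates; the policies are the three quoted in the module.
    samples = ["password1", "Pa$$w0rd", "Xw3!ab", "correct horse battery",
               "correct horse battery staple"]
    for option in ("retry=3 min=disabled,disabled,disabled,7,7",
                   "retry=3 min=disabled,disabled,16,7,7",
                   "retry=3 min=disabled,disabled,15,7,7 passphrase=4"):
        print(option)
        for cand, ok, why in audit(option, samples):
            print(f"  {'OK ' if ok else 'NO '} {cand!r}: {why}")
```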

ESXi Account Lockout Behavior:

Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of ten failed attempts is allowed before the account is locked. The account is unlocked after two minutes by default.

 Configuring Login Behavior:

You can configure the login behavior for your ESXi host with the following advanced options:

See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.

 This Module contains the following lesson:

 


 

Script We will Execute (password.ps1)

NOTE: Below is the contents of the password.ps1 script we will be running against our ESXi hosts to set the password complexity on them.

#Set password policy
Connect-VIServer -server vcsa-01a.corp.local -user administrator@vsphere.local -password VMware1!

#Get the list of connected ESXi hosts
$VMHosts = Get-VMHost | Where {$_.ConnectionState -eq "Connected"}

#Set the password policy
$passwordpolicy = "retry=3 min=disabled,disabled,disabled,7,7"

#Loop through the list of hosts and set the advanced setting
foreach ($VMHost in $VMHosts) {
    Get-AdvancedSetting -Entity $VMHost -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value $passwordpolicy -Confirm:$false
}

 

Automate Password Complexity Policy


In this module, we will use PowerCLI to run a script (password.ps1) against two hosts in a single cluster to set the password policy on them. PowerCLI commands are a quicker, easier, and less resource-intensive way to make bulk changes to host password policies. For environments with numerous hosts, such as 20 or more, this is a more effective way of making the change than doing it in the web client on each individual host.


 

Launch PowerCLI

 

1. Double-click on VMware vSphere PowerCLI Icon.

 

 

Clear Screen

 

Type the following command to clear the screen:

cls

 

 

Search For password.ps1 Script

 

1. Type the following command to change to the HOL-1811 directory.

cd C:\LabFiles\HOL-1811\

2. Type the following command to list all files in the HOL-1811 directory.

ls

3.  You should see the script named password.ps1

This script contains the following code, which leverages the advanced ESXi settings to change the complexity. For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.

We see here all the lines of code that are in the password.ps1 script:

#Set password policy
Connect-VIServer -server vcsa-01a.corp.local -user administrator@vsphere.local -password VMware1!

#Get the list of connected ESXi hosts
$VMHosts = Get-VMHost | Where {$_.ConnectionState -eq "Connected"}

#Set the password policy
$passwordpolicy = "retry=3 min=disabled,disabled,disabled,7,7"

#Loop through the list of hosts and set the advanced setting
foreach ($VMHost in $VMHosts) {
    Get-AdvancedSetting -Entity $VMHost -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value $passwordpolicy -Confirm:$false
}

 

 

 

Execute password.ps1 Script

 

  1. Type the following command to execute the password.ps1 script:
./password.ps1

NOTE: The "./" in the command we just ran tells PowerShell to execute the script from the current working directory. If we were in a different directory and wanted to run the password.ps1 script, we would have to provide the full path to the script (e.g. 'PS C:\> C:\LabFiles\HOL-1811\password.ps1').

  1. Notice how we set the password complexity value to "retry=3 min=disabled,disabled,disabled,7,7"

The following password candidates illustrate potential passwords if the option is set to "retry=3 min=disabled,disabled,disabled,7,7". That means that passwords with one or two character classes and pass phrases are not allowed, as indicated by the first three disabled items. Passwords from three and four character classes require at least seven characters.

 

 

Close PowerCLI

 

  1. Click on the red "X" on the PowerCLI window to close PowerCLI.

 

 

Launch Putty

 

1. Click on the Putty icon in the toolbar.

 

 

SSH to esx-01a.corp.local

 

1. Double-click on the esxi-01a.corp.local server to open a connection to that host.

 

 

Clear Screen

 

  1. Type clear into the putty window to clear the screen to make it easier to see commands and give more screen space.

 

 

Verify Change Was Made

 

Because we double-clicked the esxi-01a.corp.local server in the saved settings, it automatically logged in as the root user account and with the correct password.

We are now at the command prompt and need to type the following commands:

  1. Type the following command to change directory to the pam.d folder:
cd /etc/pam.d
  2. Type the following command to print the contents of the passwd file:
cat passwd
  3. You should see the changes and the proper complexity settings being loaded by PAM.

NOTE: Feel free to repeat Steps 1 - 2 with esx-02a.corp.local to see the change was made against that host as well.

 

 

Close Putty

 

  1. Click on the red "X" on the Putty window to close Putty.

 

 

Putty Exit Confirmation

 

  1. Click on the OK button.

 

 

Automate Password Complexity Policy - Complete

Using PowerCLI commands, we changed the password complexity requirements from the command line instead of using a Graphical User Interface (GUI) like most do. We then verified the changes were successfully made by connecting to the hosts via PuTTY.

 

Conclusion


Congratulations on completing Module 1!

Leveraging scripts to remediate security policies that are out of compliance is a key way to reduce the overall security risk of the Software Defined Data Center and lower the associated operating expense of securing your systems. In this module we took some time to see how we can leverage PowerCLI to automate password complexity settings; the same approach applies to a myriad of other security settings.

Proceed to the next module (Module 2 - Forensic Security with vRealize Log Insight), or feel free to skip to any other module below which interests you most.


 

Automating Password Policy Resources:

NOTE: Because the lab environment typically does not connect out to the internet, you will not be able to connect to the below links from the lab environment. The links are provided so you can save them to refer to at a later time. Feel free to take a picture with your cell phone to save the list of links to refer to later.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue on to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 2 - Forensic Security with vRealize Log Insight (30 minutes)

Introduction


This module (Module 2 - Forensic Security with vRealize Log Insight) shows how a vSphere administrator can use the new logging capabilities in vSphere 6.5 and vRealize Log Insight to show who actually did what in vCenter. This module will also show how we can create a custom dashboard to give administrators a rapid view of who rebooted a virtual machine, as well as valid and unauthorized login attempts to ESXi. We also explore the security dashboards from the Linux Content Pack.

Prior to 6.5, actions taken at the vCenter level by a named user would show up in ESXi logs with the “vpxuser” username.

In 6.5, all actions taken at vCenter against an ESXi server now show up in the ESXi logs with the vCenter username.

This Module contains the following lessons:


 

Actionable Logging

 

In vSphere 6.5 you can see that the log information is now actionable. We see that the administrator account has moved the VM from the PCI-vSwitch to the Non-PCI vSwitch. This could just as easily be from the Secure Network to the Unsecured Network. The point here is that this is a security event.

vRealize Log Insight can parse this and create an alert. Why is this important? Because now an IT manager can be alerted immediately when a virtual machine is now out of scope for security.

NOTE: This is a general example and does not relate to the existing lab environment.

 

Getting to Know the User Interface of vCenter Server 6.5


In this lesson, we will provide an overview of the vCenter server user interface in regards to its security focused changes. vSphere 6.5 introduces audit quality logging. Prior to 6.5, logs were more focused on "troubleshooting" and not on IT operations or security use cases. For example, if a virtual machine was reconfigured from one network to another network, the most that would come out of the log would be "Virtual Machine <name> reconfigured". While accurate, it was incomplete.

Logs coming from vCenter via Syslog will be enriched with data from vCenter Events. These logs will clearly show "Before" and "After" setting changes.  This enhances the ability of IT and Security administrators to troubleshoot issues by providing exactly what changed in the vSphere environment. In the image below, the virtual machine has been moved from a network labeled "PCI-vSwitch", implying that the network is in scope for secure Payment Card Industry network traffic, to the "Non-PCI-vSwitch".

Today in vSphere 6.5 and below, when we make a change to a virtual machine, we only get the "Mike Foley reconfigured this VM" type of message. Why is this bad? Because it's not actionable. Was it something that has security implications? Did you move it from a secure network to an insecure network?

Can Log Insight help in this scenario? No, vRealize Log Insight and any other syslog collector can only act on the information it receives.

A virtual machine that is in scope for PCI being moved off of a PCI network to a non-PCI network would be a serious security issue. With the enhanced logging available in vSphere 6.5, this notification would go directly via Syslog to the logging solution, where it would be parsed and an alert could be generated, informing those concerned of the serious situation.

For vSphere 6.5, the logging of not only virtual machine changes but all vSphere changes has been improved. Changes to vCenter roles and permissions, datastore browsing functions like downloading a VM, and actions such as creating and modifying vCenter clusters and hosts are all included in the enhanced logging.

For those used to 5.x and 6.0 logging, these changes come with no need to increase the logging level beyond "info", nor do they add any measurable load to vCenter or add to the vCenter database. This is because the information has already been recorded as part of the existing vCenter event. Enhanced logging exposes this information via the Syslog stream. Troubleshooting and support logs are unaffected and will still be used by support as necessary.


 

Open Google Chrome

 

If Google Chrome is not already open, you can either:

  1. Double-click the Google Chrome icon on the Main Console Desktop.
  2. Or click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, continue onto the next step.

 

 

RegionA vCenter Server

 

Do the below step if you are opening a new Google Chrome browser window; otherwise, you can skip this step:

  1. Click on the RegionA vCenter Bookmark located on the Bookmark Toolbar.

 

 

Log Into RegionA vCenter Server

 

  1. Type administrator@corp.local in the username text field.
  2. Type VMware1! in the password text field.
  3. Then click on the Login button.

 

 

Home

 

  1. Click on the Home icon at the top of the content pane.
  2. Click on Home in the drop-down menu.

 

 

Default Home View

 

When in the Home view, we see the list of different object group types in the left navigation pane such as Hosts and Clusters, VMs and Templates, Storage, Networking, Policies and Profiles, and much more. On the right side is the content pane which has several sections to it:

  1. We have the Inventories section which is a commonly used section with Hosts and Clusters, VMs and Templates, Storage, Networking, etc.
  2. We have the Operations and Policies section with Tasks, Events, VM Storage Policies, etc.
  3. We have the Administration section which has Roles, System Configuration, Licensing, etc.
  4. And finally we have the Plug-ins for Installation section for plug-ins such as vRealize Orchestrator, the Hybrid Cloud Manager, and much more.

NOTE: Depending on what other VMware solutions are installed into the environment, you could see additional icons in the Home view.

 

 

Global Inventory List

 

  1. Click on the Global Inventory Lists in the left Navigation Pane.

 

 

vCenter Home View

 

Now we see the vCenter Home view which provides a list of all of the object types in the vCenter server.

  1. Click on the vCenter Servers object in the left Navigation Pane.

 

 

vCenter Server System Logs

 

In order to see the system logs for the vCenter Server, we need to first select the vCenter Server that we want to see the logs for since we have more than one vCenter Server. Then we will need to make a few other selections to get to the log files themselves.

  1. Click on the vcsa-01a.corp.local vCenter Server in the left navigation pane.
  2. Click on the Monitor tab on the content pane.
  3. Click on the System Logs tab.

We see that the default log that comes up is the vCenter Server Log [vpxd-345.log], but there is a drop-down to select the different vCenter log files.

NOTE: The log files in the lab environment may reflect differently than what is in the screen capture.

 

 

Selecting Other Log Files

 

At this point, we want to look at another vCenter Server log, specifically the vpxd.log.

  1. Click on the vCenter Server logs drop-down menu and select the vCenter Server log [vpxd.log].
  2. We see that the log files are more descriptive than they were in previous versions of the vCenter server. Although you most likely won't see this in the lab environment, we see in this screen shot that the log says the esx-02a.corp.local host doesn't support any EVC mode.

 

 

Exporting System Logs

 

For many administrators, especially ones that do not have a log analysis solution such as VMware's vRealize Log Insight solution, being able to export the logs is an important feature to have. As we see here, there is an easy way to export any of the logs that we need to export.

  1. Click on the Export System Logs button.

 NOTE: The log files in the lab environment may reflect differently than what is in the screen capture.

 

 

Exporting System Logs - Select Host(s)

 

Now we have the opportunity to select which vSphere host(s) we want to export logs from. For our purposes we will export just one host's system log files as well as the vCenter Server and vSphere Web Client logs.

  1. Click on the check box next to esx-01a.corp.local to select that specific host.
  2. Click on the check box next to Include vCenter Server and vSphere Web Client logs to include these log files in the export. (selecting this greatly increases the size of the file)
  3. Click on the Next button.

NOTE: If the names of the hosts in the screen capture are different than what we see in the lab environment, check to be sure we are logged into the correct vCenter server.

 

 

Select The Logs

 

Here we are able to get specific on which log files we want to export. Some of the examples of the log files are the System, Performance Snapshot, Installer, Virtual Machines, and much more. We have the ability to also gather performance data for a set amount of time and set a password to encrypt the core dump files.

  1. Scroll down the page until we can see the Network check box.
  2. De-select the Network check box.
  3. Click on the Gather performance data check box and keep the default settings for it.
  4. We will not actually export the logs due to time and disk space, click on the Cancel button.

NOTE: We didn't click Finish because of the time and space it would take to gather the log files. This was just meant to show us how to go about exporting log files and what options we can select to capture.

 

 

Show Line Numbers

 

When looking at log files, it can be hard to distinguish where one ends and the next one begins, so we have provided the option to add line numbers to the logs to assist with this.

  1. Click on the Show line numbers check box.
  2. We now see the line numbers making it easier to see where the next log file begins.
  3. We also see we can Show Next 2000 Lines and Show All Lines if we want. Feel free to click on them if you want to see the results.

NOTE: The log files in the lab environment may reflect differently than what is in the screen capture.

 

 

vSphere Web Client

At this point, we are done using the vSphere Web Client. However, leave it open for the next lesson since we will be using it again.

 

 

Getting to Know the User Interface of vCenter Server 6.5 - Complete

We have completed this lesson, which ran through the vCenter Server user interface to show updates to security-related aspects such as log files, events, etc. We also ran through the process of exporting log files in the event we need to do this.

 

An Overview of the vCenter Server 6.5 Logs


vSphere 6.5 introduces audit quality logging. Prior to 6.5, logs were more focused on "troubleshooting" and not on IT operations or security use cases. For example, if a virtual machine was reconfigured from one network to another network, the most that would come out of the log would be "Virtual Machine <name> reconfigured". While accurate, it was incomplete.


 

Default vCenter Server View

 

The vSphere Web Client should still be open from the last lesson; if not, please relaunch Google Chrome and log into vcsa-01a.corp.local.

  1. Click on the Home icon at the top of the content pane.
  2. Select Global Inventory Lists from the Home drop-down menu.

 

 

vCenter Home View

 

Now we see the vCenter Home view as well as the numerous other objects. We want to go to the list of vCenter Servers.

  1. Click on the vCenter Servers object in the left navigation pane.

 

 

Select vcsa-01a.corp.local

 

  1. Click on the vcsa-01a.corp.local vCenter server in the left Navigation Pane.

 

 

vCenter Server System Issues

 

For administrators, troubleshooting can be cumbersome and time-consuming, but VMware is making it easier for administrators by offering information to help find the issues quicker. The first way they do that is by providing an Issues tab to bring to light ongoing issues. To look at the issues:

  1. Click on the Monitor tab in the content pane.
  2. Click on the Issues tab in the Content Pane.

We see that when we click on the Issues tab, it opens up to the All Issues selection. But we also provide the Triggered Alarms and Alarm Definitions selections as well. Because this is a lab environment, there aren't any issues being reported at this time in the screen capture. The lab environment we are working in may or may not show some issues. However, in a live production environment, you more than likely would see some listed.

NOTE: The Issues listed in the screen capture may be different than what you see in the lab environment.

 

 

vCenter Server Tasks & Events

 

In the Tasks & Events tab, you see tasks such as rescans of the VMFS volumes and the HBAs. The Events section shows events such as when a user has logged in/out or made changes, and much more. The Scheduled Tasks section shows any scheduled tasks that you have created. Again, being a lab environment, we do not have any scheduled tasks configured.

  1. Click on the Tasks & Events tab.
  2. Click on Events to look at any events that may be listed.
  3. Then click on Scheduled Tasks to see what scheduled tasks are listed.

NOTE: The Tasks and Events listed in the screen capture may be different than what you see in the lab environment.

 

 

vCenter Server System Logs

 

The vCenter System Logs are a very important tool for any administrator to get detailed information on what is going on in their vSphere environment. The vCenter Server logs in version 6.5 are more detailed than in previous versions, so they provide much more detail to assist administrators in getting to the root of any issues.

  1. Click on the System Logs tab and review the logs.

NOTE: The system logs listed in the screen capture may be different than what you see in the lab environment. We will look closer at the System Logs in the next section of the lab.

 

 

vCenter Server Sessions

 

Sometimes, administrators want to know what and who are connected to the vCenter Server and want to see these open sessions. In order to see these open sessions:

  1. Click on the Sessions tab and review the session information.

NOTE: The Sessions listed in the screen capture may be different than what you see in the lab environment.

 

 

vSphere Web Client

At this point, we are done using the vSphere Web Client. However, leave it open for the next lesson since we will be using it again.

 

 

vCenter Server User Interface Overview - Complete

Congratulations on completing the An Overview of the vCenter Server 6.5 Logs section of Module 2!

Hopefully this overview of the vCenter Server user interface as it relates to security (log files, events, tasks, etc.) was useful. Although system logs tend to be the most important to look at from a security perspective, looking at the other areas can also be very valuable.

 

 

Intro Information on Log Insight Capabilities Beyond Log Insight for vCenter


This lab will demonstrate new audit enhancements for vCenter server inventory changes with vCenter Events and SysLog messages. The lab will also demonstrate the improved event logging in both vCenter and ESXi servers. You will experience a new syslog stream with events based on structured data from the vCenter database.


 

RegionB vCenter

 

We will now log into the vcsa-01b.corp.local vCenter server.

  1. Click on the RegionB vCenter bookmark in the Bookmark toolbar of Google Chrome.

 

 

Log Into RegionB01 vCenter Server

 

If the RegionB vCenter server is already open in a Google Chrome tab, we can skip Steps 1 - 3, otherwise complete the below steps:

  1. Type administrator@vsphere.local in the User name field.
  2. Type VMware1! in the Password field.
  3. Click the Login button.

 

 

VMs and Templates

 

We will need to create a new virtual machine, in order to do that:

  1. Click on the Home Button at the top of the page.
  2. Click on VMs and Templates from the drop-down menu.

 

 

Tiny-VM Template

 

  1. If need be, click on the arrow next to the vcsa-01b.corp.local vCenter server and expand everything until you see the list of the virtual machines.
  2. Right-click on the Tiny-VM Template in the left navigation pane.
  3. Select New VM from This Template from the drop-down menu.

 

 

Create a New VM - Create name and location

 

  1. Type My Encrypted VM1 in the Enter a name for the virtual machine text field.
  2. If need be, click the drop-down arrow next to the vcsa-01b.corp.local vCenter server, then click on the RegionB01 datacenter.
  3. Click on the Next button.

 

 

New Virtual Machine Wizard - Select a resource

 

  1. Select the RegionB01-COMP01 resource to choose that cluster as the place where we want to put the virtual machine.
  2. Click on the Next button.

 

 

New Virtual Machine Wizard - Select storage

 

Here we will select what datastore to place the virtual machine on. We will select Thin Provisioning in order to conserve on disk space in the lab environment. We also will leave the default storage policy at this time.

  1. Select Thin provision in the drop-down menu for Select virtual disk format.
  2. Select the RegionB01-ISCSI01-COMP01 datastore.
  3. Click on the Next button.

 

 

New Virtual Machine Wizard - Select clone options

 

For the Clone Options, we keep the defaults since we have no need to customize the operating system or the hardware at this time. We also do not need the virtual machine to be powered on for what we are doing, so we leave it powered off to conserve the lab environment's resources.

  1. Keep the default settings and click on the Next button.

 

 

New Virtual Machine Wizard - Ready to complete

 

  1. Review all of the settings to be sure we selected the correct ones, then click on the Finish button to create the virtual machine.

Note:  Leave the virtual machine powered off as we are going to change some settings on it to trigger events.

 

 

My Encrypted VM1 - Edit Settings

 

At this point, we want to make some changes to the newly created virtual machine so that it will trigger some logs that we can go and look at.

  1. Right-click on the My Encrypted VM1 virtual machine.
  2. Select Edit Settings from the drop-down menu.

NOTE: The list of virtual machines may be slightly different than what is in the screen shot compared to the lab environment.

 

 

My Encrypted VM1 - Change CPU / Memory settings

 

We will now change the CPU and Memory values so that the reconfiguration is recorded as an event we can review.

  1. Change the CPU value from 1 to 2.
  2. Change the Memory value from 64 to 96.
  3. Click on the OK button.

 

 

My Encrypted VM1 - Look at Events Generated

 

  1. Be sure we still have the My Encrypted VM1 selected in the left navigation pane, then click on the Monitor Tab in the content pane.
  2. Click on Tasks & Events tab in the content pane.
  3. Select Events in the content pane.
  4. Look for Reconfigured virtual machine in description. You can resize columns to view the entire description if necessary.

 

 

Minimize Widgets

 

We will now minimize all the widgets to give us more screen real estate in the Content Pane.

  1. Click on the Pin icon to minimize the Work In Progress widget.
  2. Click on the Pin icon to minimize the Alarms widget.
  3. Click on the Pin icon to minimize the Recent Tasks widget.
  4. Click on the Pin icon to minimize the Recent Objects widget.

 

 

My Encrypted VM1 - View the Event Description

 

Remain highlighted on the Reconfigure Virtual Machine event record.

  1. If need be, scroll down the page until we can see all the details of the event.
  2. Confirm the CPU and Memory properties were changed.

Note: In this version of vSphere, we improved over 30 existing events for better auditing. The Reconfigure Virtual Machine event which we are demonstrating is just one of them.
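The extra detail in the 6.5 event description is what makes it machine-checkable: an auditor no longer has to guess what "reconfigured" meant. As an added example that is not part of the lab, the following Python parses such an event description into structured property changes and flags the ones worth a second look. The sample text, the exact "Modified: ... Added: ... Deleted:" layout of the description, and the list of watched property prefixes are my assumptions, not text copied from the lab.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample text of a vSphere 6.5 "Reconfigured virtual machine" event
# (VmReconfiguredEvent) as shown on the Monitor > Events tab after the CPU and
# memory change made in this lesson. The "Modified: ... Added: ... Deleted:"
# layout is my assumption about the 6.5 description format, not text copied
# from the lab.
SAMPLE_EVENT = (
    "Reconfigured My Encrypted VM1 on esx-01b.corp.local in RegionB01. "
    "Modified: config.hardware.numCPU: 1 -> 2; "
    "config.hardware.memoryMB: 64 -> 96;  Added:  Deleted: "
)

# Constructed pre-6.5 style description: same action, no property detail.
LEGACY_EVENT = "Reconfigured My Encrypted VM1 on esx-01b.corp.local in RegionB01"


@dataclass(frozen=True)
class PropertyChange:
    path: str   # vSphere property path, e.g. config.hardware.numCPU
    old: str
    new: str


_HEADER = re.compile(
    r"^Reconfigured (?P<vm>.+?) on (?P<host>\S+) in (?P<dc>.+?)\.?(?:\s+Modified:|$)")
_SECTIONS = re.compile(
    r"Modified:(?P<modified>.*?)Added:(?P<added>.*?)Deleted:(?P<deleted>.*)$", re.S)
_CHANGE = re.compile(r"(?P<path>[\w.\[\]-]+): (?P<old>.*?) -> (?P<new>[^;]*);")


def parse_reconfigure_event(description: str) -> Dict[str, object]:
    """Split the event text into who/where plus a list of (path, old, new) changes."""
    head = _HEADER.search(description)
    if not head:
        raise ValueError("not a 'Reconfigured virtual machine' event")
    sections = _SECTIONS.search(description)
    changes: List[PropertyChange] = []
    if sections:
        for c in _CHANGE.finditer(sections["modified"]):
            changes.append(PropertyChange(c["path"], c["old"].strip(), c["new"].strip()))
    return {
        "vm": head["vm"],
        "host": head["host"],
        "datacenter": head["dc"],
        "has_detail": sections is not None,
        "changes": changes,
    }


# Property prefixes worth a second look in an audit: hardware sizing, advanced
# settings, and the encryption key reference. This list is my own choice.
WATCHED_PREFIXES = ("config.hardware.", "config.extraConfig", "config.keyId")


def audit_findings(event: Dict[str, object]) -> List[str]:
    findings = []
    for c in event["changes"]:
        if c.path.startswith(WATCHED_PREFIXES):
            findings.append(f"{event['vm']}: {c.path} changed {c.old} -> {c.new}")
    if not event["has_detail"]:
        # Older events only say that something changed, not what.
        findings.append(f"{event['vm']}: reconfigured, but the event carries no property detail")
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_EVENT, LEGACY_EVENT):
        for line in audit_findings(parse_reconfigure_event(text)):
            print(line)
```

The legacy description is included deliberately: an event with no property detail still deserves a finding, because "something changed and we cannot say what" is itself an audit gap.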

 

 

View Logs in vRealize Log Insight

 

We are now going to go and log into the vRealize Log Insight server.

  1. Click on the New Tab button in Google Chrome to open a new tab.
  2. From within In the new tab, click on the vRLI bookmark in the Bookmark Toolbar.

 

 

Log into vRealize Log Insight

 

  1. Click the arrow and select Default (built-in) from the drop-down menu.
  2. Type admin for the User name text field.
  3. Type VMware1! for the Password text field.
  4. Click on the LOGIN button.

 

 

Interactive Analytics Tab

 

  1. Click on the Interactive Analytics tab at the top of the Content Pane.

 

 

Find Event Change Logs

 

We want to find the change log from when we changed the resources on the My Encrypted VM1 previously. In order to do that, we will use the search function in the vRealize Log Insight interface to find it.

  1. Type My Encrypted VM1 in the search field. As soon as you start typing, Log Insight presents auto-complete choices drawn from the logs it has already ingested.
  2. Click the Time drop-down menu and select Latest hour of data. You can select other increments of time as needed to find the associated logs.
  3. Click the Magnifying Glass (search) icon to perform the search.
  4. You now have every log entry that includes the text My Encrypted VM1, including the entries for the CPU and memory change made to that virtual machine earlier.

 

 

Conclusion

This lesson showed the enhancements to vCenter Server event logging and how the events now carry more detail than in previous versions, which makes both troubleshooting and auditing easier for administrators. Besides the logs, the vCenter Server Issues, Tasks and Events, and Sessions views are also useful when troubleshooting an issue within a vSphere environment.

Finally, we gave a quick overview of vRealize Log Insight's ability to provide an even faster and simpler way to view, search, and correlate logs in an environment.

 

Perform Security Audit Actions


Before we get started analyzing the data from within vRealize Log Insight, we will need to perform some security audit actions to mimic events that may occur inside of an organization.

We will restart a virtual machine from the vCenter Server interface, log into an ESXi host as root, and then attempt to log into the same ESXi host as an unauthorized user. We use ESXi to showcase this functionality, but the sources could equally be Windows or Linux operating systems, or storage and network devices: vRealize Log Insight can consume logs from both virtual and physical devices.


 

Open Google Chrome

 

If Google Chrome is not already open, you can either:

  1. Double-click the Google Chrome icon on the Main Console Desktop.
  2. Or click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, continue onto the next step.

 

 

RegionB vCenter Server

 

Do the below step if you are opening a new Google Chrome browser window; otherwise, you can skip this step:

  1. Click on the RegionB vCenter bookmark in the Bookmark Toolbar.

 

 

Log Into the vCenter Server

 

If the RegionB vCenter server is already open in a Google Chrome tab, we can skip Steps 1 - 3, otherwise complete the below steps:

  1. Type administrator@corp.local in the User name field.
  2. Type VMware1! in the Password field.
  3. Click on the Login button.

Note: If you take this module before the other modules in this lab, logging in may take a minute or two while vCenter loads.

 

 

Switch to vSphere Web Client Tab

 

If the tab for the vSphere Web Client is still open:

  1. Click on the vSphere Web Client tab to return to the vSphere Web Client.

 

 

Navigate to Home

 

Once we are back in the vSphere Web Client:

  1. Click on the Home icon at the top of the browser page.
  2. Select Home from the drop-down menu.

 

 

Hosts and Clusters

 

Once the Home page finishes loading:

  1. Click on the Hosts and Clusters icon.

 

 

Start My Encrypted VM1

 

 We now want to power on the My Encrypted VM1 virtual machine by performing the following tasks:

  1. Click on the arrow next to the vcsa-01b.corp.local vCenter server and expand it out until you can see all the virtual machines.
  2. Click on the My Encrypted VM1 virtual machine.
  3. Then click on the green Power on the selected virtual machines icon at the top of the content pane.

 

 

Confirm My Encrypted VM1 Started

 

At this point we want to make sure the My Encrypted VM1 virtual machine is fully up and running by performing the following tasks:

  1. While still having My Encrypted VM1 selected, click on the Summary tab in the Content Pane.
  2. Verify that the virtual machine is fully up and running and that the window says Powered On at the bottom.

NOTE: We may need to give it a minute to fully come up and we may need to refresh the vSphere Web Client to see that the virtual machine looks like the screen shot.

 

 

Restart My Encrypted VM1

 

We now want to reboot the My Encrypted VM1 virtual machine so we can have a log file created for the reboot action.

  1. Click on the My Encrypted VM1 virtual machine.
  2. Click on the icon with the red and green arrows in a circle to Restart the guest operating system of the selected virtual machine.

 

 

Confirm My Encrypted VM1 Restart

 

  1. Click Yes to confirm the guest restart.

NOTE: You are now done performing tasks inside the vSphere Web Client. For the moment, you can minimize the Google Chrome browser if you want, because you will need to use it again in the next lesson.

 

 

Open Putty

 

We are now going to connect to a host via the application Putty. The purpose of this is to again create new user login logs that we can search for.

  1. Click the putty icon in the Windows Taskbar to launch the Putty application.

 

 

Login to esx-01b.corp.local as root

 

We will now log into esx-01b.corp.local as root using a saved session that also has the correct password already saved.

  1. Click on the esx-01b.corp.local in the Saved Sessions field.
  2. Then click on the Open button.

 

 

Root Authentication

 

You now see that we were automatically logged into esx-01b.corp.local as root, authenticated with a public key rather than a password. This is itself an audit event: the host's sshd records a successful key-based root login in the same way it records a password login, so it will appear in the logs we search later.

 

 

New Putty Session

 

We are finished with this Putty session and now need a second one. This time we will not use the preconfigured saved session.

  1. Click the icon in the top-left corner of the Putty window to open the application's system menu.
  2. Select New Session...

 

 

Manually Re-connect to esx-01b.corp.local

 

This time, we will be manually typing the hostname in so we don't use the preconfigured username and password. We want to INTENTIONALLY log in with the INCORRECT information.

  1. Manually type esx-01b.corp.local in the Host Name field. (DO NOT use the saved sessions as we did earlier)
  2. Click the Open button.

 

 

Access Denied - admin

 

We will now purposefully attempt to login as the admin user account with a bad password.

  1. Type admin next to login as then press Enter on the keyboard.
  2. Type admin next to Password then press Enter on the keyboard.
  3. Exit ALL Putty sessions by clicking on red X in the top right corner of each window.

Note: Access denied is the desired response after Step 2.

 

 

Putty Exit Confirmation

 

  1. A Putty Exit Confirmation window appears for each session; click the OK button in each to confirm closing it.

 

 

Perform Security Audit Actions - Complete

That completes the Perform Security Audit Actions section of Module 2. We performed several actions that generate audit logs: rebooting a virtual machine, connecting to a host via Putty with a valid key-based root login, and attempting to log in to the same host with a non-existent account and a bad password. These logs can now be viewed within vRealize Log Insight in the next section.
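Both Putty sessions leave a trail in the host's sshd log (on ESXi that is /var/log/auth.log, which is what the host forwards to Log Insight over syslog). As an added example that is not part of the lab, the following Python runs detection logic over constructed sshd lines in syslog form: it flags an interactive root login, an attempt against an account that does not exist, and a burst of failures from one source. The sample lines, timestamps, process IDs, client addresses and the threshold values are made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of ESXi sshd messages as they would arrive in Log Insight
# over syslog after the two Putty sessions in this lesson (a key-based root
# login, then a bad password for a non-existent "admin" account), plus three
# made-up password failures from a second address to show the burst rule.
SAMPLE_AUTH_LOG = """\
2017-08-21T14:02:11Z esx-01b.corp.local sshd[2100941]: Accepted publickey for root from 192.168.110.10 port 52644 ssh2: RSA SHA256:k4J9Q
2017-08-21T14:03:40Z esx-01b.corp.local sshd[2100970]: Invalid user admin from 192.168.110.10
2017-08-21T14:03:42Z esx-01b.corp.local sshd[2100970]: Failed password for invalid user admin from 192.168.110.10 port 52701 ssh2
2017-08-21T14:03:45Z esx-01b.corp.local sshd[2100970]: Connection closed by 192.168.110.10 port 52701 [preauth]
2017-08-21T14:05:01Z esx-01b.corp.local sshd[2101002]: Failed password for root from 10.0.0.7 port 40110 ssh2
2017-08-21T14:05:03Z esx-01b.corp.local sshd[2101002]: Failed password for root from 10.0.0.7 port 40110 ssh2
2017-08-21T14:05:05Z esx-01b.corp.local sshd[2101002]: Failed password for root from 10.0.0.7 port 40110 ssh2
"""

_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
_ACCEPTED = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
_FAILED = re.compile(
    r"^Failed (?P<method>\w+) for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

BRUTE_FORCE_THRESHOLD = 3                  # failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window (my choice)


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def analyze_ssh_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious event, in log order."""
    findings: List[Dict[str, str]] = []
    failures = defaultdict(list)  # (host, source address) -> failure timestamps
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        host, msg, when = m["host"], m["msg"], _parse_ts(m["ts"])
        accepted = _ACCEPTED.match(msg)
        if accepted:
            # Direct root logins over SSH should be rare on ESXi (SSH is normally
            # disabled), so every one of them is worth recording, key-based or not.
            if accepted["user"] == "root":
                findings.append({"type": "root_login", "host": host, "src": accepted["src"],
                                 "method": accepted["method"], "at": m["ts"]})
            continue
        failed = _FAILED.match(msg)
        if not failed:
            continue
        key = (host, failed["src"])
        failures[key].append(when)
        if failed["invalid"]:
            # A name the host does not know: typo, probing, or a stale credential.
            findings.append({"type": "unknown_account", "host": host, "src": failed["src"],
                             "user": failed["user"], "at": m["ts"]})
        recent = [t for t in failures[key] if when - t <= BRUTE_FORCE_WINDOW]
        if len(recent) == BRUTE_FORCE_THRESHOLD:  # fire once, when the threshold is reached
            findings.append({"type": "brute_force", "host": host, "src": failed["src"],
                             "count": str(len(recent)), "at": m["ts"]})
    return findings


if __name__ == "__main__":
    for finding in analyze_ssh_log(SAMPLE_AUTH_LOG):
        print(finding)
```

The "Invalid user" line that sshd writes before the failure is deliberately ignored: the "Failed password for invalid user" line carries the same fact plus the source port, so counting both would double-count one attempt.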

 

Create Audit Query & Dashboard


VMware vRealize Log Insight delivers heterogeneous and highly scalable log management with intuitive, actionable dashboards, sophisticated analytics and broad third party extensibility, providing deep operational visibility and faster troubleshooting.

Intelligent and Extensible

Highly Scalable

Intuitive and Affordable

Free Log Insight for vCenter

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.  


 

Open vRealize Log Insight

 

We should still have the tab open for vRealize Log Insight from the previous lesson, but if you don't:

1. Click the vRealize Log Insight bookmark from the bookmark toolbar.

NOTE: if we still have the vRealize Log Insight tab open, we can skip to the "Switch to vRLI Tab" step.

 

 

Log in to vRealize Log Insight

 

If you already have vRealize Log Insight open in a tab already, you can skip Steps 1 - 3. Otherwise continue with the below steps:

  1. Select the Default (built-in) option from the drop-down menu.
  2. Type admin into the User name field.
  3. Type VMware1! into the Password field.
  4. Click on the LOGIN button.


 

 

Switch to vRLI Tab

 

If you still have the vRealize Log Insight tab open:

  1. Click on the vRealize Log Insight tab to return to it.

 

 

Dashboards

 

If not already on the Dashboards tab:

  1. Click on the Dashboards tab at the top of the user interface.

 

 

Dashboards General Overview

 

In the left Navigation Pane, we have several dashboard types. This list can vary depending on what VMware and 3rd Party Management Packs may be installed in vRealize Log Insight.  

  1. Custom Dashboards - Which include the My Dashboards and Shared Dashboards.
  2. Content Pack Dashboards -  These are the list of dashboards that have been installed via Content Packs.

NOTE: From within vRealize Log Insight, there is a link to the VMware Marketplace where we can find the various free and non-free VMware and 3rd party management packs. There are also management packs for VMware's other management solutions such as vRealize Operations Manager. The VMware Marketplace with the management packs for vRealize Log Insight can be found HERE.

 

 

Dashboards - Content Pane

 

Now let's look at the default Content Pane that is showing to the right of the Navigation Pane. We see some filtering options at the top of the Content Pane as well as numerous widgets below the filter options.

  1. Time Range. Here you can set the data time range from 5 minutes - 48 hours, or a custom time range, for the selected dashboard.
  2. Filters. Filters available to the selected dashboard are defined here, to focus the query only to relevant information.
  3. Widgets. The main panel contains Widgets for the selected dashboard. Widgets are a representation of the data selected in the preceding areas, displayed using graphs, charts, figures, and more.

NOTE: The various dashboards will most likely reflect slightly different data in them compared to the the screen shot.

 

 

Widget Information

 

In the upper right-hand corner of each widget, we see there are some option menus available.

The (3) options you have are:

 

 

Interactive Analytics

 

Interactive Analytics allows administrators and engineers to drill down into log messages to determine problem areas and to perform root cause analysis troubleshooting.

1. Click on Interactive Analytics tab.

 

 

Create Query

 

  1. In the query bar text field, type the word reboot.
  2. Click on + ADD FILTER link to add an additional search criteria.

 

 

Create Query

 

In the previous lesson, we powered on the My Encrypted VM1 virtual machine and then rebooted it. Now we will do a search for the log that reflects the reboot of the virtual machine. To do the search for the reboot task we accomplished:

  1. In the new filter, select text from the field drop-down and contains from the operator drop-down, then type administrator as the value.
  2. Change the time range from Latest 5 minutes of data to the Latest hour of data.
  3. Click the Magnifying glass to search for the criteria that you entered.
  4. We now see the logs which reflect the reboot of the My Encrypted VM1 virtual machine was performed by the Administrator account.

Note: vRealize Log Insight provides suggested queries and phrases based on indexed log files when typing for each input.  

 

 

Create Dashboard Based On Query

 

A very useful feature within vRealize Log Insight is the ability to create dashboards from queries we perform. So if an administrator has a query that they run on a daily basis, they can create a dashboard from a specific query. That enables the user to just review the dashboard without the need to run the query each time.

To create our own dashboard from the query we just ran for the reboot, perform the following tasks:

  1. Click the "Add current query to dashboard" button to save the query we just completed.

 

 

Save Dashboard

 

  1. Type Administrator Reboot Dashboard in the Name field.
  2. We will keep the defaults for the Dashboard and Widget drop-down menus as well as not enter any Notes into the text field.
  3. Click on the Add button.

NOTE: Feel free to take a look at the Dashboard and Widget drop-down menu options to see what the different options are.

 

 

Navigate to Dashboards

 

Now we will return to the Dashboards tab to go and look at the Administrator Reboot Dashboard that we just created.

  1. Click the Dashboards tab at the top of the screen.

 

 

Navigate to My Dashboards

 

  1. Under Custom Dashboards, click on the My Dashboards drop-down arrow to expand it so we can see the Dashboard 1 dashboard.
  2. Then click on the Dashboard 1 link.

 

 

Administrator Reboot Dashboard

 

vRealize Log Insight users have the ability to create custom dashboards and queries for a variety of items based on their needs. The out of the box content packs provide an idea of some common scenarios, but think about what other dashboards might be important to you.

  1. Click on the drop-down arrow to adjust the time value to Latest hour of data. If there are too many events, you can always reduce it down to a lower amount of time.
  2. Here we can see the new widget called Administrator Reboot Dashboard that we created from the Interactive Analytics screen that now exists in Dashboard 1. We should see the one entry of data from when we rebooted the virtual machine earlier.

NOTE: What you see in the widgets in the lab environment most likely will look different with the amount of data shown for that time period.

 

 

Create Audit Query & Dashboard - Complete

In this lesson on how to Create Audit Query & Dashboard, we ran a query for a reboot action completed by the Administrator account and saw the matching entries. We then saved that query as a widget on Dashboard 1 under My Dashboards and looked at the newly created widget there. vRealize Log Insight makes searching through unstructured logs simple, much like using a web search engine over your log data.

For more information on using vRealize Log Insight, please take Module 4: Introduction to vRealize Log Insight of the HOL-1811-02-SDC Getting Started with vSphere with Operations Management lab.

 

Security Operations Center (SOC) Content Pack


In this lesson, we will walk through a vRealize Log Insight Content Pack that one of VMware's own created and has been certified by VMware to be used in vRealize Log insight. This content pack is all about providing useful day-to-day operational security awareness for the virtual administrators.

The Security Operations Center (SOC) content pack provides event notifications related to numerous security events such as:

We will change some configurations of hosts and virtual machines in order to cause events and see them in their related dashboards.


 

Launch Google Chrome

 

If Google Chrome is not already open, you can either:

  1. Double-click the Google Chrome icon on the Main Console Desktop.
  2. Or click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, continue onto the next step.

 

 

vRealize Log Insight Bookmark

 

If the vRealize Log Insight tab is still open from the previous lesson, we can skip this step. Otherwise, perform the following step:

  1. Click on the vRLI Bookmark in the Bookmark Bar.

 

vRealize Log Insight should be still open and logged in from the last lesson. If it isn't, perform the following steps:

  1. Select Default (built-in) from the drop-down menu.
  2. Type admin for the User name.
  3. Type VMware1! for the Password.

 

 

Content Packs

 

We now want to go to where we can install a content pack into vRealize Log Insight.

  1. Click on the icon with the three lines in the upper right-hand corner of the interface.
  2. Then select Content Packs from the drop-down menu.

 

 

Import Content Pack

 

  1. Click on the + IMPORT CONTENT PACK link in the lower left-hand corner of the navigation pane.

 

 

Browse For File

 

  1. Click on the BROWSE button in the pop-up window.

 

 

Security Operations v1.0-RC7.vlcp

 

We have provided the Security Operations v1.0-RC7.vlcp file on the drive of the Control virtual machine we are working from. To install this content pack, perform the following tasks:

  1. Browse to the following path:  "C:\LabFiles\HOL-1811\"
  2. Select the Security Operations v1.0-RC7.vlcp file.
  3. Then click on the Open button.

 

 

Install as content pack

 

  1. Keep the default value of Install as content pack.
  2. Click on the IMPORT button.

 

 

Security Operations Setup Instructions

 

  1. Click on the OK button on the pop-up window to complete the import of the content pack.

 

 

Security Operations Content Pack

 

After clicking the OK button, it brings you directly into the Security Operations content pack dashboard.

  1. In the content pane, we see the details related to this content pack such as the different widgets and widget types that have been automatically installed as a part of this content pack.
  2. Use the Scroll bar to scroll down the page so we can see all of the associated content pack information.

 

 

Alerts

 

  1. Click on the Alerts tab in the content pane to see all the pre-configured alerts that are a part of this content pack.

NOTE: In order to see all of the widgets in the content pane, we will need to scroll down the page or potentially to the right to see all content.

 

 

Security Operations Dashboards

 

  1. Click on the arrow next to Security Operations under Content Pack Dashboards to expand the list of dashboards for the content pack. By default, it opens up to the Activity dashboard.

NOTE: In order to see all of the widgets in the content pane, we will need to scroll down the page or potentially to the right to see all content.

 

 

vCenter Actions Dashboard

 

We see in the Content Pane two of the default widgets are the vCenter Administrator Actions and the Count of vCenter Actions by Username which should contain some events in them. Feel free to click on each one of them to look into the information in more detail.

NOTE: In order to see all of the widgets in the content pane, we will need to scroll down the page or potentially to the right to see all content.

 

 

Login/Logout & API Invocations Dashboard

 

  1. Click on the Login/Logout & API Invocations link in the left Navigation Pane to see the associated events.
  2. You will need to scroll down the page to see all of the dashboards under this group of dashboards.

NOTE: The information and events in the various dashboards may look different than what is shown in the screen shot.

 

 

Other Widgets

 

  1. Go through and click on the remainder of the preconfigured dashboards under Security Operations to get an idea of what each of the associated dashboards show.
    • Firewall Events
    • ESXi Config Changes
    • VM Configuration Changes
    • VMRC/MKS Events
    • Datastore Browser Events
    • Permission Changes

NOTE: Being a lab environment, we will most likely not see any data in many of the dashboards, so we will need to make some changes to the lab environment in order to populate them.

 

 

vCenter Server Appliance Login

 

We will now log in to and out of the vcsa-01b vCenter Server Appliance management interface in order to create log entries that we can view in the dashboards of the content pack.

  1. In the Google Chrome browser, click on the New Tab icon.
  2. Click on the HOL Admin bookmark folder in the Bookmark Toolbar.
  3. Then click on vcsa-01b.corp.local from the drop-down menu.

 

 

Log Into vCenter Server Appliance

 

  1. Type root into the Username text field.
  2. Type VMware1! into the Password text field.
  3. Click on the Login button to log into the vCenter Server Appliance.

 

 

Log Off the vCenter Server Appliance

 

  1. Click on the Logout link in the upper right-hand corner of the content pane.

 

 

Close vCenter Server Appliance Tab

 

  1. Click on the "X" on the VMware Appliance Management tab to close it since we no longer need it open.

 

 

Switch to vRealize log Insight

 

  1. Click on the browser tab for vRealize log Insight to return to it.

 

 

vRealize log Insight - Login/Logout & API Invocations

 

  1. Click on the Login/Logout & API Invocations in the left navigation pane.
  2. We see that there are (2) Login/Logout events in the widgets which reflect that we logged into the appliance and logged off.
  3. If it takes you longer than (5) minutes to look at this dashboard after logging out of the appliance, you may have to change the time frame to Latest hour of data from the drop-down menu.

NOTE: As long as it doesn't take longer than (5) minutes to switch from the appliance management interface to the vRealize Log Insight interface, the default time selection of Latest 5 minutes of data will suffice. We may want to refresh the browser as well to ensure the dashboard is updated with the most recent data.

 

 

Return to the vSphere Web Client

 

  1. Return to the vSphere Web Client by clicking on the tab for it.

 

 

Hosts and Clusters

 

  1. Click on the Hosts and Clusters tab in the left Navigation Pane.
  2. Click on the arrow to expand everything under the vcsa-01b.corp.local vCenter server.
  3. Click on the esx-01b.corp.local host in the left Navigation Pane.

 

 

Security Profile

 

We are now going to turn on the ESXi Shell service, which is currently disabled, in order to view the change in one of the dashboards. Enabling the ESXi Shell (like enabling SSH) widens the host's attack surface, which is exactly why the content pack treats it as a configuration change worth alerting on; in a production environment you would disable it again once the work is done.

  1. Click on the Configure tab at the top of the content pane.
  2. In the content pane, click on Security Profile listed under System.
  3. Scroll down the page until you see Services using the scroll bar on the right side of the content pane.
  4. Click on the Edit button

 

 

ESXi Shell Service

 

  1. Click on the ESXi Shell service.
  2. Select Start and stop with host from the Startup Policy drop-down menu.
  3. To start it, click on the Start button.
  4. Click on the OK button to close the pop-up window.

 

 

Return to vRealize Log Insight

 

  1. To return to vRealize Log Insight, click on the Google Chrome tab for it.

 

 

ESXi Config Changes

 

In order to see the event where we turned on the ESXi Shell service, perform the following tasks:

  1. Click on the ESXi Config Changes link in the left Navigation Pane.
  2. We see that there are now events listed from when we modified the settings and turned on the ESXi Shell service. The events will look different in the screen shot compared to the lab environment as far as their colored bars and where they are located in the time-line.
  3. If it takes more than (5) minutes to switch from the vSphere Web Client to vRealize Log Insight, you can change the selection for the time to Latest hour of data if need be.

 

 

 

Return to vSphere Web Client

 

  1. Return to the vSphere Web Client by clicking on the tab for it.

 

 

Virtual Machine Configuration Changes

 

Now lets change the CPU and Memory of a virtual machine in order to see these virtual machine modifications in a dashboard.

  1. Right-click on the My Encrypted VM1 virtual machine.
  2. Click on Edit Settings from the drop-down menu.

NOTE: If you didn't start from the beginning of this module, you may not have the My Encrypted VM1 virtual machine to edit. If that is the case, feel free to use the w10-base-01b.corp.local virtual machine instead.

 

 

Edit VM Settings

 

  1. Change the *CPU drop-down menu from 2 to 1.
  2. Change the *Memory drop-down from 96 to 48.
  3. Then click on the OK button.

 

 

Return to vRealize Log Insight

 

  1. Return to vRealize log Insight by clicking on the Google Chrome tab for it.

 

 

VM Configuration Changes

 

We should now be able to see the virtual machine configuration changes by performing the following tasks:

  1. Click on VM Configuration Changes in the left navigation pane under Security Operations.
  2. We now see that the CPU and memory change we just made to the virtual machine appears as a change event in the VM Configuration Changes dashboard.

NOTE: If it takes more than (5) minutes to switch from the vSphere Web Client to vRealize Log Insight, you can change the selection for the time to Latest hour of data if need be.

 

 

Return to vSphere Web Client

 

  1. Return to the vSphere Web Client by clicking on the tab for it.

 

 

VMRC Console

 

One of the new dashboards monitors the launching of a virtual machine console, so we are going to do that with one of the KMS servers. Console access to a key management server is a good example of an interaction worth recording.

  1. Click on the kms-01b.corp.local virtual machine.
  2. Click on the Summary tab at the top of the content pane.
  3. Click on the gear icon in the console window.
  4. Select Launch Remote Console from the drop-down menu.

 

 

Close Remote Console

 

  1. Click on the "X" of the VMware Remote Console (VMRC) window to close out the remote console session.
  2. Click on the "X" for the "Untitled" Google Chrome tab to close out that tab as well.

 

 

Return to vRealize Log Insight

 

  1. To return to vRealize Log Insight, click on the Google Chrome tab for it.

 

 

VMRC/MKS Events

 

In order to see the event of launching a virtual machine's remote console, perform the following tasks:

  1. Click on VMRC/MKS Events in the left navigation pane.
  2. We now see that there is an event in the dashboards because we launched a VMRC console from within the vSphere Web Client.

NOTE: If it takes more than (5) minutes to switch from the vSphere Web Client to vRealize Log Insight, you can change the selection for the time to Latest hour of data if need be.
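The Create Query lesson and this content pack lesson both come down to the same operation: take the structured event stream vCenter Server 6.5 sends over syslog, pick out who did what, and file each event under a dashboard, with the risky ones raised as alerts. As an added example that is not part of the lab or of the Security Operations content pack, the following Python does that over constructed event records covering the actions taken in this module. The bracketed field layout of the records, the esx.audit.shell.enabled type identifier, the mapping from event types to dashboard names and the notion of "sensitive" VM name prefixes are all my assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of the vCenter Server 6.5 event syslog stream, covering the
# actions taken in this module: the guest reboot, a Web Client login, enabling
# the ESXi Shell, the CPU/memory change and the VMRC console to the KMS VM.
# The bracketed layout "Event [id] [part] [time] [eventTypeId] [severity]
# [user] [datacenter] [chainId] [message]" is my reading of the 6.5 stream and
# is an assumption; the esx.audit.shell.enabled type id is likewise assumed.
SAMPLE_EVENTS = """\
2017-08-21T14:10:02.118Z vcsa-01b.corp.local vpxd[7253]: Event [5101] [1-1] [2017-08-21T14:10:02.118Z] [vim.event.VmGuestRebootEvent] [info] [VSPHERE.LOCAL\\Administrator] [RegionB01] [5100] [Guest OS reboot for My Encrypted VM1 on esx-01b.corp.local in RegionB01]
2017-08-21T14:12:40.021Z vcsa-01b.corp.local vpxd[7253]: Event [5110] [1-1] [2017-08-21T14:12:40.021Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\\Administrator] [] [5110] [User VSPHERE.LOCAL\\Administrator@192.168.110.10 logged in as Mozilla/5.0]
2017-08-21T14:15:11.500Z vcsa-01b.corp.local vpxd[7253]: Event [5120] [1-1] [2017-08-21T14:15:11.500Z] [esx.audit.shell.enabled] [info] [VSPHERE.LOCAL\\Administrator] [RegionB01] [5120] [ESXi Shell access has been enabled on esx-01b.corp.local]
2017-08-21T14:17:05.330Z vcsa-01b.corp.local vpxd[7253]: Event [5130] [1-1] [2017-08-21T14:17:05.330Z] [vim.event.VmReconfiguredEvent] [info] [VSPHERE.LOCAL\\Administrator] [RegionB01] [5129] [Reconfigured My Encrypted VM1 on esx-01b.corp.local in RegionB01.  Modified: config.hardware.numCPU: 2 -> 1; config.hardware.memoryMB: 96 -> 48;  Added:  Deleted: ]
2017-08-21T14:19:44.902Z vcsa-01b.corp.local vpxd[7253]: Event [5140] [1-1] [2017-08-21T14:19:44.902Z] [vim.event.VmRemoteConsoleConnectedEvent] [info] [VSPHERE.LOCAL\\Administrator] [RegionB01] [5140] [Remote console connected to kms-01b.corp.local on host esx-01b.corp.local]
"""

_RECORD = re.compile(
    r"^(?P<syslog_ts>\S+) (?P<source>\S+) vpxd\[\d+\]: Event "
    r"\[(?P<id>\d+)\] \[(?P<part>[^\]]*)\] \[(?P<time>[^\]]*)\] \[(?P<type>[^\]]*)\] "
    r"\[(?P<severity>[^\]]*)\] \[(?P<user>[^\]]*)\] \[(?P<datacenter>[^\]]*)\] "
    r"\[(?P<chain>[^\]]*)\] \[(?P<message>.*)\]$")


def parse_events(text: str) -> List[Dict[str, str]]:
    events = []
    for raw in text.splitlines():
        m = _RECORD.match(raw)
        if m:
            rec = m.groupdict()
            rec["raw"] = raw
            events.append(rec)
    return events


def query(events: List[Dict[str, str]], *terms: str) -> List[Dict[str, str]]:
    """Case-insensitive 'contains every term' over the whole record: the same
    thing the Interactive Analytics text box plus a 'contains' filter did."""
    wanted = [t.lower() for t in terms]
    return [e for e in events if all(t in e["raw"].lower() for t in wanted)]


_REBOOT = re.compile(r"Guest OS reboot for (?P<vm>.+?) on ")


def who_rebooted_what(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """The 'reboot' + 'administrator' query from the earlier lesson, as (user, vm, time)."""
    out = []
    for e in query(events, "reboot", "administrator"):
        m = _REBOOT.search(e["message"])
        if m:
            out.append((e["user"], m["vm"], e["time"]))
    return out


# Dashboard to file each event under, by event type prefix. The mapping is my own
# approximation built from the dashboard names seen in this lesson.
DASHBOARD_RULES = [
    ("vim.event.UserLoginSessionEvent", "Login/Logout & API Invocations"),
    ("vim.event.UserLogoutSessionEvent", "Login/Logout & API Invocations"),
    ("vim.event.VmReconfiguredEvent", "VM Configuration Changes"),
    ("vim.event.VmRemoteConsoleConnectedEvent", "VMRC/MKS Events"),
    ("vim.event.VmRemoteConsoleDisconnectedEvent", "VMRC/MKS Events"),
    ("vim.event.Permission", "Permission Changes"),  # PermissionAdded/Updated/Removed
    ("esx.audit.", "ESXi Config Changes"),
]


def dashboard_for(event: Dict[str, str]) -> str:
    for prefix, name in DASHBOARD_RULES:
        if event["type"].startswith(prefix):
            return name
    return "vCenter Actions"  # everything else lands on the general Activity view


def dashboard_counts(events: List[Dict[str, str]]) -> Counter:
    return Counter(dashboard_for(e) for e in events)


_CONSOLE = re.compile(r"Remote console connected to (?P<vm>.+?) on host ")


def high_risk_alerts(events, sensitive_vm_prefixes=("kms-",)) -> List[Dict[str, str]]:
    """Events an analyst should see immediately rather than find on a dashboard."""
    alerts = []
    for e in events:
        t = e["type"]
        if t.startswith("esx.audit.") and ("shell" in t or "ssh" in t) and t.endswith("enabled"):
            alerts.append({"reason": "remote_shell_enabled", "user": e["user"], "message": e["message"]})
        elif t == "vim.event.VmRemoteConsoleConnectedEvent":
            m = _CONSOLE.search(e["message"])
            if m and m["vm"].startswith(sensitive_vm_prefixes):
                alerts.append({"reason": "console_to_sensitive_vm", "user": e["user"], "vm": m["vm"]})
        elif t.startswith("vim.event.Permission"):
            alerts.append({"reason": "permission_change", "user": e["user"], "message": e["message"]})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(who_rebooted_what(evs))
    print(dict(dashboard_counts(evs)))
    for alert in high_risk_alerts(evs):
        print(alert)
```

The dashboard mapping keys on the event type identifier rather than on message text, which is the point of the structured stream: a query on the words "reboot" and "administrator" works for the demo, but a rule on vim.event.VmGuestRebootEvent keeps working when the message wording changes or the user is not named administrator.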

 

 

Close vRealize Log Insight Tab

 

  1. Click on the "X" on the vRealize Log Insight tab to close it out since we no longer need it open.

 

 

Security Operations Center (SOC) Content Pack - Complete

That completes this lesson on the vRealize Log Insight Security Operations Center (SOC) Content Pack. We walked through the process of installing a content pack into vRealize Log Insight and then looked at the pre-configured dashboards that this content pack provides for security events. We then made configuration changes to a virtual machine and a host, launched a remote console, and logged in and out of the appliance in order to see these security events appear in the dashboards.

If interested in downloading and installing the Security Operations Center (SOC) Content Pack, you can find it at either one of the below links:

Also, Edward L. Haletky will be presenting a VMworld US 2017 session covering his Security Operations Center (SOC) Content Pack. If interested in attending his VMworld US 2017 session, register for the below session:

 

Conclusion


Congratulations on completing Module 2!

Leveraging vRealize Log Insight to audit who did what is a valuable capability for security administrators analyzing security incidents in the Software-Defined Data Center. In this module we looked at the new logging features in vSphere 6.5 as well as the Security Operations Center content pack, and we built a query that shows exactly who rebooted a machine.

Proceed to the next module (Module 3 - Add KMS Servers, Encrypt/Decrypt VMs, & Using PowerCLI), or feel free to skip to any other module below which interests you most.


 

Additional VMworld US 2017 Resources:

In this module, you learned about Forensic Security with vRealize Log Insight. Below, we have provided you with additional resources related to this module that we thought you might find useful. We highly recommend that you attend the below VMworld session which goes into more detail on aspects of what you learned in this module.  

Additionally, one of VMware's own has created their own vRealize Log Insight Content Pack called Security Operations Center (SOC). If you are interested in taking a look at it or downloading it to use with your instance of vRealize Log Insight, go to the below blog article for more information.

 

 

vSphere & vCenter Server 6.5 Enhanced Log Resources:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue on to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 3 - VM Encryption and Encrypted vMotion (60 minutes)

Introduction


This module (Module 3 - Add KMS Servers, Encrypt/Decrypt VMs, & Using PowerCLI) shows us the new vSphere 6.5 security feature of encrypting virtual machines. Encryption in vSphere 6.5 is implemented via Storage Policies. Applying an encryption storage policy to an existing powered-off virtual machine encrypts the disk. This has become a highly requested feature for businesses that need to meet today's security requirements.

The key differentiators between this solution and others are that encryption is done below the virtual machine, is virtual machine agnostic and policy based, and, most of all, is easy to incorporate into your management workflows. The follow-on PowerCLI examples will drive that home.

In this module, we have already deployed the (2) HyTrust KMS servers required to take advantage of encrypting Virtual Machines.

In this module, we will perform the following actions:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.


 

Key Features

Below are the key features of vSphere virtual machine encryption:

 

 

Encrypting a Virtual Machine

 

Encryption is managed via Storage Policies. This is an overview of the steps involved:

  1. Register a virtual machine on a host and configure the (new or existing) virtual machine with an Encryption Enabled storage policy and a KMIP server.
  2. vCenter gets a key from the KMIP server; that key is used to encrypt the virtual machine files and the virtual machine disks.
  3. vCenter server loads the key into the ESXi hosts. All hosts that don't have the key will get the key to support Distributed Resource Scheduler (DRS) / High Availability (HA).
  4. Once the key is loaded into the KeyCache on the ESXi host, encryption and decryption of the disk happen at the IO Filter (introduced in 6.0 U1) level.

 

 

Encrypted vMotion

 

In this lesson, we will show you how to perform the steps for encrypted vMotion of a virtual machine. You can encrypt the vMotion of any virtual machine, encrypted or not. Encrypted virtual machines will always use encrypted vMotion. The point to make is that if we are running a mixed cluster and have a requirement for encrypted vMotion, then setting it to "Required" will not let you vMotion to a host that doesn't support it, such as a vSphere 6.0 host.

With the rise in popularity of Hybrid Cloud Computing, where VM sensitive data leaves the traditional IT environment and traverses over the public networks, IT administrators and architects need a simple and secure way to protect critical virtual machine data that traverses across clouds and over long distances. The Encrypted vMotion feature available in VMware vSphere® 6.5 addresses this challenge by introducing a software approach that provides end-to-end encryption for vMotion network traffic. The feature encrypts all the vMotion data inside the vmkernel by using the most widely used AES-GCM encryption standards, and thereby provides data confidentiality, integrity, and authenticity even if vMotion traffic traverses untrusted network links.

A new white paper, “VMware vSphere 6.5 Encrypted vMotion Architecture, Performance and Best Practices”, is now available. In that paper, we describe the vSphere 6.5 Encrypted vMotion architecture and provide a comprehensive look at the performance of live migrating virtual machines running typical Tier 1 applications using vSphere 6.5 Encrypted vMotion. Tests measure characteristics such as total migration time and application performance during live migration. In addition, we examine vSphere 6.5 Encrypted vMotion performance over a high-latency network, such as that in a long distance network. Finally, we describe several best practices to follow when using vSphere 6.5 Encrypted vMotion.

 

 

Encryption With PowerCLI

VMware announced that our virtual machine encryption engineering team has released a PowerCLI module for virtual machine Encryption! In case you weren’t aware, there’s a Github repository of VMware PowerShell modules. Check them out!

Included in there is the new PowerCLI module for virtual machine encryption. It’s chock full of lots of great cmdlets and new VI Properties that make your day to day management of vSphere 6.5 VM Encryption easier to automate. The goal here is to help you operationalize security as easily as possible. If you can’t make security easy to incorporate into your day to day operations then people will find a way to not do it.

Encrypting a virtual machine shouldn’t mean having to manage an encryption solution IN the virtual machine. It should be as simple as “Get-VM” and piping that to “Enable-VMEncryption”, right? Well, with VM Encryption it IS! We will take a look at some of the PowerCLI commands to use for encrypting virtual machines in this lab.

Performing encryption tasks is a more advanced topic which we will cover in more detail in Module 7: PowerCLI for VM Encryption.

 

 

vSphere 6.5 Encryption Gotchas!

 

 

Some KMIP 1.1 Compatible Key Managers

 

Key Management is based on the industry standard, KMIP 1.1. In vSphere vCenter, there is a KMIP client that works with a large number of KMIP 1.1 key managers, which brings choice and flexibility to customers. Virtual machine keys do not persist in the vCenter server. Most KMIP 1.1 compliant key managers are compatible with vSphere 6.5, but the best practice is to verify with the VMware compatibility matrix to be 100% sure!

 

Configure Hytrust KMS Server in vCenter Server


In this lesson, we will add (2) HyTrust KMS servers, which allow us to encrypt virtual machines as well as use encrypted vMotion. Without a trust established between the vCenter server and one or more KMS servers, we would not be able to take advantage of the new vSphere 6.5 encryption capabilities.


 

Launch Google Chrome

 

If Google Chrome is not already open, you can either:

  1. Double-click the Google Chrome icon on the Main Console Desktop.
  2. Or click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, click on the New Tab icon to open a new tab.

 

 

RegionB vCenter Server

 

Do the below step if you are opening a new Google Chrome browser window; otherwise, you can skip this step:

  1. Click on the RegionB vCenter bookmark in the Bookmark Toolbar.

 

 

Log into RegionB vCenter Server

 

If already logged into the RegionB vCenter server, you can skip the below steps. If you aren't, complete steps 1 - 3:

  1. Type administrator@corp.local in the User name text field.
  2. Type VMware1! into the Password text field.
  3. Click on the Login button.

 

 

Home Menu

 

  1. Click on the Home icon at the top of the screen.
  2. Select Global Inventory Lists in the Home drop-down menu.

 

 

Select vCenter Server

 

  1. Select vCenter Servers in the left Navigation Pane.

 

 

vcsa-01b.corp.local

 

  1. Click on the vcsa-01b.corp.local vCenter Server.

 

 

Add HyTrust Key Manager (KMS) Server

 

In order to use any type of encryption in vSphere, we must first have a Key Management Server (KMS) up and running. Then we have to add at least (1) KMS server to vCenter server and configure the trust relationship between the KMS and vCenter servers. So the first thing we need to do is add a KMS server to vCenter; perform the following tasks to accomplish this:

  1. Click on the Configure tab in the content pane.
  2. Click on Key Management Servers under the More category.
  3. Click on the green + Add KMS... icon in the content pane.

NOTE: Be sure that the vcsa-01b.corp.local vCenter server is selected and NOT the vcsa-01a.corp.local vCenter server!

 

 

vcsa-01b.corp.local - Add KMS

 

  1. Keep the default selection <Create new cluster> in the KMS cluster drop-down menu.
  2. Type HyTrust KMS Cluster 1 in the Cluster name text field.
  3. Type HyTrust KMS Server 1 in the Server alias text field.

 

 

vcsa-01b.corp.local - Add KMS (continued)

 

  1. Type kms-01b.corp.local in the server address text field.
  2. Type 5696 in the Server port text field.
  3. Click on the OK button.

 

 

vcsa-01b.corp.local - Default KMS Server

 

  1. Click on the Yes button to accept it as the default KMS server.

 

 

vcsa-01b.corp.local - Trust Certificate

 

  1. Click on the Trust button.

NOTE: Clicking the Trust button suggests that the trust relationship between the KMS and vCenter server has been configured. However, that is not the case; we still have to configure the trust relationship between the servers manually.

 

 

Add Second HyTrust KMS Server to HyTrust Cluster

 

Now we will add the second HyTrust KMS server to the vCenter server and create a trust relationship between them.

  1. Click on the + Add KMS icon to add a new KMS server.

 

 

vcsa-01a.corp.local - Add KMS

 

  1. Select <Create new cluster> in the KMS cluster drop-down menu.
  2. Type HyTrust KMS Cluster 2 in the Cluster name text field.
  3. Type HyTrust KMS Server 2 in the Server alias text field.

 

 

vcsa-01a.corp.local - Add KMS (continued)

 

  1. Type kms-02b.corp.local in the server address text field.
  2. Type 5696 in the Server port text field.
  3. Click on the OK button.

 

 

Trust Certificate

 

  1. Click on the Trust button.

 

 

Create Trust For HyTrust KMS Server 1

 

We see that both of the HyTrust KMS servers are showing their Connection State with a red exclamation point stating Cannot establish a trust connection. With the HyTrust KMS servers, we have to establish the trust manually even though we clicked on the Trust button in the previous pop-up window.

To create the trust relationship between the HyTrust KMS Server 1 and the vCenter server:

  1. Select the HyTrust KMS Server 1 (kms-01b.corp.local) from under the HyTrust KMS Cluster.
  2. Click Establish trust with KMS icon.

 

 

Create Trust For HyTrust KMS Server 1 - Upload certificate and private key

 

  1. Click on the Upload certificate and private key radio button.
  2. Click on the OK button.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

 

  1. Click on the Upload file button at the top half of the pop-up window.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\LabFiles\HOL-1811\vcsa01b\"
  2. Select the vcsa01b.pem file.
  3. Click on the Open button.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

 

  1. Click on the Upload file button.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

  1. Browse to the following path "C:\LabFiles\HOL-1811\vcsa01b\"
  2. Select the vcsa01b.pem file.
  3. Click on the Open button.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

 

  1. Click on the OK button.

 

 

Create Trust For HyTrust KMS Server 2

 

To create the trust relationship between the HyTrust KMS Server 2 and the vCenter server:

  1. Select the HyTrust KMS Server 2 from under the HyTrust KMS Cluster.
  2. Click Enable trust with KMS icon.

NOTE: At this point we have set up the trust with one HyTrust KMS server, so the other one does not strictly need to be set up as well. Because we configured the HyTrust KMS servers in a cluster, once the trust is configured on one, the other picks it up too, and both will then show a trust between the vCenter server and the HyTrust servers.

 

 

Create Trust For HyTrust KMS Server 2 - Upload certificate and private key

 

  1. Click on the Upload certificate and private key radio button.
  2. Click on the OK button.

 

 

Create Trust For HyTrust KMS Server 2 - Upload Certificate

 

  1. Click on the Upload file button at the top half of the pop-up window.

 

 

Create Trust For HyTrust KMS Server 2 - Upload Certificate

 

  1. Browse to the following path "C:\LabFiles\HOL-1811\vcsa01b\"
  2. Select the vcsa01b.pem file.
  3. Click on the Open button.

 

 

Create Trust For HyTrust KMS Server 2 - Upload Certificate

 

  1. Click on the Upload file button at the top half of the pop-up window.

 

 

Create Trust For HyTrust KMS Server 2 - Upload Certificate

 

  1. Browse to the following path "C:\LabFiles\HOL-1811\vcsa01b\"
  2. Select the vcsa01b.pem file.
  3. Click on the Open button.

 

 

Create Trust For HyTrust KMS Server 2 - Upload Certificate

 

  1. Click on the OK button.

 

 

HyTrust KMS Server Cluster - Trust Certificate Status

 

  1. For both KMS servers, the Connection Status should show a green check mark and say Normal, and the Certificate Status should show green check marks as well.
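The same check can be scripted from PowerCLI, which is useful when you have more than two KMS servers to audit or want to re-verify the trust after a certificate change. The following is an added example written for this lesson; it is not part of the lab manual or of VMware's tooling. It assumes an existing PowerCLI 6.5 (or later) session opened with Connect-VIServer to vcsa-01b.corp.local, and uses the vSphere 6.5 CryptoManagerKmip API (ListKmipServers, RetrieveKmipServersStatus, IsKmsClusterActive, UploadClientCert); the function names are this example's own.

```powershell
# Added example, not part of the lab manual. Reports the KMS trust state the
# "Trust Certificate Status" step shows in the Web Client, and optionally performs
# the "Upload certificate and private key" step from PowerCLI.
# Assumptions: PowerCLI 6.5+ session already opened with Connect-VIServer
# (vcsa-01b.corp.local in this lab); function names are this example's own.

function Get-KmsTrustReport {
    param(
        [Parameter(Mandatory)] $VIServer   # the object returned by Connect-VIServer
    )
    # On vCenter 6.5 ServiceContent.CryptoManager refers to a CryptoManagerKmip object
    $cm = Get-View -Id $VIServer.ExtensionData.Content.CryptoManager -Server $VIServer

    # One KmipClusterInfo per registered KMS cluster ("HyTrust KMS Cluster 1", "... 2")
    $clusters = $cm.ListKmipServers($null)
    if (-not $clusters) { throw "No KMS cluster is registered in $($VIServer.Name)" }

    # vCenter contacts every server in the clusters and reports connection and trust state
    $status = $cm.RetrieveKmipServersStatus($clusters)

    foreach ($cluster in $status) {
        $info = $clusters | Where-Object { $_.ClusterId.Id -eq $cluster.ClusterId.Id }
        foreach ($srv in $cluster.Servers) {
            [pscustomobject]@{
                Cluster           = $cluster.ClusterId.Id
                IsDefault         = [bool]$info.UseAsDefault          # the "default KMS server" prompt
                ClusterActive     = $cm.IsKmsClusterActive($cluster.ClusterId)
                Server            = $srv.Name                          # e.g. HyTrust KMS Server 1
                Status            = $srv.Status                        # green == "Normal" in the GUI
                ConnectionStatus  = $srv.ConnectionStatus
                ClientTrustServer = $srv.ClientTrustServer             # vCenter trusts the KMS certificate
                ServerTrustClient = $srv.ServerTrustClient             # the KMS trusts vCenter's client certificate
            }
        }
    }
}

function Set-KmsClientTrust {
    # Equivalent of "Establish trust with KMS" > "Upload certificate and private key".
    param(
        [Parameter(Mandatory)] $VIServer,
        [Parameter(Mandatory)] [string] $ClusterId,   # KMS cluster name, e.g. "HyTrust KMS Cluster 1"
        [Parameter(Mandatory)] [string] $PemPath      # e.g. C:\LabFiles\HOL-1811\vcsa01b\vcsa01b.pem
    )
    $cm  = Get-View -Id $VIServer.ExtensionData.Content.CryptoManager -Server $VIServer
    $pem = Get-Content -Path $PemPath -Raw
    $kp  = New-Object VMware.Vim.KeyProviderId
    $kp.Id = $ClusterId
    # The lab's PEM file holds both the client certificate and its private key,
    # which is why the GUI has you upload the same file for both fields.
    $cm.UploadClientCert($kp, $pem, $pem)
}

# Usage:
# Get-KmsTrustReport -VIServer $global:DefaultVIServer | Format-Table -AutoSize
# Set-KmsClientTrust -VIServer $global:DefaultVIServer -ClusterId 'HyTrust KMS Cluster 1' `
#     -PemPath 'C:\LabFiles\HOL-1811\vcsa01b\vcsa01b.pem'
```

What to look for in the report: every server row should have Status green and both trust flags True. ClientTrustServer False means vCenter has not accepted the KMS certificate (the Trust button step); ServerTrustClient False means the KMS has not been given vCenter's client certificate, which is exactly the manual upload step the HyTrust servers need.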

 

 

HyTrust KMS Server

 

Even though in the previous step we saw that the trust connections for both HyTrust servers were showing Normal with a green check mark, we want to be sure that the KMS server cluster is showing good in the HyTrust KMS server web portal as well. Perform the following steps to accomplish that:

  1. Click on the New Tab icon in the Google Chrome browser.
  2. Type https://192.168.210.91 into the address bar.

 

 

HyTrust KMS Server - Login

 

  1. Type secroot in the Username text field.
  2. Type VMware123! in the Password text field.
  3. Then click on the Sign-in button.

IMPORTANT NOTE: If you get a message saying you need to change the password, go ahead and change it to VMware1234!. Once you have changed the password, it will change it for the "secroot" account on BOTH HyTrust KMS servers. For the remainder of this lab instance, that will be the password we will use to log into the HyTrust KMS servers administrative portal interface. If you end the lab and relaunch the lab again, that will be a new instance of the lab, so the password will be the original one that is listed in the steps above.

 

 

HyTrust KMS Cluster - Verify Status

 

Although we only added one HyTrust KMS server and created the trust relationship with vCenter, we still look at the "cluster" within the HyTrust web client to see the status of the server. So ignore the name "cluster" to avoid any confusion with an actual clustered server configuration that we might normally think of.

  1. After logging into the HyTrust KMS Server portal, if you see the green heart image over the CLUSTER tab, then the HyTrust KMS Server is running properly.

NOTE: If you see a red image on the CLUSTER tab, then there is an issue and we need to reboot the HyTrust KMS Server.

 

 

Reboot Default HyTrust KMS Server (if needed)

 

Only do the below steps if the HyTrust KMS server cluster showed red on the cluster tab; if it showed the green heart, skip the below steps.

  1. Return to the vSphere Web Client by clicking on the vSphere Web Client tab in Google Chrome.
  2. Click on the default HyTrust KMS server kms-01b.corp.local virtual machine.
  3. Click on the Restart on the guest operating system of the selected virtual machines icon.

NOTE: It will take a minute or two for the HyTrust KMS server to come fully online.

 

 

HyTrust KMS Server Portal Tab (if needed)

 

Only do the below steps if the HyTrust KMS server cluster showed red on the cluster tab; if it showed the green heart, skip the below steps.

  1. Click on the HyTrust KeyControl tab in Google Chrome.

 

 

HyTrust KMS Server Portal - Sign-in (if needed)

 

Only do the below steps if the HyTrust KMS server cluster showed red on the cluster tab; if it showed the green heart, skip the below steps.

  1. Type secroot in the Username text field.
  2. Type VMware123! in the Password text field.
  3. Then click on the Sign-in button.

IMPORTANT NOTE: If you get a message saying you need to change the password, go ahead and change it to VMware1234!. Once you have changed the password, it will change it for the "secroot" account on BOTH HyTrust KMS servers. For the remainder of this lab instance, that will be the password we will use to log into the HyTrust KMS servers administrative portal interface. If you end the lab and relaunch the lab again, that will be a new instance of the lab, so the password will be the original one that is listed in the steps above.

 

 

HyTrust KMS Server Portal - Cluster Status (if needed)

 

Only do the below steps if the HyTrust KMS server cluster showed red on the cluster tab; if it showed the green heart, skip the below steps.

  1. Confirm that we now have a green heart icon over the CLUSTER tab.

NOTE: If we have the green heart over the CLUSTER tab now, that means the HyTrust KMS server is working properly and can provide encryption keys upon request. If for any reason we still do not see the green heart, please ask one of the proctors for assistance by raising your hand either within the Hands On Lab user interface under the Help menu or by literally raising your hand to get a proctor's attention.

 

 

Close HyTrust KeyControl Tab

 

  1. Click on the "X" to close the HyTrust KeyControl tab in Google Chrome.

 

 

Configure HyTrust KMS Server in vCenter Server - Complete

We have completed this lesson and the associated tasks of adding (2) HyTrust KMS servers in a clustered configuration within the vCenter server. We also configured the trust relationships between the (2) KMS servers and the vCenter server by uploading certificates for one of the HyTrust KMS servers. By virtue of being in a clustered configuration, once one server was configured with the trust, the other one automatically picked it up as well.

We also see the first HyTrust KMS server that was added was automatically selected as the Default KMS server for the cluster.

 

Create Two New Virtual Machines


In this lesson, we will create (2) new virtual machines within the vSphere Web Client. We will use these (2) new virtual machines in the lesson on how to encrypt virtual machines.


 

Home Menu

 

From within the vSphere Web Client of vcsa-01b.corp.local, we will now go to the VMs and Templates view.

  1. Click on the Home icon at the top of the Content Pane.
  2. Select VMs and Templates from the Home drop-down menu.

Under the Inventories area, click on the Content Libraries icon.

 

 

Tiny-VM Template

 

We are going to create (2) virtual machines, which we will then encrypt and decrypt using the Graphical User Interface (GUI) as well as PowerCLI commands in the rest of this module.

  1. If need be, click on the arrow next to the vcsa-01b.corp.local vCenter server and expand it until you see all the virtual machines.
  2. Right-click on the Tiny-VM template.
  3. Select New VM from This Template.

 

 

Create My Encrypted VM2 - Select a name and folder

 

  1. Type My Encrypted VM2 in the Enter a name for the virtual machine text field.
  2. Select the RegionB01 datacenter listed under the vcsa-01b.corp.local vCenter server.
  3. Click on the Next button.

 

 

Create My Encrypted VM2 - Select a compute resource

 

  1. Click on the RegionB01-COMP01 cluster listed under the RegionB01 datacenter.
  2. Verify that it says Compatibility checks succeeded under Compatibility.
  3. Click on the Next button.

 

 

Create My Encrypted VM2 - Select Storage

 

  1. Keep the default settings for the Select virtual disk format and VM storage policy.
  2. Verify that it says Compatibility checks succeeded under Compatibility.
  3. Click on the Next button.

NOTE: Keep in mind that one capability that is not available yet is the ability to assign an encryption storage policy when deploying a virtual machine from a Template. So for now we just select the default storage policy and will assign the encryption storage policy after the virtual machine is created.

 

 

Create My Encrypted VM2 - Select clone options

 

  1. Keep the default network settings and click on the Next button.

 

 

Create My Encrypted VM2 - Summary

 

  1. Review all the settings to make sure they are correct.
  2. Click on the Finish button.

 

 

Create My Encrypted VM3 Virtual Machine

 

  1. Right-click on the Tiny-VM template.
  2. Select New VM from This Template.

 

 

Create My Encrypted VM3 - Select a name and folder

 

  1. Type My Encrypted VM3 in the Enter a name for the virtual machine text field.
  2. Select the RegionB01 datacenter under the vcsa-01b.corp.local vCenter server.
  3. Click on the Next button.

 

 

Create My Encrypted VM3 - Select a compute resource

 

  1. Select the RegionB01-COMP01 cluster under the RegionB01 datacenter.
  2. Verify that it says Compatibility checks succeeded under Compatibility.
  3. Click on the Next button.

 

 

Create My Encrypted VM3 - Select storage

 

  1. Keep the default settings and verify that it says Compatibility checks succeeded under Compatibility.
  2. Click on the Next button.

NOTE: Keep in mind that one capability that is not available yet is the ability to assign an encryption storage policy when deploying a virtual machine from a Template. So for now we just select the default storage policy and will assign the encryption storage policy after the virtual machine is created.

 

 

Create My Encrypted VM3 - Select clone options

 

  1. Keep the default settings for the options and click on the Next button.

 

 

Create My Encrypted VM3 - Summary

 

  1. Verify that all the settings are correct, then if correct, click on the Finish button.

Now that we have finished creating (2) new virtual machines named My Encrypted VM2 and My Encrypted VM3, we will be able to use them for the virtual machine encryption lessons. Next we need to create an encryption policy that we can assign to virtual machines.

 

 

Create (2) Virtual Machines - Complete

We have completed this lesson which consisted of creating two virtual machines. So in the next lesson, we get to create an Encrypted Storage Policy. Then after that we can assign the Encrypted Storage Policy to the virtual machines we just created.

 

Create an Encrypted Storage Policy


In this lesson, we will walk through the process of creating an Encrypted Storage Policy. We can then assign the policy to existing virtual machines. We won't actually be using the encrypted storage policy that we create here in later lessons, since there is already another encrypted storage policy available. This lesson is meant just to show how to go about creating a new storage policy.


 

Create Encryption Policy

 

From within the vSphere Web Client of vcsa-01b.corp.local, we will now go to the Policies and Profiles view.

  1. Click on the Home icon at the top of the page.
  2. Click on Policies and Profiles from the drop-down menu.

 

 

Navigate to VM Storage Policies

 

  1. Select the vcsa-01b.corp.local vCenter server from the drop-down menu.
  2. Select VM Storage Policies in the left Navigation Pane.

 

 

Create a New VM Storage Policy

 

  1. Click on the Create VM Storage Policy icon at the top of the Content Pane.

NOTE: You may see a slightly different list of VM Storage Policies in your lab environment from what you see in the screen capture.

 

 

Create New VM Storage Policy - Name and description

 

  1. Select vcsa-01b.corp.local in the vCenter Server drop-down menu.
  2. Type My Encryption Policy in the Name text field. (If that name is already in use, modify the name slightly to make it unique.)
  3. Click on the Next button.

 

 

Create New VM Storage Policy - Policy Structure

 

  1. This is just an informational page, click on the Next button.

 

 

Create New VM Storage Policy - Common rules for data services provided by hosts

 

Here is where we make the selections so that when we encrypt a virtual machine, it will use the default encryption properties.

  1. Select the check box for Use common rules in the VM storage policy.
  2. Click on the +Add Components button.
  3. Select Encryption from the drop-down menu.
  4. Select Default encryption properties from the Encryption selection.

 

 

Create New VM Storage Policy - Common rules for data services provided by hosts (continued)

 

  1. Once we have selected the default encryption properties, we should now see the status that we are using the Default encryption properties.
  2. Click on the Next button.

 

 

Create New VM Storage Policy - Rule-Set1

 

  1. Uncheck the Use rule-sets in the storage policy box.
  2. Click on the Next button.

NOTE:  Be sure that the check box for Use rule-sets in the storage policy is UN-CHECKED!

 

 

Create New VM Storage Policy - Storage compatibility

 

  1. Accept the defaults and click on the Next button.

NOTE: You may see different capacity numbers in your lab environment compared to what you see in the screen capture.

 

 

Create New VM Storage Policy - Ready to complete

 

This is the summary screen to check all of the settings we made during the configuration process, be sure they are correct before proceeding to the next step:

  1. Click on the Finish button to complete the process of creating a new encryption storage policy.

 

 

Create New VM Storage Policy - List

 

  1. We should now see our new storage policy named My Encryption Policy in the list.

NOTE: there is also a previously configured encryption storage policy called VM Encryption Policy.

 

 

Create an Encrypted Storage Policy - Complete

We have completed the Create an Encrypted Storage Policy lesson. Next we will apply an encryption storage policy to the virtual machines we created earlier.

 

Encrypt VMs Using HyTrust KMS Server 1


In this lesson, we will encrypt a virtual machine using the first HyTrust KMS server that we added. The first KMS server added to the vCenter server will always be the default KMS server unless you specifically select it not to be the default server.


 

Home Menu

 

From within the vSphere Web Client of vcsa-01b.corp.local, we will now go to the Hosts and Clusters view.

  1. Click on the Home icon at the top of the content pane.
  2. Select Hosts and Clusters from the Home drop-down menu.

 

 

Edit VM Storage Policies

 

We will now edit the VM Storage Policies of (2) virtual machines at the same time in order to encrypt them.

  1. Click on the RegionB01-COMP01 cluster under the vcsa-01b.corp.local vCenter server.
  2. Select the VMs tab at the top of the content pane.
  3. Right-click on BOTH My Encrypted VM1 and My Encrypted VM2 virtual machines by holding down the Ctrl Key (Command key for Mac) while selecting both virtual machines with the mouse.
  4. Select VM Policies from the drop-down menu.
  5. Select the Edit VM Storage Policies from the VM Policies drop-down menu.

 

 

Edit VM Storage Policies - Perform this action on 2 objects?

 

  1. Click the Yes button on the Edit VM Storage Policies pop-up window since we want to change the storage policy on both virtual machines at once.

 

 

Apply My Encryption Policy

 

  1. Select the My Encryption Policy radio button.
  2. Click on the OK button.

 

 

Select My Encrypted VM2

 

Now let's verify that the virtual machines' VM Storage Policies were changed and that they are now encrypted virtual machines.

  1. Click on the My Encrypted VM2 virtual machine in the left Navigation Pane.

 

 

My Encrypted VM2 - VM Storage Policies Compliance

 

  1. In the content pane, scroll down to the bottom of the page until you see the VM Storage Policies widget.
  2. We should now see that the My Encryption Policy has been assigned to the virtual machine and is also compliant which is represented by a green check mark.

 

 

VM Storage Policy - Not Compliant

 

If for any reason the VM Storage Policy widget has no information in it after a minute or two or says that it is not compliant:

  1. Click on the Check Compliance link to update the compliance information.

NOTE: After clicking on the Check Compliance link, it should update the information in less than a minute and show compliant. If the status doesn't change, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.

 

 

Decrypt My Encrypted VM2

 

Now that we encrypted the virtual machine, we are going to show you how to decrypt a virtual machine. This is essentially the opposite procedure of encrypting a virtual machine.

  1. Right-click on My Encrypted VM2 virtual machine.
  2. Select VM Policies from the drop-down menu.
  3. Select Edit VM Storage Policies from the VM Policies menu.  

 

 

My Encrypted VM2 - Assign Default Storage Policy

 

  1. Select Datastore Default from the VM Storage Policy drop-down menu.
  2. Click on the Apply to all button.
  3. Click on the OK button.

 

 

My Encrypted VM2 - VM Storage Policies Compliance

 

We now see in the VM Storage Policies widget that all the fields are blank again. That is because we removed the Encryption Policy and the virtual machine has returned to the datastore default policy.

 

 

VM Storage Policy - Not Compliant

 

If for any reason the VM Storage Policy widget still has information in it and reflects being compliant, give it another minute to see if it changes. If it still doesn't change and go blank:

  1. Click on the Check Compliance link to update the compliance information.

NOTE: After clicking on the Check Compliance link, it should update the information in less than a minute and now be blank. If not, raise your hand for assistance either in the Hands On Lab interface or physically raise your hand to get a proctor's attention.

 

 

Encrypt VM Using HyTrust KMS Server - Complete

In this lesson, we applied the My Encryption Policy to the My Encrypted VM1 and My Encrypted VM2 virtual machines using the vSphere Web Client. After we applied the policy, it showed that the virtual machine was compliant with the VM Encryption Policy. Then we went through the same steps to remove the encryption policy from the My Encrypted VM2 virtual machine. Once we completed that task, we could see the VM Storage Policy widget went back to a blank widget. This was the expected behavior and means we successfully removed the encryption from the virtual machine's files.

Using the vSphere Web Client is not the only method of encrypting or decrypting a virtual machine. We can also use PowerCLI commands to perform the same actions on a single virtual machine or on many at once, in a more efficient manner. If changing the encryption status of a large number of virtual machines at once, the best practice would be to use the PowerCLI commands to do so.

In the next lesson, we will discuss the use of PowerCLI for the various encryption related tasks in more detail. Also, in Module 7 of this lab which is the last module, we will actually encrypt and decrypt virtual machines using the PowerCLI commands. Module 7 is an advanced lab, so that is why we will actually use PowerCLI in that particular module.

 

Set VM to Encrypted vMotion Mode


In this lesson, we will walk through the steps to setup a virtual machine to use Encrypted vMotion Mode. We will show the process of configuring it from within the vSphere Web Client.


 

Global Inventory Lists

 

From within the vSphere Web Client of vcsa-01b.corp.local, we will now go to the Global inventory Lists view.

  1. Click on the Home icon at the top of the screen.
  2. Click on Global Inventory Lists in the drop-down navigation menu.

 

 

Virtual Machines

 

  1. Select Virtual Machines from the left Navigation Pane.

 

 

Virtual Machine - Edit Settings

 

In previous steps, we configured the virtual machine My Encrypted VM1 to be encrypted. Because it is already encrypted, if we check the setting for vMotion, it should reflect as being Required already.

To check the vMotion setting:

  1. Right-click on the virtual machine named My Encrypted VM1.
  2. Select Edit Settings from the drop-down menu.

NOTE: The list of virtual machines may be slightly different in the lab environment from what is in the screen capture.

 

 

Virtual Machine - vMotion Settings

 

  1. Click on the VM Options tab in the pop-up window.
  2. Click on the arrow next to the Encryption title on the left side of the pop-up window to expand it out.
  3. We see that because the virtual machine is already encrypted, the Encrypted vMotion setting is already set to Required and can't be changed.
  4. Click on the OK button.

 

 

Virtual Machine - Migrate

 

To perform encrypted vMotion for the virtual machine:

  1. Right-click on the virtual machine named My Encrypted VM1.
  2. Select Migrate from the drop-down menu.

 

 

Virtual Machine - Change compute resource only

 

  1. Click on the Change compute resource only radio button.
  2. Click on the Next button.

 

 

Virtual Machine - Select a compute resource

 

As we see here, there is only (1) vSphere host, so technically we can't migrate the virtual machine to another host. However, since we can't really tell that the vMotion action itself is encrypted, we will just walk through the process as though we are going to migrate to another host, but doing it in an encrypted fashion.

  1. Keep the default host selected and click on the Next button.

 

 

Virtual Machine - Select networks

 

  1. Keep the default network selected and click on the Next button.

 

 

Virtual Machine - Ready to complete

 

NOTE: We are not actually performing the vMotion action for the following reasons:

To finish the last step:

  1. We would then review the information to ensure all of the selections we selected are correct.
  2. Normally we would select the Finish button, but since this is a lab environment, we will select the Cancel button so we don't initiate the vMotion task.

 

 

My Encrypted VM3 - Encrypted vMotion

 

Now we will look at a virtual machine that is NOT already encrypted and do Encrypted vMotion with it. So let's look at the virtual machine settings to see that it isn't encrypted.

  1. Right-click on the My Encrypted VM3 virtual machine.
  2. Click on the Edit Settings from the drop-down menu.

 

 

My Encrypted VM3 - Storage Policy

 

  1. Under the Virtual Hardware tab, click on the arrow next to Hard Disk 1 to expand it.
  2. We see that currently the Default Storage Policy is set to Datastore Default and not our My Encrypted Policy or any other encrypted storage policy.

 

 

My Encrypted VM3 - Encrypted vMotion

 

We will see that there are (3) options under the Encrypted vMotion drop-down menu:

Since we again have no way to tell in the vSphere web client if a vMotion action is encrypted or not, there is no need to perform the action in the lab environment.

  1. Click on the VM Options tab in the pop-up window.
  2. Click on the arrow next to the Encryption title on the left side of the pop-up window.
  3. We see that because the virtual machine is NOT configured to be encrypted, the Encrypted vMotion setting can be manually changed to whatever is most appropriate for a company's needs.
  4. Click on the Cancel button.

NOTE: No matter if the virtual machine is already encrypted or not, you can select Encrypted vMotion. So if the virtual machine is not already encrypted, you can select to have it encrypted on the source host before moving the virtual machine to the destination host. If so, then the destination host will decrypt it once it is completely moved. At that point, the virtual machine is no longer encrypted and will stay that way until we decide to change the setting.

 

 

Set VM to Encrypted vMotion Mode - Complete

That completes this lesson on setting virtual machines to enable encrypted vMotion. We learned that no matter whether a virtual machine is already encrypted or not, the virtual machine can be encrypted on the source host and then decrypted on the destination host. We also learned that Encrypted vMotion requires no additional settings when the virtual machine is already encrypted. However, when the virtual machine is not encrypted already, we can manually select to encrypt it just to perform a vMotion from one host to another if we wish.

 

PowerCLI - Import VMware.VMEncryption Module


In this lesson, we will learn how to import the PowerCLI VMware.VMEncryption module, which contains commands that allow us to use PowerCLI to encrypt, decrypt, and perform other encryption related tasks on virtual machines and Key Management Servers (KMS).


 

Launch PowerCLI

 

  1. To launch PowerCLI, double-click on the VMware PowerCLI icon on the desktop.

 

 

PowerCLI - Properties

 

  1. Click on the PowerCLI icon in the upper left-hand corner of the PowerCLI window.
  2. Select Properties from the drop-down menu.

 

 

PowerCLI - Adjust Screen Size

 

We are going to change the screen size of the PowerCLI window so that the output of the commands we type is easier to read and the words don't wrap as much. To do this:

  1. Change the value for Width under Screen Buffer Size from 100 to 130.
  2. Change the value for Width under Window Size from 100 to 135.
  3. Click on the OK button.

 

 

PowerCLI - Clear the Screen

 

  1. To clear the screen so we have more screen real estate, type the following command:
cls

 

 

PowerCLI - Import VMware.VMEncryption Module

 

In order to use PowerCLI to manage encryption of virtual machines, we have to import the VMware.VMEncryption module. Natively, PowerCLI doesn't include that module, so it has to be manually added before we can use it to modify encryption in vSphere 6.5. This module also requires that we have the latest version of PowerCLI, which is version 6.5.1 (6.5 Revision 1).

  1. Adding new modules is a very easy process. To add the new module for encryption, we run the command:
Import-Module -Name "C:\LabFiles\HOL-1811\VMware.VMEncryption.psd1"
  2. Now we need to add the psm1 file as well:
Import-Module -Name "C:\LabFiles\HOL-1811\VMware.VMEncryption.psm1"

The "Import-Module" command tells it that we are importing a new module. The "-Name" tells it we are providing the name of the specific module we are importing. And finally, we provide the "path to the module we are importing".

NOTE: DO NOT close the PowerCLI window, we will need it open for the next few lessons. Also, if you close the PowerCLI window, you will have to rerun the Import-Module PowerCLI command to import the encryption module again.

 

 

PowerCLI - Import VMware.VMEncryption Module - Complete

In this lesson we used the Import-Module -Name "path-to-file" command to import the VMware.VMEncryption module to allow us to run PowerCLI commands to encrypt, decrypt, and other encryption related commands against virtual machines and hosts.

 

PowerCLI - Connect to vCenter & Encrypted VM List


In this lesson, we will use PowerCLI to connect to the vCenter server. Then we will run a command to get a list of virtual machines on the vCenter server and if they are encrypted or not.


 

PowerCLI - Import-Module

 

If you closed the PowerCLI window after the previous lesson, you will need to run the following commands again to import the VMware.VMEncryption module. Otherwise, you can skip the following steps:

  1. Perform the following command:
Import-Module -Name "C:\LabFiles\HOL-1811\VMware.VMEncryption.psd1"
  2. Perform the following command:
Import-Module -Name "C:\LabFiles\HOL-1811\VMware.VMEncryption.psm1"

 

 

PowerCLI - Connect to vCenter Server

 

  1. We now need to connect to the vcsa-01b.corp.local vCenter server in PowerCLI. To do that, type the following command:
Connect-VIServer -server vcsa-01b.corp.local -user administrator@corp.local -password VMware1!

 

 

PowerCLI - Report on Encryption Status

 

Just as we checked in the vSphere Web Client that My Encrypted VM1 was encrypted, we can also check using a PowerCLI command.

  1. To check the encryption status of the virtual machines on the vCenter server, type the following command:
Get-VM | Select Name, Encrypted

We see that My Encrypted VM1 and My Encrypted VM2 are encrypted and reflect this by the True value.

NOTE: If after running this command it doesn't provide a TRUE or FALSE status, that means we need to run the two Import-Module commands again. Refer to the steps at the beginning of this lesson for the commands.

 

 

PowerCLI - Connect to vCenter & Encrypted VM List - Complete

In this lesson, we connected to a vCenter server by running the command Connect-VIServer -Server vcenterservername -User username -Password password. Before being able to run any useful commands, you have to connect to a vCenter server first. We also ran the Get-VM | Select Name, Encrypted command, which provided a list of all the virtual machines on the vCenter server we connected to and whether or not they were encrypted by providing a true or false status. The true status confirms that a virtual machine is already encrypted.

 

PowerCLI - Encrypt/Decrypt Virtual Machine


In this lesson, we will use PowerCLI to encrypt and decrypt virtual machines. Then we will verify that a virtual machine is actually encrypted afterward by running another PowerCLI command.


 

PowerCLI - Import-Module

 

If you closed the PowerCLI window after the previous lesson, you will need to run the following commands again to import the VMware.VMEncryption module. Otherwise, you can skip the following steps:

  1. Perform the following command:
Import-Module -Name "C:\LabFiles\HOL-1811\VMware.VMEncryption.psd1"
  2. Perform the following command:
Import-Module -Name "C:\LabFiles\HOL-1811\VMware.VMEncryption.psm1"

 

 

PowerCLI - Encrypt My Encrypted VM3

 

  1. Type the following PowerCLI command to encrypt the My Encrypted VM3 virtual machine:
Get-VM -Name "My Encrypted VM3" | Enable-VMEncryption
  2. We then see it returns Task-9379, which we can use as a reference in the Tasks section under the monitoring tab of the vSphere Web Client for the virtual machine.

NOTE: The Task Number will be different in the lab environment than what is in the screen capture.

 

 

PowerCLI - My Encrypted VM3 Encryption Status

 

  1. Type the following PowerCLI command to verify that My Encrypted VM3 now shows as encrypted:
Get-VM | Select Name, Encrypted
  2. We see that the status of My Encrypted VM3 reflects a True status, proving it is encrypted now.

NOTE: The name and order of the virtual machines may be different in the lab environment than in this screen shot based on if you had completed the previous modules in this lab or not.

NOTE: If after running this command it doesn't provide a TRUE or FALSE status, that means we need to run the two Import-Module commands again. Refer to the steps at the beginning of this lesson for the commands.

 

 

vSphere Web Client - My Encrypted VM3 Encryption Status

 

Now we will verify that the My Encrypted VM3 virtual machine is indeed encrypted via the vSphere Web Client this time.

  1. Return to the vSphere Web Client and click on the My Encrypted VM3 virtual machine in the left Navigation Pane.
  2. We see that it also shows encrypted in the VM Storage Policies widget in the Content Pane because it has a policy assigned to it and that it is compliant.

NOTE: If it doesn't show compliant, you can click on the Check Compliance link and it should reflect compliant afterward. Also, the date associated with the Last Checked Date in the VM Storage Policies widget will be different in the lab environment than what is in the screen capture.

 

 

PowerCLI - Decrypt My Encrypted VM3

 

  1. Type the following PowerCLI command to disable encryption on the My Encrypted VM3 virtual machine:
Get-VM -Name "My Encrypted VM3" | Disable-VMEncryption
  2. We then see it returns Task-9380, which we can use as a reference in the Tasks section under the monitoring tab of the vSphere Web Client for the virtual machine.

NOTE: The Task Number will be different in the lab environment than what is in the screen capture.

 

 

PowerCLI - My Encrypted VM3 Encryption Status

 

  1. Type the following PowerCLI command to verify that the My Encrypted VM3 virtual machine now shows as NOT being encrypted:
Get-VM | Select Name, Encrypted
  2. We see that the status of My Encrypted VM3 reflects a False status again, proving it is not encrypted any longer.

NOTE: The name and order of the virtual machines may be different in the lab environment than in this screen shot based on if you had completed the previous modules in this lab or not.

 

 

vSphere Web Client - My Encrypted VM3 Encryption Status

 

  1. Return to the vSphere Web Client and click on the My Encrypted VM3 virtual machine in the left navigation pane.
  2. We see that it also shows not being encrypted any longer because the VM Storage Policies widget now shows empty.

NOTE: If you don't see the change where the VM Storage Policies widget is empty again, you can either refresh the page or click on the Check Compliance link in the VM Storage Policies widget.

 

 

PowerCLI - Encrypt/Decrypt Virtual Machines - Complete

In this lesson, we learned how we can encrypt and decrypt virtual machines using PowerCLI. This is especially useful when wanting to encrypt/decrypt numerous virtual machines at once because it is easier and a more efficient way of performing the task. We also verified each step by using the PowerCLI command Get-VM | Select Name, Encrypted which provides a list of all the virtual machines and then provides a True/False depending on if they are encrypted or not. To also verify, we went into the vSphere Web Client to check to make sure it reflected correctly in the VM Storage Policies widget.
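Because the lab points to PowerCLI as the efficient way to change the encryption state of many virtual machines at once, here is an added example (not from the lab manual or the VMware.VMEncryption module) that wraps Enable-VMEncryption and Disable-VMEncryption in one idempotent function: it skips VMs already in the requested state, skips powered-on VMs (vSphere 6.5 only encrypts or decrypts an existing VM while it is powered off), waits for the Encrypted property the module adds to flip, and returns one result row per VM. It assumes the module has been imported and Connect-VIServer has already run, as in the lesson.

```powershell
# Added example, not part of the lab manual or the VMware.VMEncryption module.
# Assumes: Import-Module of VMware.VMEncryption has run, Connect-VIServer is connected,
# and the module's Enable-VMEncryption / Disable-VMEncryption cmdlets and the Encrypted
# VM property behave as shown in the lab (Get-VM | Select Name, Encrypted).
function Set-VMEncryptionState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$VMName,
        [Parameter(Mandatory = $true)][ValidateSet('Encrypt', 'Decrypt')][string]$Action,
        [int]$TimeoutSeconds = 600,   # how long to wait for each VM's state to flip
        [int]$PollSeconds = 5
    )

    $wantEncrypted = ($Action -eq 'Encrypt')

    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name -ErrorAction SilentlyContinue
        if (-not $vm) {
            [pscustomobject]@{ Name = $name; Before = $null; After = $null; Result = 'NotFound' }
            continue
        }

        $before = [bool]$vm.Encrypted
        if ($before -eq $wantEncrypted) {
            # Idempotent: nothing to do, and no reconfiguration task is created.
            [pscustomobject]@{ Name = $name; Before = $before; After = $before; Result = 'AlreadyInState' }
            continue
        }

        # vSphere 6.5 only encrypts or decrypts an existing VM while it is powered off.
        if ($vm.PowerState -ne 'PoweredOff') {
            [pscustomobject]@{ Name = $name; Before = $before; After = $before; Result = 'SkippedPoweredOn' }
            continue
        }

        # Honors -WhatIf / -Confirm so the change list can be reviewed before anything runs.
        if (-not $PSCmdlet.ShouldProcess($name, $Action)) { continue }

        # Same cmdlets the lab runs by hand; the returned task id is not needed here.
        if ($wantEncrypted) { $vm | Enable-VMEncryption  | Out-Null }
        else                { $vm | Disable-VMEncryption | Out-Null }

        # Poll the Encrypted property until it matches the requested state or we time out.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds $PollSeconds
            $after = [bool](Get-VM -Name $name).Encrypted
        } while (($after -ne $wantEncrypted) -and ((Get-Date) -lt $deadline))

        $result = if ($after -eq $wantEncrypted) { 'Changed' } else { 'Timeout' }
        [pscustomobject]@{ Name = $name; Before = $before; After = $after; Result = $result }
    }
}

# Dry run first (-WhatIf), then the real run; both return one row per VM.
Set-VMEncryptionState -VMName 'My Encrypted VM3', 'My Encrypted VM2' -Action Encrypt -WhatIf
Set-VMEncryptionState -VMName 'My Encrypted VM3', 'My Encrypted VM2' -Action Encrypt | Format-Table -AutoSize
```

A Timeout row means the reconfiguration task did not finish within the window; check the task in the vSphere Web Client rather than re-running the command.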

 

PowerCLI - Show What VMs Encrypted and by Which KMS Server


In this lesson, we will run PowerCLI commands to return the status of encrypted virtual machines, clear the screen, get the default KMS server being used, and list the virtual machines, showing whether they are encrypted or not and by which KMS server.


 

Clear The Screen

 

  1. In the PowerCLI window, clear the screen by typing the following command:
cls

 

 

PowerCLI - Get-VM | Get-VMEncryptionInfo

 

  1. To get a list of virtual machines, if they are encrypted, and by which KMS server, type the following command:
Get-VM | Get-VMEncryptionInfo

NOTE: As an example, we see that My Encrypted VM1 has the My Encryption Policy assigned to it and has the VMware.Vim.CryptoKeyId.

 

 

PowerCLI - Get-VM | Select Name, KMSServer

 

  1. To see which KMS server the encrypted virtual machines were encrypted by, type the following command:
Get-VM | Select Name, KMSServer
  2. We then see that My Encrypted VM1 and My Encrypted VM2 are both encrypted by the HyTrust KMS Cluster 1.

 

 

PowerCLI - Get-DefaultKMSCluster

 

  1. In order to see what KMS Cluster is the default, type the following command:
Get-DefaultKMSCluster
  2. As we see, the HyTrust KMS Cluster 1 is the default KMS cluster, as we expected.

NOTE: DO NOT close the PowerCLI window, we will need it open for the next few lessons. Also, if you close the PowerCLI window, you will have to rerun the Import-Module PowerCLI command to import the encryption module again.

 

 

PowerCLI - Show What VMs Encrypted and by Which KMS Server - Complete

In this lesson, we used the command Get-VM | Get-VMEncryptionInfo to give us details on each of the virtual machines and their encryption related information. We also used Get-VM | Select Name, KMSServer to list all the virtual machines and, for those that were encrypted, which KMS server encrypted them. Then we used the Get-DefaultKMSCluster command to tell us which KMS cluster was the default being used to encrypt the virtual machines.

 

PowerCLI - Change The Default KMS Server


In this lesson, we will run PowerCLI commands to return the value of the current default KMS server. Then we will set a new KMS server as the default KMS server and encrypt another virtual machine with the new default KMS server. And finally, we will run the command to return the value of what server is the default KMS server.


 

Get the Default KMS Server Info

 

  1. In order to see which HyTrust KMS Cluster is currently the default, type the following:
Get-DefaultKMSCluster
  2. We see it returns the answer that the HyTrust KMS Cluster 1 is the default cluster.

NOTE: If we recall, we installed the HyTrust KMS Cluster 1 first, with the HyTrust KMS Server1 in it. The first one installed automatically becomes the default KMS server unless we tell it otherwise.

 

 

Set a New KMS Cluster

 

  1. To set the default cluster to now be the HyTrust KMS Cluster 2, type the following:
Set-DefaultKMSCluster -KMSClusterId "HyTrust KMS Cluster 2"

NOTE: We see that it does not return a value which is the normal behavior and we also did not receive any errors.

 

 

Encrypt My Encrypted VM3

 

  1. We want to be sure that, now that we switched to a new default KMS server, we can still encrypt a virtual machine. To do this, type the following command:
Get-VM -Name "My Encrypted VM3" | Enable-VMEncryption
  2. When we type this, it returns a task number showing it successfully ran the command with no errors. So we know that we were able to encrypt the virtual machine using the new default KMS server.

 

 

Get the Default KMS Server Info

 

  1. In order to see which HyTrust KMS Cluster is currently the default, type the following command:
Get-DefaultKMSCluster
  2. We see it returns the answer that the HyTrust KMS Cluster 2 is the default cluster.

NOTE: This is correct since we previously ran the Set-DefaultKMSCluster -KMSClusterId "HyTrust KMS Cluster 2" command to change the default to the second server.

 

 

PowerCLI - Exit

 

  1. From within the PowerCLI window, click on the PowerCLI icon in the upper left-hand corner of the interface.
  2. Then type the following command to close out the interface, since we are finished using it:
exit

 

 

PowerCLI - Change The Default KMS Server - Complete

That completes this module, which covered using PowerCLI 6.5 Release 1 to do various encryption related tasks on virtual machines. First we ran the Get-DefaultKMSCluster command to see which KMS cluster/server was the default. Then we ran the command Set-DefaultKMSCluster -KMSClusterId "HyTrust KMS Cluster 2" to change the default cluster to HyTrust KMS Cluster 2. We then encrypted a virtual machine to ensure that we could do so using the new default KMS server, and finally verified that the default cluster had changed.
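The previous two lessons ran Get-VM | Select Name, KMSServer, Get-DefaultKMSCluster and Set-DefaultKMSCluster separately; note that after the default was switched to HyTrust KMS Cluster 2, the VMs encrypted earlier are still keyed by HyTrust KMS Cluster 1 and keep depending on that cluster. The following is an added example (not from the lab manual or the VMware.VMEncryption module) that combines those commands into one audit which reports, per VM, which KMS cluster holds its key and whether that is the current default. It assumes the module is imported and Connect-VIServer has run, and that Get-DefaultKMSCluster and the KMSServer VM property render as the cluster id strings the lab output shows.

```powershell
# Added example, not part of the lab manual or the VMware.VMEncryption module.
# Assumes: the module is imported, Connect-VIServer is connected, and, as the lab output
# shows, Get-DefaultKMSCluster renders as the default cluster's id (e.g. "HyTrust KMS Cluster 2")
# while each encrypted VM's KMSServer property renders as the cluster that holds its key.
function Get-VMKMSAudit {
    param([string[]]$VMName)   # optional filter; default is every VM on the connected vCenter

    $defaultKms = "$(Get-DefaultKMSCluster)".Trim()
    $vms = if ($VMName) { Get-VM -Name $VMName } else { Get-VM }

    foreach ($vm in $vms) {
        $encrypted = [bool]$vm.Encrypted
        $kms = if ($encrypted) { "$($vm.KMSServer)".Trim() } else { $null }
        # $null for unencrypted VMs; $false means the key lives on a non-default cluster
        $onDefault = if ($encrypted) { $kms -eq $defaultKms } else { $null }
        [pscustomobject]@{
            Name         = $vm.Name
            Encrypted    = $encrypted
            KMSServer    = $kms
            DefaultKMS   = $defaultKms
            OnDefaultKMS = $onDefault
        }
    }
}

$audit = Get-VMKMSAudit
$audit | Format-Table Name, Encrypted, KMSServer, OnDefaultKMS -AutoSize

# Encrypted VMs whose keys are still held by a cluster other than the current default:
# they keep depending on that KMS cluster even after Set-DefaultKMSCluster ran.
$audit | Where-Object { $_.Encrypted -and -not $_.OnDefaultKMS } | ForEach-Object {
    Write-Warning ("{0} is keyed by '{1}', not the default '{2}'" -f $_.Name, $_.KMSServer, $_.DefaultKMS)
}

# How many encrypted VMs depend on each KMS cluster
$audit | Where-Object Encrypted | Group-Object KMSServer | Select-Object Name, Count
```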

 

Conclusion


Congratulations on completing Module 3!

In this lab we learned how to add (2) HyTrust KMS servers into the vCenter server to create a trust between them. Once we installed the KMS servers, we then created (2) virtual machines to use for encryption. We then used the vSphere Web Client to create a new Encrypted Storage Policy. After that, we encrypted the (2) virtual machines. Lastly, we then performed numerous PowerCLI commands to encrypt/decrypt virtual machines, change to a new default KMS server, and much more!

Proceed to the next module (Module 4 - Secure Boot for Hosts and VMs), or feel free to skip to any other module below which interests you most.


 

Additional VMworld Resources:

For those of you looking to get more information on VM encryption, we recommend that you attend the below VMworld session conducted by Jase McCarty.

 

 

VM Encryption Resources:

Below are a few additional resources available to help you get more familiar with the new encryption related vSphere 6.5 feature sets.

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 4 - Secure Boot for Hosts and VMs (15 minutes)

Introduction


In this module (Module 4 - Secure Boot for Hosts and VMs), we will walk through the steps to configure Secure Boot for Hosts and Virtual Machines (VM). We will perform the following steps:


 

Secure Boot and UEFI Overview

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

UEFI, or Unified Extensible Firmware Interface, is a replacement for the traditional BIOS firmware that has its roots in the original IBM PC. I would highly recommend reading the Wikipedia overview on UEFI to get a better understanding of all the capabilities it can present. I can also recommend the Ubuntu blog article on how they use UEFI. We will focus on how UEFI and Secure Boot relate to ESXi.

In UEFI parlance, Secure Boot is a “protocol” of the UEFI firmware. This capability was designed to ensure that boot loaders are not compromised, by validating their digital signature against a digital certificate in the firmware. A typical compromise on your desktop or laptop would be malware installing a rootkit. This would change the digital signature, and the UEFI firmware's check would fail and not allow further booting. UEFI can store whitelisted/valid digital certificates in a signature database (DB). There is also a blacklist of forbidden certificates (DBX), a Key Exchange Key (KEK) database and a Platform Key (PK). These form the basis of a root of trust that begins with the firmware installed on your host.

These digital certificates are used by the UEFI firmware to validate the boot loader. Boot loaders are typically cryptographically signed and their digital signature chains to the certificate in the firmware. The default digital certificate in just about every implementation of UEFI firmware is an X.509 Microsoft UEFI Public CA cert. Most UEFI implementations also allow for the installation of additional digital certificates. A typical use for this would be if you were developing a custom boot loader that’s signed against your own certificate. You could install that certificate in the UEFI firmware and UEFI would validate your boot loader against it.

Default certificates are part of the firmware installation from your server vendor, not VMware. When you update your UEFI firmware on your server, the digital certificate(s) are included.

 

 

How ESXi builds Upon UEFI and Secure Boot

With ESXi 6.5, we take this capability of the firmware storing digital certificates and validating the boot loader and we build upon that. ESXi is comprised of a number of components. There is the boot loader, the VM Kernel, Secure Boot Verifier and VIBs, or “vSphere Installation Bundles”. Each of these components is cryptographically signed. Let’s step through each of these.

Boot Loader

As mentioned above, the UEFI firmware itself verifies the bootloader’s digital signature to validate bootloader integrity. Normally, with many operating systems, that’s the limit of what happens, because the threat of rootkits is now mitigated. But not so with ESXi. We go beyond that and ensure that all content shipped is cryptographically signed.

The ESXi boot loader is signed with the Microsoft UEFI Public CA cert. This ensures that standard UEFI Secure Boot firmware can validate the VMware boot loader. The boot loader code also contains a VMware public key. This VMware key is used to validate the VM Kernel and a small subset of the system that includes the Secure Boot Verifier, used to validate the VIBs.

VM Kernel

The VM Kernel itself is also cryptographically signed. The boot loader validates the kernel using the VMware public key it carries. The first thing the VM Kernel runs is the Secure Boot Verifier.

Secure Boot Verifier

The Secure Boot Verifier validates every cryptographically signed VIB against the VMware public key. The VMware public key is part of the Secure Boot Verifier codebase. (You can see in the graphic that the VMware Public Key is in two places, the ESXi Boot Loader and the Secure Boot Verifier)

VIB

A vSphere Installation Bundle (VIB) is a “package”. It comprises a file archive (a gzipped TAR file), an XML descriptor file and a digital signature file. (Read more here: https://blogs.vmware.com/vsphere/2011/09/whats-in-a-vib.html)

When ESXi boots, it creates a file system in memory that maps to the contents of the vSphere Installation Bundles (VIB).  If the file never leaves the cryptographically signed “package” then you don’t have to sign every file, just the package.

PREREQUISITES:

If you have upgraded your host to 6.5 and haven’t tried enabling Secure Boot then you can run a validation script located on the ESXi host. The script is called:

/usr/lib/vmware/secureboot/bin/secureBoot.py -c

The output will say either "Secure Boot can be enabled" or "Secure boot CANNOT be enabled". If Secure Boot cannot be enabled, then see “Possible upgrade issues” above. You may have a situation that requires a clean installation. ESXi will continue to run just fine. However, you won’t be able to take advantage of Secure Boot for ESXi.

 

PSOD’s, unsigned VIBs and File Integrity Monitoring (FIM)

PSOD – Purple Screen of Death

If you already have unsigned vSphere Installation Bundles (VIB) on your ESXi host and you enable Secure Boot in the firmware, then ESXi will boot into a purple screen and tell you which vSphere Installation Bundle (VIB) is unsigned. The error should look similar to this:

To get out of this situation do the following:

You can only get into this situation if you have pre-existing unsigned code installed.
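Since the PSOD only happens when unsigned code is already installed, the defender's move is to inventory hosts before flipping Secure Boot on in the firmware. The following is an added example (not from the lab manual) that lists each host's VIBs through PowerCLI's Get-EsxCli -V2 (the esxcli software vib list namespace) and flags anything outside the VMware- and partner-signed acceptance levels. It assumes a connected Connect-VIServer session whose inventory includes the hosts named, and it treats the CommunitySupported acceptance level as the indicator of unsigned content, which is an assumption; the host-side secureBoot.py -c check above remains the authoritative test.

```powershell
# Added example, not part of the lab manual. Assumes a PowerCLI session connected to the
# vCenter (or directly to the host) that manages the hosts named below.
# ASSUMPTION: VIBs at the CommunitySupported acceptance level are treated as the likely
# unsigned content; /usr/lib/vmware/secureboot/bin/secureBoot.py -c on the host remains
# the authoritative pre-check before enabling Secure Boot in the firmware.
function Test-SecureBootVibReadiness {
    param([Parameter(Mandatory = $true)][string[]]$VMHostName)

    # Acceptance levels whose VIBs carry a VMware- or partner-issued signature
    $signedLevels = @('VMwareCertified', 'VMwareAccepted', 'PartnerSupported')

    foreach ($hostName in $VMHostName) {
        $vmhost = Get-VMHost -Name $hostName -ErrorAction SilentlyContinue
        if (-not $vmhost) {
            [pscustomobject]@{
                VMHost = $hostName; TotalVibs = 0; SuspectVibs = @()
                ReadyForSecureBoot = $null; Note = 'Host not found in inventory'
            }
            continue
        }

        # esxcli software vib list via the V2 interface; each item exposes
        # Name, Version, Vendor and AcceptanceLevel among other properties.
        $esxcli = Get-EsxCli -VMHost $vmhost -V2
        $vibs = @($esxcli.software.vib.list.Invoke())

        $suspect = @($vibs | Where-Object { $signedLevels -notcontains $_.AcceptanceLevel })
        $note = if ($suspect.Count -eq 0) { 'No unsigned-level VIBs found' }
                else { 'Remove or replace the listed VIBs before enabling Secure Boot' }

        [pscustomobject]@{
            VMHost             = $vmhost.Name
            TotalVibs          = $vibs.Count
            SuspectVibs        = @($suspect | ForEach-Object {
                                     '{0} {1} ({2}, {3})' -f $_.Name, $_.Version, $_.Vendor, $_.AcceptanceLevel })
            ReadyForSecureBoot = ($suspect.Count -eq 0)
            Note               = $note
        }
    }
}

# esx-01c.corp.local is the nested host used in this module; any host in the inventory works.
Test-SecureBootVibReadiness -VMHostName 'esx-01c.corp.local' | Format-List
```

Run it against every host in a cluster (Get-Cluster | Get-VMHost | Select-Object -ExpandProperty Name) to get the fleet view before a firmware change window.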

 

Power On Host With Secure Boot Enabled


In this lesson, we will power on a host like normal with the UEFI Secure Boot enabled.


 

Open Google Chrome

 

Do the below step if you are opening a new Google Chrome browser window; otherwise, you can skip this step:

  1. Double-click the Google Chrome icon on the Main Console Desktop.
  2. Or click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, continue onto the next step.

 

 

RegionB vCenter Server

 

Do the below step if you are opening a new Google Chrome browser window; otherwise, you can skip this step:

  1. Click on the RegionB vCenter bookmark in the Bookmark Toolbar.

 

 

 

Log Into RegionB vCenter Server

 

If the RegionB vCenter server is already open in a Google Chrome tab, we can skip Steps 1 - 3, otherwise complete the below steps:

  1. Type administrator@corp.local in the username field.
  2. Type VMware1! in the password field.
  3. Then click the Login button.

 

 

Hosts Menu

 

  1. Click on the Home icon at the top of the content pane.
  2. Select Hosts and Clusters from the Home drop-down menu.

 

 

Hosts and Clusters

 

We are now going to power on the nested ESXi host esx-01c.corp.local to use for this lesson on Secure Boot for Hosts.

  1. If necessary, click on the arrow next to the vcsa-01b.corp.local vCenter Server to expand it all the way until you see the list of virtual machines.
  2. Click on the esx-01c.corp.local virtual machine.
  3. Then click on the green arrow in the top of the content pane to power on the esx-01c.corp.local virtual machine.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

esx-01c.corp.local - Open Console

 

  1. Select the esx-01c.corp.local virtual machine in the left Navigation Pane.
  2. Then click on the virtual machine window to open a console window for it.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

esx-01c.corp.local - Web Console

 

  1. A pop-up window will come up, keep the default setting of Web Console and click on the Continue button.

NOTE: If you don't get the pop-up window, do not worry and continue on to the next step.

 

 

esx-01c.corp.local - ConsoleWindow

 

  1. Click on the new esx-01c.corp.local Google Chrome tab.
  2. We also see that the host started properly WITHOUT getting the infamous Purple Screen Of Death (PSOD). We started it to show the normal process of a host starting up without receiving any type of error.

NOTE: You may need to give it a minute to fully start up before seeing what is in the screen shot.

 

 

Switch to vSphere Web Client

 

  1. Click on the vSphere Web Client Google Chrome tab to return to the vSphere Web Client interface.

 

 

Power Off esx-01c.corp.local

 

We need to power off the esx-01c.corp.local virtual machine and disable Secure Boot in order to complete the next lesson of installing an unsigned vSphere Installation Bundle (VIB) file successfully. To do this, we need to perform the following steps:

  1. Right-click on the esx-01c.corp.local virtual machine in the left Navigation Pane.
  2. Click on Power from the drop-down menu.
  3. Then click on the Shut Down Guest OS from the drop-down menu.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

Confirm Guest Shut Down

 

  1. Click on the Yes button in the Confirm Guest Shut Down pop-up window.

 

 

Edit Settings

 

Ensure the virtual machine is completely powered off before performing the below steps:

  1. Right-click on the esx-01c.corp.local virtual machine from the left Navigation Pane.
  2. Click on Edit Settings from the drop-down menu.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

VM Options

 

  1. Click on the VM Options tab in the Edit Settings pop-up window.
  2. Click on the arrow next to Boot Options to expand it.
  3. Then uncheck the Secure Boot (EFI boot only) check box to clear the check box.
  4. Click on the OK button.

 

 

Power on Host With Secure Boot Enabled - Complete

In this lesson, we simply powered on a virtual (nested) ESXi host to show how it normally boots to the console screen. We then disabled Secure Boot in the virtual machine's VM Options so that the next lesson can install an "unsigned vSphere Installation Bundle (VIB)". The lesson after that re-enables Secure Boot on the host to show what happens when it boots with unsigned code installed.

 

Install Unsigned VIB


In this lesson, we will copy an unsigned vSphere Installation Bundle (VIB) ZIP file to the ESXi virtual host (esx-01c.corp.local) directory to prepare to install it. Then we will connect to the virtual ESXi host to run the command to install the unsigned vSphere Installation Bundle (VIB).


 

Hosts and Clusters

 

We are now going to power on the nested ESXi host esx-01c.corp.local so we can connect to it.

  1. If necessary, click on the arrow next to the vcsa-01b.corp.local vCenter Server to expand it all the way until you see the list of virtual machines.
  2. Click on the esx-01c.corp.local virtual machine.
  3. Then click on the green arrow in the top of the content pane to power on the esx-01c.corp.local virtual machine.

 

 

esx-01c.corp.local - Open Console

 

  1. Select the esx-01c.corp.local virtual machine.
  2. Click on the virtual machine console thumbnail to open a console window for it.

NOTE: A pop-up window may come up, if it does, keep the default setting of Web Console and click on the Continue button.

 

 

esx-01c.corp.local - ConsoleWindow

 

  1. Click on the new esx-01c.corp.local Google Chrome tab.
  2. Ensure the virtual machine has fully booted up and you see the login screen that looks like the screen capture.

NOTE: You may need to give it a minute to fully start up before seeing it similar to what is in the screen shot.

 

 

Minimize vSphere Web Client

 

  1. Now minimize the vSphere Web Client by clicking on the Minimize button in the upper right-hand corner of the browser.

 

 

Programs Menu

 

We now need to copy the unsigned vSphere Installation Bundle (VIB) file to the esx-01c.corp.local virtual machine, we will use the WinSCP application to do this.

  1. Click on the Windows button in the lower left-hand corner of the Main Console desktop.
  2. Then click on the All Programs item from the menu.

 

 

Open WinSCP

 

  1. Click on the WinSCP application from the drop-down menu.

 

 

Connect to esx-01c.corp.local

 

  1. Click on New Site in the menu on the left side of the application.
  2. Type esx-01c.corp.local into the Host name text field.
  3. Type root into the User name text field.
  4. Type VMware1! into the Password text field.
  5. Then click on the Login button to connect to esx-01c.corp.local.

 

 

WinSCP File Location

 

  1. Click on the folder with the Backslash on it to take you to the C:\ drive on the Control virtual machine.

 

 

LabFiles Folder

 

  1. Double-click on the LabFiles folder.

 

 

HOL-1811 Folder

 

  1. Double-click on the HOL-1811 folder.

 

 

ZIP File

 

  1. We should see the ProFTPD-1.3.3-8-offline_bundle.zip file.

 

 

/tmp Folder

 

  1. Double-click on the tmp folder of the virtual ESXi host in the right-hand side of the content pane.

 

 

Copy File

 

  1. Click on the ProFTPD-1.3.3-8-offline_bundle.zip file and drag it into the tmp folder of the virtual ESXi host on the right side of the Content Pane.
  2. Once the file has been copied over, we should see it in the tmp folder now.

 

 

Close WinSCP

 

  1. Click on the "X" in the upper right-hand corner of the WinSCP window to close the application.

 

 

Open Putty

 

We now will use Putty to connect to the virtual host and run the commands to install the unsigned vSphere Installation Bundle (VIB).

  1. Click on the Putty icon in the Task Bar.

 

 

esx-01c.corp.local - Connect via Putty

 

  1. Click on esx-01c.corp.local under Saved Sessions in the Putty Configuration pop-up window.
  2. Click on the Open button.

 

 

esx-01c.corp.local - Login via Putty

 

  1. Once the connection is made and the Putty window shows the login as: prompt, type root for the user name.
  2. Type VMware1! for the Password.
  3. Then type clear to clear the screen to make it easier to read.

 

 

esx-01c.corp.local - Install Unsigned VIB

 

We will now install an unsigned vSphere Installation Bundle (VIB) to the esx-01c.corp.local host. We have already placed the ProFTPD-1.3.3-8-offline_bundle.zip file in the host's /tmp directory.

  1. Type the following command into Putty (you can copy the text from the lab manual and drop it into the Putty window; just be sure not to copy any additional characters before or after the command text):
esxcli software vib install -d /tmp/ProFTPD-1.3.3-8-offline_bundle.zip --force --no-sig-check
  2. Verify that the output says Operation finished successfully.
  3. Type the following command to exit the Putty session:
exit

NOTE: --no-sig-check skips VIB signature verification, which is what lets an unsigned bundle install at all, and --force bypasses the acceptance-level and dependency checks. Both switches defeat the controls that Secure Boot relies on and are used here only to demonstrate the failure; they have no place on a production host.

 

 

esx-01c.corp.local - Shut Down Guest OS

 

Now that we have installed the unsigned vSphere Installation Bundle (VIB), we will shut down the host.

  1. Right-click on the esx-01c.corp.local virtual machine.
  2. Select Power from the drop-down menu.
  3. Select Shut Down Guest OS from the Power drop-down menu.

 

 

Install Unsigned VIB - Complete

We have completed this lesson by installing an unsigned vSphere Installation Bundle (VIB) on the esx-01c.corp.local host. The same esxcli software vib install command, without the --force and --no-sig-check switches, is also the way to install signed vSphere patches and updates from an offline bundle. We then shut the host down in order to prepare for the next lesson.

 

Enable Secure Boot and Power On Host


Before powering on the host, we will need to enable Secure Boot in the settings of the host. On a physical host, Secure Boot is enabled in the server's UEFI firmware setup (often still called the BIOS); the precise setting and its location differ slightly from one server vendor to another, and the host must be booting in UEFI mode rather than legacy BIOS mode for the option to have any effect.


 

esx-01c.corp.local - Edit Settings

 

  1. Right-click on the esx-01c.corp.local virtual machine.
  2. Select Edit Settings in the drop-down menu.  

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

esx-01c.corp.local - Enable Secure Boot

 

  1. Click on the VM Options tab in the pop-up window.
  2. Click on the check box for Secure Boot (EFI boot only) next to the Secure Boot option.
  3. Click on the OK button.

 

 

esx-01c.corp.local - Start Host

 

  1. Select the esx-01c.corp.local virtual machine.
  2. Click on the green triangle at the top of the content pane to start the esx-01c.corp.local virtual machine.

 

 

esx-01c.corp.local - Open Console

 

  1. Click on the Console Window thumbnail image to open a new browser tab for the esx-01c.corp.local virtual machine to watch the boot process in the console window.

 

 

esx-01c.corp.local - Purple Screen of Death (PSOD)

 

  1. If need be, select the Google Chrome tab for the esx-01c.corp.local virtual machine to watch it boot.
  2. Shortly into the boot, the Purple Screen of Death (PSOD) appears with the status "UEFI Secure Boot: Failed".

NOTE: This is expected because we installed an unsigned vSphere Installation Bundle (VIB) on the host in the previous lesson. With Secure Boot enabled, the UEFI firmware verifies the VMware-signed ESXi boot loader, which in turn verifies the kernel, and the kernel then verifies the signature of every VIB in the boot image before it is loaded. A VIB whose signature does not verify stops the boot; the host halts rather than run unsigned code. Only VIBs signed by VMware (including partner VIBs that VMware has signed) pass this check.
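As an added example (not part of the lab manual), here is a pre-flight check a host administrator can run before re-enabling Secure Boot, so that the failure above is predicted instead of discovered at the purple screen. It parses the output of esxcli --formatter=csv software vib list and flags every VIB whose acceptance level is CommunitySupported: such VIBs carry no VMware signature, so the boot-time verifier rejects them. The CSV sample is constructed (not captured from esx-01c.corp.local) and the column names (AcceptanceLevel, ID, Name, ...) are assumed to match esxcli's csv formatter; the parser keys on the header line, so column order does not matter. The live helper only works when run in the ESXi shell itself.

```python
"""Pre-flight check before re-enabling UEFI Secure Boot on an ESXi host.

Added example, not code from the HOL-1811 lab. It reads the table produced by
`esxcli --formatter=csv software vib list` and reports every VIB the ESXi
Secure Boot verifier would reject. Only VIBs signed by VMware (acceptance
levels VMwareCertified, VMwareAccepted and PartnerSupported) carry a signature
the verifier trusts; a CommunitySupported VIB such as the ProFTPD bundle
installed above with --no-sig-check does not, and the host halts at boot.
Kept compatible with the Python 3.5 shipped in ESXi 6.5 (no f-strings).
"""
import csv
import io
import subprocess
from typing import Dict, List

# Acceptance levels whose VIBs are signed by VMware and therefore boot under Secure Boot.
SIGNED_ACCEPTANCE_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

# Constructed sample in the shape of `esxcli --formatter=csv software vib list`
# output (column names assumed; not captured from the lab host). esxcli ends
# every line with a trailing comma, which the parser tolerates.
SAMPLE_VIB_CSV = """\
AcceptanceLevel,CreationDate,ID,InstallDate,Name,Vendor,Version,
VMwareCertified,2017-07-17,VMware_bootbank_esx-base_6.5.0-1.26.5969303,2017-08-10,esx-base,VMware,6.5.0-1.26.5969303,
CommunitySupported,2011-09-24,ProFTPD_bootbank_ProFTPD_1.3.3-8,2017-08-15,ProFTPD,ProFTPD,1.3.3-8,
VMwareCertified,2017-07-17,VMW_bootbank_net-ixgbe_3.7.13.7.14iov-20vmw.650.0.0.4564106,2017-08-10,net-ixgbe,VMW,3.7.13.7.14iov-20vmw.650.0.0.4564106,
"""


def parse_vib_csv(text: str) -> List[Dict[str, str]]:
    """Parse esxcli CSV output into one dict per VIB, keyed by column name."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # Drop the empty key that the trailing comma creates.
        rows.append({k: v for k, v in row.items() if k})
    return rows


def secure_boot_blockers(vibs: List[Dict[str, str]]) -> List[str]:
    """IDs of installed VIBs that will fail Secure Boot signature verification."""
    return sorted(v["ID"] for v in vibs if v["AcceptanceLevel"] not in SIGNED_ACCEPTANCE_LEVELS)


def host_can_secure_boot(vibs: List[Dict[str, str]]) -> bool:
    """True when every installed VIB carries a VMware-trusted signature."""
    return not secure_boot_blockers(vibs)


def list_vibs_on_host() -> List[Dict[str, str]]:
    """Run esxcli on the ESXi host itself (only meaningful in the ESXi shell)."""
    out = subprocess.check_output(
        ["esxcli", "--formatter=csv", "software", "vib", "list"], universal_newlines=True)
    return parse_vib_csv(out)


if __name__ == "__main__":
    vibs = parse_vib_csv(SAMPLE_VIB_CSV)      # swap in list_vibs_on_host() on a real host
    blockers = secure_boot_blockers(vibs)
    if blockers:
        print("Secure Boot would FAIL. Remove these first with 'esxcli software vib remove -n <Name>':")
        for vib in vibs:
            if vib["ID"] in blockers:
                print("  {0} (name: {1}, level: {2})".format(
                    vib["ID"], vib["Name"], vib["AcceptanceLevel"]))
    else:
        print("All installed VIBs are VMware-signed; Secure Boot can be enabled.")
```

The acceptance level is a heuristic: a VIB installed with --force and --no-sig-check can claim any acceptance level in its descriptor without carrying a valid signature, and this script would not notice. VMware ships an authoritative check on the host, /usr/lib/vmware/secureboot/bin/secureBoot.py -c, which verifies the actual VIB signatures and prints whether Secure Boot can be enabled; run that before flipping the setting, and use the script above only to triage a larger fleet from collected esxcli output.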

 

 

esx-01c.corp.local - Close Tab

 

  1. Click on the "X" of the esx-01c.corp.local Google Chrome tab to close it.

 

 

esx-01c.corp.local - Power Off Host

 

At this time, we want to power off the host so we can disable Secure Boot.

  1. Right-click on the esx-01c.corp.local virtual machine.
  2. Select Power from the drop-down menu.
  3. Select Power Off from the Power drop-down menu.

 

 

esx-01c.corp.local - Power Off Host - Confirm

 

We then get a pop-up asking if we are sure that we want to power off the virtual machine.

  1. Click on the Yes button to power off the virtual machine.

 

 

Enable Secure Boot and Power On Host - Complete

In this lesson, we went into the esx-01c.corp.local virtual machine's VM Options and enabled Secure Boot. We then powered on the virtual machine and saw the expected Purple Screen of Death (PSOD), because the unsigned vSphere Installation Bundle (VIB) we installed earlier is not allowed when Secure Boot is enabled. Lastly, we powered off the esx-01c.corp.local virtual machine to get ready for the next lesson.

 

Disable Secure Boot


In this lesson, we will disable Secure Boot on the esx-01c.corp.local virtual host so that it boots normally again even though the unsigned vSphere Installation Bundle (VIB) is still installed.


 

esx-01c.corp.local - Edit Settings

 

Now that the esx-01c.corp.local virtual machine is powered off, we can go into the settings to disable Secure Boot.

  1. Right-click on the esx-01c.corp.local virtual machine.
  2. Select Edit Settings from the drop-down menu.


 

 

esx-01c.corp.local - VM Options

 

  1. Click on the VM Options tab in the pop-up window.
  2. Click on the arrow next to Boot Options in order to expand it.
  3. Uncheck the Secure Boot (EFI boot only) check box for the Secure Boot option.
  4. Click on the OK button.

 

 

esx-01c.corp.local - Power On Host

 

Now that Secure Boot is disabled, the host no longer verifies VIB signatures at boot and should start normally.

  1. Click on the esx-01c.corp.local virtual machine.
  2. Click on the Green Triangle icon to start the esx-01c.corp.local virtual machine.

 

 

esx-01c.corp.local - Open Console

 

  1. Click on the esx-01c.corp.local virtual machine.
  2. Then click on the Opens a virtual machine console in a separate window icon.

NOTE: You will need to allow the virtual machine a minute or so to boot up fully.

 

 

esx-01c.corp.local - Verify Proper Boot Up

 

We will need to give the virtual machine a minute to fully boot up, once it is fully booted, continue with the following steps:

  1. Click on the esx-01c.corp.local console tab that was opened to show the esx-01c.corp.local virtual machine console window to watch it boot up fully.
  2. Once it has fully booted, we should see a screen similar to the screen capture, showing that we no longer receive the Purple Screen of Death (PSOD).

 

 

esx-01c.corp.local - Close Tab

 

  1. Click on the "X" of the esx-01c.corp.local Google Chrome tab to close it.

 

 

Disable Secure Boot - Complete

We have completed the lesson on disabling Secure Boot for the esx-01c.corp.local virtual machine. We then powered the virtual machine on to confirm that it boots normally and does not show the Purple Screen of Death (PSOD).

 

Remove Unsigned VIB


In this lesson, we will remove the unsigned vSphere Installation Bundle (VIB) that we had previously installed on esx-01c.corp.local.


 

esx-01c.corp.local - Ensure Powered On

 

We want to now remove the unsigned vSphere Installation Bundle (VIB) that we previously installed. In order to do that, the esx-01c.corp.local virtual machine must be fully up and running.

  1. Verify the esx-01c.corp.local virtual machine is powered on, we will see the green triangle icon on the top of the icon for the virtual machine.
  2. Verify that it is fully up to the login screen by looking at the console thumbnail to see if the image looks like the screen capture.

 

 

Minimize vSphere Web Client

 

  1. In the upper right-hand corner of the browser window, click on the Minimize icon to minimize Google Chrome.

 

 

Launch Putty

 

We now need to launch Putty and connect to esx-01c.corp.local in order to remove the unsigned vSphere Installation Bundle (VIB).

  1. Click on the Putty icon in the Task Bar.

 

 

esx-01c.corp.local - Connect via Putty

 

  1. click on esx-01c.corp.local under Saved Sessions.
  2. Click on the Open button to connect to esx-01c.corp.local.

 

 

esx-01c.corp.local - Login

 

  1. We see that we were logged in with the root account already.
  2. When it prompts for a Password, type VMware1! and hit the Enter key.
  3. Once we are logged in, type clear and hit the Enter key to clear the screen to provide a clean screen.

 

 

esx-01c.corp.local - Remove VIB From Host

 

  1. Type the following command and hit the Enter key to remove the previously installed unsigned vSphere Installation Bundle (VIB):
esxcli software vib remove -n ProFTPD

NOTE: The -n argument is the VIB name as shown in the Name column of esxcli software vib list (here ProFTPD), not the file name of the offline bundle (ProFTPD-1.3.3-8-offline_bundle.zip). The ZIP in /tmp was only the installation source; removal works from the host's installed-VIB database, so the bundle file does not need to be present. If you are unsure of the exact name, run esxcli software vib list first.

  1. Verify that the message says "Operation finished successfully".

 

 

Exit Putty

 

  1. Type exit and hit the Enter key to exit the Putty session.

 

 

Maximize Google Chrome

 

  1. Click anywhere on the minimized Google Chrome browser in the Task Bar to maximize it.

 

 

esx-01c.corp.local - Shut Down Guest OS

 

We no longer need the esx-01c.corp.local virtual machine for the rest of the lab, so we will power it down to reduce resource utilization in the Hands On Lab environment.

  1. Right-click on the esx-01c.corp.local virtual machine.
  2. Select Power from the drop-down menu.
  3. Select Shut Down Guest OS from the Power drop-down menu.

 

 

esx-01c.corp.local - Shut Down Guest OS - Confirm

 

  1. Click on the Yes button to confirm shutting down the OS.

 

 

Remove Unsigned VIB - Complete

In this lesson, we used the esxcli software vib remove -n ProFTPD command to remove the unsigned vSphere Installation Bundle (VIB) that we had previously installed. At this point, the host will boot normally with Secure Boot enabled and no longer show the Purple Screen of Death (PSOD). We then powered down the host to conserve lab resources.

 

Secure Boot for Virtual Machines


In this lesson, we will walk through the steps to verify if a virtual machine is enabled for Secure Boot or not using a PowerShell command.


 

w10-base-01b.corp.local - Power On

 

We now want to go through the tasks to configure Secure Boot for virtual machines in this lesson. To get started:

  1. Click on the vcsa-01b.corp.local vCenter server in the left navigation pane and expand it out until you see the list of the virtual machines.
  2. Click on the w10-base-01b.corp.local virtual machine.
  3. Click on the Green Triangle icon to power on the w10-base-01b.corp.local virtual machine.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

w10-base-01b.corp.local - Launch Console Window

 

  1. Click on the w10-base-01b.corp.local virtual machine.
  2. Then click on the Opens a virtual machine console in a separate window icon to open a console window for the virtual machine.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

w10-base-01b.corp.local - Launch Console Window - Confirm (if needed)

 

You may get this pop-up window, if you do, follow the below steps. If not, you can skip the below steps.

  1. Keep the default value of Web Console.
  2. Click on the Continue button to open the console tab.

 

 

w10-base-01b.corp.local - Console Window

 

  1. Click on the newly opened tab for the w10-base-01b.corp.local virtual machine.

 

 

w10-base-01b.corp.local - Login

 

  1. Click anywhere on the desktop of the virtual machine to get to the Login screen.

 

 

w10-base-01b.corp.local - Login

 

  1. Type in VMware1! for the Password text field.
  2. Then click on the arrow icon to log into the virtual machine.

NOTE: Ignore that on the Login screen that the virtual machine name is w10-base-01a.

 

 

w10-base-01b.corp.local - Launch PowerShell

 

Once fully logged into the virtual machine, we now want to launch the PowerShell command-line tool by:

  1. Right-click on the PowerShell icon in the Task Bar.
  2. Click on Run as Administrator in the PowerShell menu.

 

 

w10-base-01b.corp.local - User Account Control

 

  1. Click on the Yes button to launch PowerShell as an administrator.

 

 

w10-base-01b.corp.local - Confirm VM Secure Boot

 

  1. Type the following command and hit the Enter key to check whether UEFI Secure Boot is enabled:
Confirm-SecureBootUEFI
  2. The command returns False, which is expected since we do not currently have Secure Boot enabled.

NOTE: False means the guest is running on EFI firmware with Secure Boot turned off. On a virtual machine configured with BIOS firmware the cmdlet does not return False; it fails with an error that the cmdlet is not supported on this platform.

 

 

Exit PowerShell

 

  1. Type the following command and hit the Enter key to close PowerShell.
exit

 

 

w10-base-01b.corp.local - Shut Down Guest OS

 

We need to shut down the virtual machine in order to enable secure boot in the settings.

  1. Right-click on the Windows button.
  2. Select Shut down or sign out in the drop-down menu.
  3. Select Shut down from the drop-down menu.

NOTE: Keep the Google Chrome tab open for the w10-base-01b.corp.local virtual machine since we will need to return to it again shortly.

 

 

Secure boot for Virtual Machines - Complete

In this lesson, we logged into a Windows 10 virtual desktop and launched PowerShell with administrative permissions. We then ran Confirm-SecureBootUEFI, which returned False because we had not yet configured Secure Boot for the virtual machine. In the next lesson, we will enable Secure Boot for the virtual machine.

 

Enable Secure Boot for Virtual Machines


In this lesson, we will walk through the steps to configure a virtual machine for Secure Boot.


 

w10-base-01b.corp.local - Edit Settings

 

Now let's click back on the vSphere Web Client tab for the vcsa-01b.corp.local vCenter server.

  1. Then Right-click on the w10-base-01b.corp.local virtual machine.
  2. Select Edit Settings from the drop-down menu.

 

 

w10-base-01b.corp.local - Enable Secure Boot

 

  1. Click on the VM Options tab in the pop-up window.
  2. Select EFI from the Firmware (*) drop-down menu.
  3. Check the box for Secure Boot (EFI boot only).
  4. Click on the OK button.

 

 

w10-base-01b.corp.local - Power On Virtual Machine

 

  1. Click on the w10-base-01b.corp.local virtual machine.
  2. Click on the Green Triangle icon to power on the w10-base-01b.corp.local virtual machine.

 

 

w10-base-01b.corp.local - Tab

 

  1. Return to the w10-base-01b.corp.local virtual machine tab in the browser.

 

 

w10-base-01b.corp.local - Desktop

 

  1. Click anywhere on the w10-base-01b.corp.local desktop to get to the login screen.

 

 

w10-base-01b.corp.local - Login

 

  1. Type VMware1! into the Password text field.
  2. Click on the arrow next to the Password text field to log into the virtual machine.

NOTE: Ignore that on the Login screen that the virtual machine name is w10-base-01a.

 

 

w10-base-01b.corp.local - Console Window

 

  1. Right-click on the PowerShell icon in the Task Bar.
  2. Then click on Run as Administrator to open PowerShell with administrator privileges.  

 

 

w10-base-01b.corp.local - User Account Control

 

  1. Click on the Yes button to continue.

 

 

w10-base-01b.corp.local - Confirm SecureBootUEFI

 

  1. Type the following command and hit the Enter key from within PowerShell:
Confirm-SecureBootUEFI
  2. The Confirm-SecureBootUEFI command now returns True, which reflects that Secure Boot is enabled for the virtual machine.

 

 

w10-base-01b.corp.local - Close PowerShell

 

  1. Type the following command to close PowerShell.
exit

 

 

w10-base-01b.corp.local - Shut Down

 

We need to shut down the virtual machine since we are finished with it.

  1. Right-click on the Windows icon.
  2. Select Shut down or sign out from the drop-down menu.
  3. Select Shut down from the drop-down menu.

 

 

w10-base-01b.corp.local - Close Tab

 

At this point we are finished using the w10-base-01b.corp.local virtual machine.

  1. Click on the "X" to close the tab for the w10-base-01b.corp.local virtual machine.

 

 

Secure Boot for Virtual Machines - Complete

In this lesson, we learned how to enable virtual machines for EFI Secure Boot, which is found under Edit Settings > VM Options > Boot Options > Firmware > EFI together with Edit Settings > VM Options > Boot Options > Secure Boot > Secure Boot (EFI boot only). Then we ran the Confirm-SecureBootUEFI PowerShell command twice to confirm whether Secure Boot was enabled on the virtual machine. This provides another way to check from within the guest without going to the virtual machine settings in the vCenter server: the command returns False when Secure Boot is disabled and True when it is enabled. Note that switching an existing virtual machine from BIOS to EFI firmware is not a harmless change in general: the guest operating system must already be installed for UEFI boot (a GPT-partitioned disk with an EFI system partition), or it will no longer boot after the change. The lab's w10-base-01b.corp.local virtual machine already was, which is why the cmdlet returned False rather than an error in the previous lesson.
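An added example, not part of the lab manual: the same in-guest check for a Linux virtual machine. The Windows cmdlet above has no Linux equivalent, but the firmware exposes the SecureBoot and SetupMode variables through the kernel's efivarfs, and a short script can read them, including the two cases the cmdlet hides: a BIOS-firmware VM (no UEFI variables at all, which is where Confirm-SecureBootUEFI errors out) and a firmware still in setup mode (no Platform Key enrolled), where signature checking is not enforced and a reviewer should not accept the VM as protected. The variable GUID is the UEFI EFI_GLOBAL_VARIABLE GUID; the byte strings are constructed samples, not values read from the lab VM.

```python
"""Check UEFI Secure Boot state from inside a Linux guest.

Added example, not part of the HOL-1811 lab manual. Linux exposes UEFI
variables as files under /sys/firmware/efi/efivars; each file is 4 bytes of
attribute flags followed by the variable data, and for SecureBoot and
SetupMode the data is a single byte. A BIOS-firmware VM has no
/sys/firmware/efi directory at all, which is the Linux analogue of the
PowerShell cmdlet failing with "not supported on this platform".
"""
import os
from typing import Optional

EFIVARS_DIR = "/sys/firmware/efi/efivars"
# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Constructed samples: attributes 0x00000006 (BS|RT, little-endian) then the value byte.
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUPMODE_USER = b"\x06\x00\x00\x00\x00"    # SetupMode=0: keys enrolled, user mode
SAMPLE_SETUPMODE_SETUP = b"\x06\x00\x00\x00\x01"   # SetupMode=1: no Platform Key, nothing enforced


def efivar_value(raw: bytes) -> int:
    """Strip the 4-byte attribute prefix and return the variable's first data byte."""
    if len(raw) < 5:
        raise ValueError("efivar file too short: expected 4 attribute bytes plus data")
    return raw[4]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Classify the firmware state the way an auditor would want it reported.

    'enforcing'  - SecureBoot=1 and SetupMode=0: boot signatures are being checked
    'setup-mode' - SetupMode=1: key database is writable, nothing is enforced
    'disabled'   - SecureBoot=0 in user mode
    """
    secure = efivar_value(secureboot_raw)
    setup = efivar_value(setupmode_raw)
    if setup == 1:
        return "setup-mode"
    return "enforcing" if secure == 1 else "disabled"


def guest_secure_boot_state(efivars_dir: str = EFIVARS_DIR) -> Optional[str]:
    """Read the live variables; None means the VM booted with BIOS firmware (no UEFI)."""
    if not os.path.isdir(efivars_dir):
        return None

    def read(name: str) -> bytes:
        path = os.path.join(efivars_dir, "{0}-{1}".format(name, EFI_GLOBAL_GUID))
        with open(path, "rb") as fh:
            return fh.read()

    try:
        return secure_boot_state(read("SecureBoot"), read("SetupMode"))
    except FileNotFoundError:
        # UEFI firmware that does not implement Secure Boot at all.
        return "unsupported"


if __name__ == "__main__":
    state = guest_secure_boot_state()
    print("Secure Boot:", "BIOS firmware, not applicable" if state is None else state)
```

Treat only "enforcing" as equivalent to the True returned by Confirm-SecureBootUEFI. The in-guest reading is what the firmware reports to the guest, so, as with the PowerShell check, it complements rather than replaces the virtual machine's settings in vCenter Server.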

 

Conclusion


Congratulations on completing Module 4!

In this module, we covered the new vSphere 6.5 feature Secure Boot for Hosts and Virtual Machines. For hosts, Secure Boot ensures that only a VMware-signed ESXi image and VMware-signed VIBs are loaded at boot, so unsigned code cannot be introduced into the boot image; for virtual machines, it applies the same UEFI signature checking to the guest's boot loader. Feel free to continue on to Module 5, or skip ahead to another module.

Proceed to the next module (Module 5 - No-Cryptography Administrator Roles and Permissions), or feel free to skip to any other module below which interests you most.


 

Secure Boot for Hosts & VMs Resources:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Module 5 - No-Cryptography Administrator Roles and Permissions (15 minutes)

Introduction


IMPORTANT NOTE: If you have started this module and have continued directly after completing Module 3 (VM Encryption and Encrypted vMotion), you can skip the first two lessons and go directly to the third lesson (Log In Using No-Cryptography User Account). If you have NOT performed Modules 3 prior to starting this module (module 5), we will need to do some extra steps to get the lab ready. First, we will add a single HyTrust KMS server to the vCenter Server which allows us to encrypt virtual machines. Then we will need to encrypt a virtual machine before starting the Log In Using No-Cryptography User Account lesson.

In this module, (No Cryptography Administrator Roles and Permissions), we will discuss the new No-Cryptography Role that has been added in vSphere 6.5. When wanting to use the new security features of virtual machine encryption and encrypted vMotion, we get into needing Key Management Servers (KMS). However, we don't want every single administrator that has administrative access to a vCenter server to be able to encrypt and decrypt objects.

Users with the No cryptography administrator role for an object have the same privileges as users with the Administrator role, except for Cryptographic operations privileges. This role allows administrators to designate other administrators that cannot encrypt or decrypt virtual machines or access encrypted data, but that can perform all other administrative tasks.

Only vCenter Server has the credentials for logging in to the KMS. Your ESXi hosts do not have those credentials. vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts. vCenter Server does not store the KMS keys, but keeps a list of key IDs. vCenter Server checks the privileges of users who perform cryptographic operations. You can use the vSphere Web Client to assign cryptographic operation privileges or to assign the No cryptography administrator custom role to groups of users.

Encryption tasks are possible only in environments that include vCenter Server. In addition, the ESXi host must have encryption mode enabled for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. If virtual machine encryption tasks require a change to the host encryption mode, additional privileges are required.

Cryptography Privileges and Roles

By default, the user with the vCenter Server Administrator role has all privileges, including all Cryptographic Operations privileges. You can assign the No cryptography administrator role to vCenter Server users and administrators who do not need Cryptographic Operations privileges. The No cryptography administrator lacks the following privileges for cryptographic operations:

To further limit what users can do, you can clone the No cryptography administrator role and create a custom role with only some of the Cryptographic Operations privileges. For example, you can create a role that allows users to encrypt but not to decrypt virtual machines, or that grants privileges only for management operations. See the vSphere Security manual for details.

In this module, we will perform the following tasks:


 

Lab Assumptions

We have already created an Active Directory user account (nocrypto@corp.local) and assigned that account the No cryptography administrator role. We will use this pre-defined account to log into the vCenter Server.

 

Configure Hytrust KMS Server in vCenter Server


IMPORTANT NOTE: If you have started this module and have continued directly after completing Module 3 (VM Encryption and Encrypted vMotion), you can skip the first two lessons and go directly to the third lesson (Log In Using No-Cryptography User Account). If you have NOT performed Modules 3 prior to starting this module (module 5), we will need to do some extra steps to get the lab ready. First, we will add a single HyTrust KMS server to the vCenter Server which allows us to encrypt virtual machines. Then we will need to encrypt a virtual machine before starting the Log In Using No-Cryptography User Account lesson.


 

Launch Google Chrome

 

If Google Chrome is not already open, you can either:

  1. Double-click the Google Chrome icon on the Main Console Desktop.
  2. Or click the Google Chrome icon on the Quick Launch bar.

NOTE: If Google Chrome is already open, click on the New Tab icon to open a new tab.

 

 

RegionB vCenter Server

 

  1. Click on the RegionB vCenter bookmark in the Bookmark Toolbar.

 

 

Log into RegionB vCenter Server

 

If already logged into the RegionB vCenter server, you can skip the below steps. If you aren't, complete steps 1 - 3:

  1. Type administrator@corp.local in the the User name text field.
  2. Type VMware1! into the Password text field.
  3. Click on the Login button.

 

 

Home Menu

 

  1. Click on the Home icon at the top of the screen.
  2. Select Global Inventory Lists in the Home drop-down menu.

 

 

Select vCenter Server

 

  1. Select vCenter Servers in the left Navigation Pane.

 

 

vcsa-01b.corp.local

 

  1. Click on the vcsa-01b.corp.local vCenter Server.

 

 

Add HyTrust Key Manager (KMS) Server

 

In order to use any type of encryption in vSphere, we must first have a Key Management Server (KMS) up and running. Then we have to add at least one KMS server to vCenter Server and configure the trust relationship between the KMS and vCenter Server. So the first thing we need to do is add a KMS server to vCenter; perform the following tasks to accomplish this:

  1. Click on the Configure tab in the Content Pane.
  2. Click on Key Management Servers under the More category.
  3. Click on the green + Add KMS... icon in the Content Pane.

NOTE: Be sure that the vcsa-01b.corp.local vCenter server is selected and NOT the vcsa-01a.corp.local vCenter server!

 

 

vcsa-01b.corp.local - Add KMS

 

  1. Keep the default selection <Create new cluster> in the KMS cluster drop-down menu.
  2. Type HyTrust KMS Cluster 1 in the Cluster name text field.
  3. Type HyTrust KMS Server 1 in the Server alias text field.

 

 

vcsa-01b.corp.local - Add KMS (continued)

 

  1. Type kms-01b.corp.local in the server address text field.
  2. Type 5696 in the Server port text field.
  3. Click on the OK button.

 

 

vcsa-01b.corp.local - Default KMS Server

 

  1. Click on the Yes button to accept is as the default KMS server.

 

 

vcsa-01b.corp.local - Trust Certificate

 

  1. Click on the Trust button.

NOTE: Clicking the Trust button looks as though it establishes the trust relationship between the KMS and vCenter Server, but that is not the case for this KMS. We still have to configure the trust manually, as the next steps show.

 

 

Create Trust For HyTrust KMS Server 1

 

We see that the HyTrust KMS server is showing the Connection State with a red exclamation point stating Cannot establish a trust connection. With the HyTrust KMS server, we have to establish the trust manually even though we clicked on the Trust button on the previous pop-up window.

To create the trust relationship between the HyTrust KMS Server 1 and the vCenter server:

  1. Select the HyTrust KMS Server 1 (kms-01b.corp.local) from under the HyTrust KMS Cluster,
  2. Click Establish trust with KMS icon.

 

 

Create Trust For HyTrust KMS Server 1 - Upload certificate and private key

 

  1. Click on the Upload certificate and private key radio button.
  2. Click on the OK button.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

 

  1. Click on the Upload file button at the top half of the pop-up window.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

 

We have already downloaded this certificate PEM file from the HyTrust KMS server web interface.

  1. Browse to the following path "C:\LabFiles\HOL-1811\vcsa01b\"
  2. Select the vcsa01b.pem file.
  3. Click on the Open button.

 

 

Create Trust For HyTrust KMS Server 1 - Upload Private Key

 

  1. Click on the second Upload file button, in the bottom half of the pop-up window (the private key).

 

 

Create Trust For HyTrust KMS Server 1 - Upload Private Key

 

  1. Browse to the following path "C:\LabFiles\HOL-1811\vcsa01b\"
  2. Select the vcsa01b.pem file again. The same file is used for both uploads because the PEM downloaded from the HyTrust KMS server contains both the client certificate and its private key.
  3. Click on the Open button.
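An added example, not part of the lab manual: a small pre-flight check for the credential file before it is uploaded. The dialog expects a PEM client certificate and its matching PEM private key, and the lab supplies one file for both fields, so that file must contain both blocks. The script inventories the PEM blocks in a file, reports a missing certificate or key, flags a passphrase-protected key (it is assumed here that the vCenter upload dialog has no way to supply a passphrase) and does a minimal DER sanity check on each block. The sample bundle is constructed with a placeholder DER body, not a real certificate or key; it only exercises the checks.

```python
"""Sanity-check a KMS client credential file before uploading it to vCenter.

Added example, not part of the HOL-1811 lab manual. Inventories the PEM blocks
in a file and lists what would make the "Upload certificate and private key"
step fail. Uses only the standard library, so it cannot verify that the key
matches the certificate; it catches the structural problems (missing block,
encrypted key, corrupt base64/DER) that otherwise surface only as an opaque
error in the Web Client.
"""
import base64
import re
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}

# Constructed placeholder DER: SEQUENCE { INTEGER 5 }, bytes 30 03 02 01 05.
# Not a real certificate or key; it only has to be well-formed DER.
_PLACEHOLDER_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()

SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + _PLACEHOLDER_DER_B64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n" + _PLACEHOLDER_DER_B64 + "\n-----END PRIVATE KEY-----\n"
)


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every well-formed PEM block in the text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            raise ValueError("PEM block {0!r} is not valid base64".format(m.group("label")))
        blocks.append((m.group("label"), der))
    return blocks


def der_is_sequence(der: bytes) -> bool:
    """Minimal DER check: outer tag is SEQUENCE and the length field matches the body."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                        # short-form length
        header, length = 2, first
    else:                                   # long-form length: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


def check_kms_client_bundle(text: str) -> Dict[str, object]:
    """Inventory a PEM file and list anything that would make the vCenter upload fail."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    problems: List[str] = []
    if not any(label in CERT_LABELS for label in labels):
        problems.append("no CERTIFICATE block: the certificate upload field will reject this file")
    if not any(label in KEY_LABELS for label in labels):
        if any(label in ENCRYPTED_KEY_LABELS for label in labels):
            # Assumption: the upload dialog offers no passphrase field.
            problems.append("private key is passphrase-protected; decrypt it first")
        else:
            problems.append("no PRIVATE KEY block: the private key upload field will reject this file")
    for label, der in blocks:
        if not der_is_sequence(der):
            problems.append("{0} block is not a DER SEQUENCE (corrupt or truncated)".format(label))
    return {"labels": labels, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    report = check_kms_client_bundle(SAMPLE_BUNDLE)
    print("blocks:", report["labels"])
    print("ready to upload" if report["ok"] else "\n".join(report["problems"]))
```

Point the script at the real file (for example C:\LabFiles\HOL-1811\vcsa01b\vcsa01b.pem) instead of SAMPLE_BUNDLE to check it before the upload; a file that passes can still be rejected if the key does not belong to the certificate, which needs a proper X.509 library to confirm.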

 

 

Create Trust For HyTrust KMS Server 1 - Upload Certificate

 

  1. Click on the OK button.

 

 

Create Trust For HyTrust KMS Server 1 - Trust Normal

 

  1. Verify that we now have a trust between the vCenter Server and the HyTrust KMS Server 1, it should now have a green check mark with a status of Normal.

 

 

Open New Tab

 

  1. Click on the New Tab button to open a new Google Chrome tab.

 

 

Connect to HyTrust KeyControl Page

 

Now we will log into the HyTrust KMS Server to confirm that it is up and operational.

  1. Click on the HyTrust KeyControl tab.
  2. Type https://192.168.210.91 into the address bar.

NOTE: Once you type in the IP address, it will automatically redirect you to the https://192.168.210.91/#/login address.

 

 

HyTrust KMS Server - Login

 

  1. Type secroot in the Username text field.
  2. Type VMware1! in the Password text field.
  3. Then click on the Sign-in button.

 

 

HyTrust KMS Cluster - Verify Status

 

Although we only added one HyTrust KMS server and created the trust relationship with vCenter, we still look at the "cluster" within the HyTrust web client to see the status of the server. Ignore the name "cluster" here; it does not imply the clustered server configuration we would normally think of.

  1. After logging into the HyTrust KMS Server portal, if you see the green heart image over the CLUSTER tab, then the HyTrust KMS Server is running properly.

NOTE: If you see a red icon on the CLUSTER tab, there is an issue and we need to reboot the HyTrust KMS Server. Continue on to the next steps if it shows anything other than a green heart.

 

 

Reboot Default HyTrust KMS Server (if needed)

 

Only do the below tasks if the HyTrust KMS server cluster showed red on the CLUSTER tab; if it showed the green heart, skip the below steps.

  1. Return to the vSphere Web Client by clicking on the vSphere Web Client tab in Google Chrome.
  2. Click on the default HyTrust KMS server kms-01b.corp.local virtual machine.
  3. Click on the Restart on the guest operating system of the selected virtual machines icon.

NOTE: It will take a minute or two for the HyTrust KMS server to come fully online.

 

 

HyTrust KMS Server Portal Tab (if needed)

 

Only do the below steps if the HyTrust KMS server cluster showed red on the CLUSTER tab; if it showed the green heart, skip the below steps.

  1. Click on the HyTrust KeyControl tab in Google Chrome.

 

 

HyTrust KMS Server Portal - Sign-in (if needed)

 

Only do the below steps if the HyTrust KMS server cluster showed red on the CLUSTER tab; if it showed the green heart, skip the below steps.

  1. Type secroot in the Username text field.
  2. Type VMware1! in the Password text field.
  3. Then click on the Sign-in button.

 

 

HyTrust KMS Server Portal - Cluster Status (if needed)

 

Only do the below steps if the HyTrust KMS server cluster showed red on the CLUSTER tab; if it showed the green heart, skip the below steps.

  1. Confirm that we now have a green heart icon over the CLUSTER tab.

NOTE: If we now have the green heart over the CLUSTER tab, the HyTrust KMS server is working properly and can provide encryption keys upon request. If for any reason we still do not see the green heart, please ask one of the proctors for assistance, either by raising your hand within the Hands On Lab user interface under the Help menu or by literally raising your hand to get a proctor's attention.

 

 

Close HyTrust KeyControl Tab

 

  1. Click on the "X" to close the HyTrust KeyControl tab in Google Chrome.

 

 

Configure HyTrust KMS Server in vCenter Server - Complete

We have completed this lesson and the associated tasks of adding a HyTrust KMS server within the vCenter server. We also configured the trust relationships between the KMS server and the vCenter server by uploading certificates of the HyTrust KMS server.

We also see the first HyTrust KMS server that was added is automatically selected as the Default KMS server for the cluster.

 

Encrypt VM Using HyTrust KMS Server 1


IMPORTANT NOTE: If you have started this module directly after completing Module 3 (VM Encryption and Encrypted vMotion), you can skip the first two lessons and go directly to the third lesson (Log In Using No-Cryptography User Account). If you have NOT performed Module 3 prior to starting this module (Module 5), we will need to do some extra steps to get the lab ready: we will need to encrypt a virtual machine before starting the Log In Using No-Cryptography User Account lesson.


 

Home Menu

 

From within the vSphere Web Client of vcsa-01b.corp.local, we will now go to the Hosts and Clusters view.

  1. Click on the Home icon at the top of the content pane.
  2. Select Hosts and Clusters from the Home drop-down menu.

 

 

Edit VM Storage Policies

 

In the previous lesson, we added a HyTrust KMS server to the vCenter server and created the trust relationship between them. Now that we have a KMS server configured in vCenter, we can encrypt virtual machines by following the below tasks:

  1. Right-click on the w10-base-01b.corp.local virtual machine.
  2. Select VM Policies from the drop-down menu.
  3. Select the Edit VM Storage Policies from the VM Policies drop-down menu.

 

 

Apply VM Encryption Policy

 

Be aware that we had already created a virtual machine Encryption Storage Policy, which is what we will be using. After adding a KMS server to vCenter and before trying to encrypt a virtual machine, an Encryption Storage Policy must first be created if one does not already exist.

  1. Select the VM Encryption Policy from the VM storage policy drop-down menu.  
  2. Click on the Apply to all button.
  3. Then click on the OK button.

 

 

Recent Tasks Pane

 

  1. Wait until the Reconfigure virtual machine task shows as Completed with a green check mark before moving to the next step.

NOTE: It takes SEVERAL MINUTES to encrypt the disk, please wait until completed.

 

 

w10-base-01b.corp.local - VM Storage Policies Compliance

 

  1. In the content pane, scroll down to the bottom of the page until you see the VM Storage Policies widget.
  2. We should now see that the VM Encryption Policy has been assigned to the virtual machine and is also compliant which is represented by a green check mark.

NOTE: If it doesn't reflect as being compliant in the VM Storage Policies widget, check to make sure the task completed successfully in the Recent Tasks.

 

 

VM Storage Policy - Not Compliant

 

If for any reason the VM Storage Policy widget has no information in it after a minute or two or says that it is not compliant:

  1. Click on the Check Compliance link to update the compliance information.

NOTE: After clicking on the Check Compliance link, the information should update in less than a minute and show Compliant. If the status doesn't change, raise your hand for assistance, either in the Hands On Lab interface or physically, to get a proctor's attention.

 

 

Encrypt VM Using HyTrust KMS Server - Complete

In this lesson, we applied the VM Encryption Policy to the w10-base-01b.corp.local virtual machine using the vSphere Web Client.

 

Log In Using No-Cryptography User Account


In this lesson, we will log in as the nocrypto@corp.local Active Directory user account which has the No-Cryptography Role assigned to the account already.


 

Navigating vCenter

 

In order to show the No-Cryptography role, we need to first navigate to the Roles selection in vCenter.

 

 

Home Page Options

 

  1. Under the Administration section in the content pane, click on the Roles icon.

 

 

Roles

 

Once we are in the Roles section under Administration, we see the list of preconfigured roles, including the No cryptography administrator role. Because this is a predefined role, we are not allowed to make changes to it. Under Roles, we can only create new roles or clone existing predefined roles.

  1. Click on the No cryptography administrator role.
  2. Hover your mouse over the Edit Role Action pencil icon. As you see, it is grayed out, so we are not able to edit the role.
  3. We see that the preconfigured Active Directory user account nocrypto user has been added to the No cryptography administrator role.
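The lab states that No cryptography administrator is a predefined, read-only role that carries every Administrator privilege except the Cryptographic operations ones. A cloned copy of the role is editable, so an auditor may want to confirm that no clone has quietly regained those privileges. The Python audit below is an added example, not code from the lab or from VMware: it takes role definitions in the shape vCenter's AuthorizationManager returns them (a role name plus a list of privilege id strings such as Cryptographer.Decrypt) and reports, for each role other than Administrator, which Cryptographer.* privileges it holds and whether it is exactly Administrator minus the cryptographic privileges. The role lists are constructed and deliberately short; the privilege ids are real vCenter ids but the sample is not a full role dump, and the role names Admin and NoCryptoAdmin are assumed internal names for the two predefined roles.

```python
CRYPTO_PREFIX = "Cryptographer."

# CONSTRUCTED role definitions in the shape of vim.AuthorizationRole
# (name + privilege ids). Only a handful of the real privilege ids are listed.
# With pyVmomi the live list would come from
#   [{"name": r.name, "privilege": list(r.privilege)}
#    for r in si.content.authorizationManager.roleList]
ADMIN_PRIVS = [
    "System.Anonymous", "System.View", "System.Read",
    "Datastore.Browse", "Datastore.FileManagement",
    "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.ConsoleInteract",
    "Cryptographer.Access", "Cryptographer.Encrypt", "Cryptographer.Decrypt",
]
NON_CRYPTO_ADMIN_PRIVS = [p for p in ADMIN_PRIVS if not p.startswith(CRYPTO_PREFIX)]

SAMPLE_ROLES = [
    {"name": "Admin", "privilege": ADMIN_PRIVS},
    {"name": "NoCryptoAdmin", "privilege": NON_CRYPTO_ADMIN_PRIVS},
    # A clone of the predefined role that someone edited to add back the
    # privilege that gates access to encrypted VMs (constructed drift case).
    {"name": "NoCryptoAdmin-clone",
     "privilege": NON_CRYPTO_ADMIN_PRIVS + ["Cryptographer.Access"]},
    {"name": "ReadOnly",
     "privilege": ["System.Anonymous", "System.View", "System.Read"]},
]


def crypto_privileges(privs):
    """Sorted list of the Cryptographic operations privileges in privs."""
    return sorted(p for p in privs if p.startswith(CRYPTO_PREFIX))


def audit_roles(roles, admin_name="Admin"):
    """Compare every role except the Administrator role against
    'Administrator minus Cryptographer.*'.

    Returns {role name: {"crypto": [...], "admin_minus_crypto": bool,
                         "missing": [...], "extra": [...]}}
    where missing/extra are relative to the expected no-crypto privilege set.
    """
    by_name = {r["name"]: set(r["privilege"]) for r in roles}
    expected = {p for p in by_name[admin_name] if not p.startswith(CRYPTO_PREFIX)}
    report = {}
    for name, privs in by_name.items():
        if name == admin_name:
            continue
        report[name] = {
            "crypto": crypto_privileges(privs),
            "admin_minus_crypto": privs == expected,
            "missing": sorted(expected - privs),
            "extra": sorted(privs - expected),
        }
    return report


def roles_with_crypto(report):
    """Names of audited roles that carry any Cryptographic operations privilege."""
    return sorted(name for name, r in report.items() if r["crypto"])


if __name__ == "__main__":
    rep = audit_roles(SAMPLE_ROLES)
    for name, r in rep.items():
        print(name, r)
    print("roles holding crypto privileges:", roles_with_crypto(rep))
```

In the sample, NoCryptoAdmin comes back as exactly Administrator minus the cryptographic privileges, while the edited clone is flagged because Cryptographer.Access appears in its extra list. The check is only as good as the privilege list you feed it, so run it against the live role list rather than a hand-maintained copy.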

 

 

Logout of vCenter Server

 

At this point, we want to log out of the vCenter Server since we are currently logged in as the administrator:

  1. Click on Administrator@CORP.LOCAL drop-down arrow.
  2. Select Logout to log out of the vCenter Server.

 

 

Log in as nocrypto User

 

In order to prove that a user assigned the No cryptography administrator role can't look at an encrypted virtual machine's files, we must log in with the predefined nocrypto Active Directory user account.

  1. Type nocrypto@corp.local in the User name: text field.
  2. Type VMware1! in the Password: text field.
  3. Click on the Login button.

 

 

Log In Using No-Cryptography User Account - Complete

In this lesson, we verified that the Active Directory user account nocrypto was assigned to the No-Cryptography Role in the vCenter server. Then we logged in with the nocrypto@corp.local user account. In the next lesson, we will verify that this account is unable to browse the datastore of an encrypted virtual machine or download one of its files.

 

Attempt to Download Encrypted Virtual Machine File


While logged in as the nocrypto@corp.local Active Directory user account, we will try to download a file of an encrypted virtual machine.

IMPORTANT NOTE: If prior to starting this module (Module 5 - No-Cryptography Administrator Roles and Permissions) you performed all the steps in Module 3 & 4, you can skip to the "Verify Virtual Machine Encryption is Enabled" section of this manual. Otherwise, start from the beginning and work your way through all the steps.


 

Minimize Recent Objects & Recent Tasks Panes (if needed)

 

If the Recent Objects and Recent Tasks panes are maximized, proceed with the following steps; otherwise you can skip them:

  1. Click on the Recent Objects Pin icon to minimize the pane at the bottom of the vSphere Web Client.
  2. Click on the Recent Tasks Pin icon to minimize the pane at the bottom of the vSphere Web Client.

 

 

Home Menu

 

If not already in the Hosts and Clusters view, complete the following commands from within the vSphere Web Client:

  1. Click on the Home icon at the top of the content pane.
  2. Select Hosts and Clusters from the Home drop-down menu.

 

 

w10-base-01b.corp.local

 

  1. Once logged in, click on the arrow by vcsa-01b.corp.local and expand it out until you see the list of all the virtual machines.
  2. Click on the My Encrypted VM1 virtual machine.
  3. Then click on the Summary tab in the content pane.

NOTE: The list of virtual machines may be different in the lab environment than what is in the screen capture depending on if you completed the previous modules prior to doing this module.

 

 

Verify Virtual Machine Encryption is Enabled

 

  1. Scroll down to the bottom of the content pane to where you can see the VM Storage Policies widget.
  2. Verify that the VM Storage Policies widget reflects that the virtual machine is currently encrypted and that the widget is otherwise empty.

 

 

Storage Tab

 

One test to ensure that this nocrypto Active Directory user is correctly restricted is to have the user try to download an encrypted virtual machine's files. If configured correctly, they should not be able to download the virtual machine's files.

To confirm the role is configured properly for this user:

  1. Click on the Storage icon in the left navigation pane.
  2. Click the arrow next to vcsa-01b.corp.local to expand it until you see the datastore.
  3. Click on the RegionB01-ISCSI01-COMP01 datastore.

 

 

 

Files Tab

 

  1. In the Content Pane, click on the Files tab.

 

 

My Encrypted VM1 Folder

 

  1. Click on the My Encrypted VM1 folder.

 

 

Attempt to Download Encrypted Virtual Machine File

 

  1. Click on the w10-base-01b.corp.local folder in the left side of the content pane.
  2. Select the w10-base-01b.corp.local.vmx file in the content pane. (You may need to expand the Name column to see the file extensions.)
  3. Click on the Download from Datastore icon to attempt to download the VMX file.

 

 

Login Pop-Up Window

 

Since we are logged into vCenter with the nocrypto@corp.local account, we see that we are unable to download the VMX file because the virtual machine and all its files are encrypted. We know this because of the pop-up box asking for login credentials. A user with administrative access to vCenter who is NOT assigned the No Cryptography Role would be able to download the VMX file.

  1. Click on the Cancel button.
  2. Then click on the "X" in the upper right-hand side of the pop-up window to close it out.

 

 

Hosts and Clusters

 

  1. Click on the Hosts and Clusters icon in the left navigation pane.

 

 

Attempt to Decrypt w10-base-01b.corp.local

 

Now we will try to remove the virtual machine encryption policy while logged in as the nocrypto@corp.local user by performing the following tasks:

  1. Right-click on the w10-base-01b.corp.local virtual machine.
  2. Click on VM Policies from the drop-down menu.
  3. Click on Edit VM Storage Policies from the VM Policies menu.

 

 

Apply Datastore Default Policy

 

  1. Select the Datastore Default from the VM storage policy drop-down menu.
  2. Click on the Apply to all button to apply it to the VM Home folder and Hard disk 1.
  3. Click on the OK button.

 

 

Permission Denied Error

 

  1. Immediately after clicking the OK button in the previous step, we see a "Permission to perform this operation was denied" pop-up that comes up in the lower right-hand corner of the browser.

NOTE: If you missed this, do not worry. We will verify this in the Monitor tab in the next step.

 

 

w10-base-01b.corp.local Tasks

 

To verify that we were unable to change the encryption storage policy on an encrypted virtual machine, we will look at the Tasks for the My Encrypted VM1 virtual machine.

  1. While still clicked on the w10-base-01b.corp.local virtual machine, click on the Monitor tab in the content pane.
  2. Then click on the Tasks and Events tab.
  3. Tasks should be automatically selected in the left menu of the content pane.
  4. We see that we received an error stating "Permission to perform this operation was denied" when trying to decrypt the My Encrypted VM1 virtual machine while logged in with the nocrypto@corp.local account. This was the expected behavior.

 

 

Attempt to Download Encrypted Virtual Machine File - Complete

In this lesson, we logged into the vCenter server with the Active Directory user account nocrypto@corp.local. This account was already assigned to the No-Cryptography Administrators Role in the vCenter Server. Being assigned the No-Cryptography Administrators Role means that the user is not authorized to download an encrypted virtual machine's files, and also that a No-Cryptography Administrator is unable to encrypt or decrypt a virtual machine.

 

Attempt to Open a Console of an Encrypted VM


In this lesson, we are going to attempt to open the remote console of a virtual machine that is encrypted. If it is configured correctly, we should not be able to open and see the console of a virtual machine that is encrypted.


 

Power On My Encrypted VM1

 

  1. While still having the My Encrypted VM1 selected, click on the green arrow to power the virtual machine on.

NOTE: The list of virtual machines may be different in the screen shot compared to the lab environment depending on what module you started with.

 

 

My Encrypted VM1 Summary Tab

 

  1. Click on the Summary tab.
  2. Wait until the virtual machine is fully up and running as you see in the screen capture.
  3. Then click on the Opens a virtual machine console in a separate window icon.

 

 

Open Console

 

If you get the Open Console pop-up, do the following:

  1. Click on the Continue button.

 

 

Virtual Machines Console Window

 

  1. We see that after clicking on the open console icon, it opens another tab in the browser. Click on the Open Console browser tab that just opened.
  2. We also see the server error message stating Unable to connect to MKS: Permission to perform this operation was denied.

NOTE: This shows us that anyone assigned to the No-Cryptography Administrator role is also unable to open a console to an encrypted virtual machine ensuring they do not have access to the encrypted virtual machine.

 

 

Close Tab

 

We are now finished with the virtual machine console tab.

  1. Click on the "X" on the tab for the virtual machine console to close it.

 

 

Attempt to Open a Console of an Encrypted VM - Completed

In this lesson, we proved that a user assigned to the No-Cryptography Administrator role is not able to open the console of a virtual machine that is encrypted.

 

Attempt to Decrypt a VM


While logged in as the nocrypto@corp.local Active Directory user account, we will try to download a file of an encrypted virtual machine.

IMPORTANT NOTE: If prior to starting this module (Module 5 - No-Cryptography Administrator Roles and Permissions) you performed all the steps in Module 3 & 4, you can skip to the "Verify Virtual Machine Encryption is Enabled" section of this manual. Otherwise, start from the beginning and work your way through all the steps.


 

Attempt to Decrypt w10-base-01b.corp.local

 

Now we will try to remove the virtual machine encryption policy while logged in as the nocrypto@corp.local user by performing the following tasks:

  1. Right-click on the My Encrypted VM1 virtual machine.
  2. Click on VM Policies from the drop-down menu.
  3. Click on Edit VM Storage Policies from the VM Policies menu.

 

 

Apply Datastore Default Policy

 

  1. Select the Datastore Default from the VM storage policy drop-down menu.
  2. Click on the Apply to all button to apply it to the VM Home folder and Hard disk 1.
  3. Click on the OK button.

 

 

Permission Denied Error

 

  1. Immediately after clicking the OK button in the previous step, we see a "Permission to perform this operation was denied" pop-up that comes up in the lower right-hand corner of the browser.

NOTE: If you missed this, do not worry. We will verify this in the Monitor tab in the next step.

 

 

w10-base-01b.corp.local Tasks

 

To verify that we were unable to change the encryption storage policy on an encrypted virtual machine, we will look at the Tasks for the My Encrypted VM1 virtual machine.

  1. While still clicked on the My Encrypted VM1 virtual machine, click on the Monitor tab in the content pane.
  2. Then click on the Tasks and Events tab.
  3. Tasks should be automatically selected in the left menu of the content pane.
  4. We see that we received an error stating "Permission to perform this operation was denied" when trying to decrypt the My Encrypted VM1 virtual machine while logged in with the nocrypto@corp.local account. This was the expected behavior.

 

 

Attempt to Download Encrypted Virtual Machine File - Complete

In this lesson, we logged into the vCenter server with the Active Directory user account nocrypto@corp.local. This account was already assigned to the No-Cryptography Administrators Role in the vCenter Server. Being assigned the No-Cryptography Administrators Role means that the user is not authorized to encrypt or decrypt virtual machines.

 

Conclusion


Congratulations on completing Module 5 as well as the entire "HOL-1811-04-SDC - vSphere 6.5 Security Concepts and Implementation" lab!

In this module, we discussed that users with the No cryptography administrator role for an object have the same privileges as users with the Administrator role, except for Cryptographic operations privileges. This role allows administrators to designate other administrators that cannot encrypt or decrypt virtual machines or access encrypted data, but that can perform all other administrative tasks.

In this lesson, we performed several tasks such as:

In this lab (HOL-1811-04-SDC - vSphere 6.5 Security Concepts and Implementation), we covered the following modules:  

Feel free to go back and skip to any other module below in which you may be interested in doing again.


 

No-Cryptography Role Resources:

NOTE: The links to VMware resources in the lab manuals are meant for reference purposes. The lab environment may or may not be connected to the internet, so you may not be able to view these resources. Feel free to either copy the link manually or take a picture using your mobile device in the event you are unable to reach the link that is provided.

Below are some links to additional resources that we think you will find useful regarding the No-Cryptography Administrator Role.

 

 

Since this lab was related to security, we wanted to mention that we also have a lab that relates to application security: HOL-1842-01-NET - Introduction to VMware AppDefense.

Description:

VMware AppDefense is a datacenter security tool that enables Application Control, Detection, and Response. It's meant to provide foundational elements of Cloud Workload Protection, such as System Integrity, App Control, and Memory Monitoring. In this module, the participant will review an overview of the application platform and components.

 

 

 

OPTIONAL: How to End the Lab

 

NOTE: Understand that when you click the END button in the lab, it will close out the lab and delete the associated virtual machines. This means when the lab is re-launched, it will create a new lab instance with new virtual machines, not the ones used previously. Any and all previous settings will be lost and they will be back to the default settings from when the lab is first deployed.

You can now continue to the next module by clicking forward, or use the Table of Contents to skip to another desired Module.

If you'd like to end your lab, click on the END button.

Note: If you end your lab, you will need to re-register for the lab in order to take any other modules.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1811-04-SDC

Version: 20171016-132814