VMware vCenter Orchestrator Part 1 – PowerShell Plug-in Installation

Introduction

VMware vCenter Orchestrator (hereafter vCO) was deployed a few weeks back and it’s been decided to deploy PowerShell plug-in for advanced automation workflows. Due to the lack of documentation, it wasn’t straightforward installing & configuring PowerShell host. In this post, I would like to share my experience with you.

For those of you who’s not familiar with vCO, the following documentations would be helpful. Also, attaching PowerShell plug-in documentation.

Pre-requisite

Before starting, there are some pre-requisites to prepare:

  1. PowerShell Host
    • Used Windows 2008 R2
  2. PowerShell plug-in for vCO
  3. IIS
  4. Local admin access

Installing PowerShell Plug-in

This is quite straightforward, please refer to this documentation. Basically, it’s to download and upload a file.

Configuring PowerShell Host

PowerShell plug-in uses Windows Remote Management to connect to the PowerShell host. For it’s authentication, there are 2 methods:

  • Basic Authentication
  • Kerberos Authentication

As there was no Key Distribution Center available i.e. Kerberos cannot be used for the authentication, I will be going through basic authentication with HTTPS.

1. Create self-signed certificate

The documentation suggests using makecert. However, it wasn’t easy enough to install Windows SDK and it’s dependencies. Alternatively, I used IIS to generate a self-signed certificate.

  1. Run IIS Manager
  2. Go to Server Certificates
  3. Click Create Self-Signed Certificate on the right hand corner
  4. Put the friendly name in, FQDN of the PowerShell host

vCO Blog 1

Once the self-signed certificate is created, it’s required to check the right certificate is added in certificate store.

  1. Go to Run and type mmc
  2. Add Snapin and select Certificates
  3. Under Certificates, expand Personal -> certificates and ensure the self-signed certificate created is listed here
  4. Also, expand and check Certificates -> Trusted Root Certification Authorities -> certificates

Now it’s good to go and configure WinRM connection.

2. Configure WinRM connection, HTTPS

As discussed in the introduction, basic authentication will be used. There are two ways, either HTTP or HTTPS. To ensure a secure connection, I will be going through HTTPS (this is also the reason why the certificate was generated previously).

  1. Open Command Prompt as the administrator
  2. Run: winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=”host_name”;CertificateThumbprint=”certificate_thumbprint”}
    • host_name is the friendly name you’ve put in while creating the certificate
      certificate_thumbprint detail could be found on mmc. Double click the self-signed certificate and look for Thumbprint under Details tab
  3. Run the following command to confirm winrm is configured properly: winrs -r:https://hostname:5986 -u:administrator -p:password hostname
  4. After this, ensure port 5986 is opened on the Windows firewall. This is the default port for WinRM HTTPS connection.

3. Import SSL certificate to vCO

Before adding a PowerShell host, it’s required to import the SSL certificate to vCO.

  1. Log-in to https://vco_server:8283
  2. Navigate to Network -> SSL Trust Manager
  3. Under Import From URL: https://powershell_host:5986

To remind you again, 5986 is the default port for WinRM HTTPS connection.

4. Enable Basic Authentication on the Group Policy

After step 3, I tried to run Add a PowerShell Host workflow in the vCO client and faced the following issue:

Unauthorized access. Authentication mechanism requested by the client may not be supported by the server. (Dynamic Script Module name: addPowerShellHost#16).

Running winrm get winrm/config/service/Auth, found out that Basic authentication was disabled and this is by default.
Enabled it by winrm set winrm/config/service/Auth @{Basic=“True”}. However, even the Basic authentication was active, I was still suffering from the error message above.

After Googling a bit, one guy suggested to edit Group Policy.

  1. Run Group Policy Edit, gpedit.msc
  2. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM)
  3. For both Client and Service, Enable Basic Authentication

vCO Blog 4

Once it was enabled in the Group Policy, I was able to add a PowerShell host.

5. Add a PowerShell Host

Adding a PowerShell host could be done via running the workflow.

  1. Log-in to VMware vCenter Orchestrator Client
  2. Under Design -> Library -> PowerShell -> Configuration -> Add a PowerShell host

vCO Blog 5

vCO Blog 6

Future Work
For the next blog post, I will be going through how to import your PowerCLI script into vCO.

Hope this was helpful.

VMware vCenter Orchestrator Part 1 – PowerShell Plug-in Installation

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s