Replace Usage Meter 4.2 /4.3 certificates

Posted on by Nithin Titta

Note: Before making any changes, it is highly recommended that you take the necessary backup/snapshots of the usage meter VM instances.

Usage meter certificate replacement is rather simple. Usage meter 4.2 Runs on Nginx and the Nginx configuration for the webserver is located here

/opt/vmware/cloudusagemetering/conf/nginx.conf

Let’s take a look at the Nginx configuration for certificate and the key used:

root@is-dhcp35-102 [ / ]# cat /opt/vmware/cloudusagemetering/conf/nginx.conf | grep crt
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
root@is-dhcp35-102 [ / ]# cat /opt/vmware/cloudusagemetering/conf/nginx.conf | grep key
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

In order to replace the certificate, Either rename and replace the above-mentioned files with the new CA-signed certificate, key
OR
create a directory and dump the new, signed certificate, key in there and make necessary corrections to the config file.

Do keep in mind that the permissions will need to be set accordingly. (chown and chgrp)


root@is-dhcp35-102 [ /etc/ssl/certs ]# ls -ltrh nginx-selfsigned.crt
-rw-r--r-- 1 root root 1.3K Jun 25 05:02 nginx-selfsigned.crt

root@is-dhcp35-102 [ /etc/ssl/private ]# ls -ltrh
total 4.0K
-rw------- 1 usagemeter usagemeter 1.7K Jun 25 05:02 nginx-selfsigned.key

Once done, restart the usage meter appliance. 

reboot -f

photon 2.0 Network configuration

Posted on by Nithin Titta

file: /etc/systemd/network/10-eth0.network


[Match]
Name=eth0

[Network]
Gateway=192.168.1.1
Address=192.168.1.10/17
DNS=12.168.1.99
DNS=192.168.2.99

DHCP=no

[DHCP]
UseDNS=false

if the DNS= is not specified on the file, resolve.conf will be overwritten with DHCP provided values (if the DHCP flag is not present)

Usage meter 4.x root password reset/unlock

Posted on by Nithin Titta

At the photon logo, press ‘e’ and you will see the editable grub menu:
Append rw init=/bin/bash on the line that starts with “linux”

Press ctrl + x or f10 to continue

you should see a screen similar to the below:

Update: UM 4.3+ you must remount root partition to read-write, run the below command:

mount -o remount,rw /

To unlock the account, type the below command (if you know the password)

/sbin/pam_tally2 -r -u root

to reset the password, run the below 

passwd root

Note: Changing the password does not unlock the account. if the account is locked out, you will need to run the previous command to unlock

Restart the guest of and then boot back into normal appliance and then try logging back in.

vRBC -Exporting a database dump/restoring Database dump

Posted on by Nithin Titta

Instructions to backup/restore the vRBC database below

Backup DB:

export PGPASSWORD=`grep 'jdbc.password=\K.*' /usr/local/tomcat/itbm-server/conf/itfm.properties -Po` 

   /opt/vmware/vpostgres/current/bin/pg_dump --data-only -U itfm_cloud_admin -d postgres -t vcac_user_consumer_mapping > /root/backup.sql

Restore DB

   export PGPASSWORD=`grep 'jdbc.password=\K.*' /usr/local/tomcat/itbm-server/conf/itfm.properties -Po` 

   /opt/vmware/vpostgres/current/bin/psql -U itfm_cloud_admin -d postgres -f /root/backup.sql

Log in/connect to vRBC vPostgres:

/usr/ITFM-Cloud/va-tools/bin/db-client.sh

VRA 7.x health API via bash with results

Posted on by Nithin Titta

Horizon

curl https://localhost/SAAS/API/1.0/REST/system/health -k

[master] cava-n-80-094:/etc/init.d # curl https://localhost/SAAS/API/1.0/REST/system/health  -k
{"AnalyticsUrl":"http://localhost:8080","EhCacheClusterPeers":"","AuditPollInterval":"1000","EncryptionServiceVersion":"unknown","AnalyticsConnectionOk":"true","EncryptionServiceVerified":"Master Keystore verified","FederationBrokerStatus":"ok","ServiceReadOnlyMode":"false","AuditWorkerThreadAlive":"true","BuildVersion":"3.1.0.0 Build 12694081","AuditQueueSize":"0","DatabaseStatus":"connection failure","HostName":"cava-n-80-094.eng.vmware.com","EncryptionStatus":"connected","FederationBrokerOk":"true","EncryptionConnectionOk":"true","EncryptionServiceImpl":"Encryption Service DB","ClusterId":"9b545db2-2c45-4950-b8e3-99e0eb3671d3","EhCacheClusterDiagnostics":"","DatabaseConnectionOk":"false","StatusDate":"2020-02-22 13:38:46 UTC","ClockSyncOk":"true","MaintenanceMode":"false","MessagingConnectionOk":"true","fipsModeEnabled":"false","ServiceVersion":"3.1.0","IpAddress":"10.149.80.94","AuditDisabled":"false","AllOk":"false"}[master]

Elastic search

curl localhost:9200/_cluster/health?pretty=true

[master] cava-n-80-094:~ # curl localhost:9200/_cluster/health?pretty=true
{
  "cluster_name" : "horizon",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 5,
  "active_shards" : 5,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 5,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0
}

Recovering from expired certificates on vRo (vRealize orchestrator)- cli methord

Posted on by Nithin Titta

So the other day the vRo certificates had expired. We tried to change it from the vco-control center, after importing the certificates, vRo UI would simply stay there stating restarting in 2 min but nothing happens.

to replace the certificate’s via CLI

Grab the Keystore password

cat  /var/lib/vco/keystore.password
Pge2Nn366tNBqNavkgg6VZOHJuWmkIHAEPNq1DYu

Generate CSR using key tool

keytool -certreq -alias dunes -keypass "Pge2Nn366tNBqNavkgg6VZOHJuWmkIHAEPNq1DYu" -keystore "/etc/vco/app-server/security/jssecacerts" -file "/crt/new.csr" -storepass "Pge2Nn366tNBqNavkgg6VZOHJuWmkIHAEPNq1DYu" -ext SAN=DNS:vip.domain.com,DNS:vro1.domain.com,DNS:vro2.domain.com

Grab the /crt/new.csr and get this signed using the CA, Import the signed cert back into vRo and then import the certificate

keytool -importcert -alias dunes -keypass "Pge2Nn366tNBqNavkgg6VZOHJuWmkIHAEPNq1DYu" -file "/crt/casigned.crt" -keystore "/etc/vco/app-server/security/jssecacerts" -storepass "Pge2Nn366tNBqNavkgg6VZOHJuWmkIHAEPNq1DYu"

Restart Services

service vco-server restart && service vco-configurator restart

Now, copy the signed certificate over to node2 and then run the import command (grab the keystore password from /var/lib/vco/keystore.password)

keytool -importcert -alias dunes -keypass "AzW2gI1QJcNcRNzRX3TyrznhKlYNagKje45fTbSB" -file "/crt/casigned.crt" -keystore "/etc/vco/app-server/security/jssecacerts" -storepass "AzW2gI1QJcNcRNzRX3TyrznhKlYNagKje45fTbSB"

Restart services and you are done!!

service vco-server restart && service vco-configurator restart

vRA Service registration status using bash CLI

Posted on by Nithin Titta

log in to terminal of the vRA appliance and run the below script

curl --insecure -f -s -H "Content-Type: application/json" "https:/$HOSTNAME/component-registry/services/status/current?limit=200" | sed "s/}/\n/g" | grep -E -o ".serviceName.*serviceInitializationStatus.[^,]*" | sed "s/\"serviceTypeId.*,//g" | sed -e "s/\"//g" -e "s/:/=/g" -e "s/,/, /" | sed -e "s/serviceName\|serviceInitializationStatus\|=\|,\|null//g" | column -t | sort | cat -n

looking for a specific record on a Postgres database

Posted on by Nithin Titta

The below script will look for a string in every column of the database. To start off with, Log in to postgres and make sure that you have selected the database.

create a function by running the below script. (copy and paste as it is)

CREATE OR REPLACE FUNCTION search_whole_db(_like_pattern text)
  RETURNS TABLE(_tbl regclass, _ctid tid) AS
$func$
BEGIN
   FOR _tbl IN
      SELECT c.oid::regclass
      FROM   pg_class c
      JOIN   pg_namespace n ON n.oid = relnamespace
      WHERE  c.relkind = 'r'                           -- only tables
      AND    n.nspname !~ '^(pg_|information_schema)'  -- exclude system schemas
      ORDER BY n.nspname, c.relname
   LOOP
      RETURN QUERY EXECUTE format(
         'SELECT $1, ctid FROM %s t WHERE t::text ~~ %L'
       , _tbl, '%' || _like_pattern || '%')
      USING _tbl;
   END LOOP;
END
$func$  LANGUAGE plpgsql;

Now, run the below command, replace ‘mypattern’ with the object you are looking for

SELECT * FROM search_whole_db('mypattern');

Here’s an example:

I am looking for a VM named hosting:57669-1:HTM:Cluster1-Web5 in a vCD database. Below is the output from psql

Type "help" for help.

vcd=# CREATE OR REPLACE FUNCTION search_whole_db(_like_pattern text)
vcd-#   RETURNS TABLE(_tbl regclass, _ctid tid) AS
vcd-# $func$
vcd$# BEGIN
vcd$#    FOR _tbl IN
vcd$#       SELECT c.oid::regclass
vcd$#       FROM   pg_class c
vcd$#       JOIN   pg_namespace n ON n.oid = relnamespace
vcd$#       WHERE  c.relkind = 'r'                           -- only tables
vcd$#       AND    n.nspname !~ '^(pg_|information_schema)'  -- exclude system schemas
vcd$#       ORDER BY n.nspname, c.relname
vcd$#    LOOP
vcd$#       RETURN QUERY EXECUTE format(
vcd$#          'SELECT $1, ctid FROM %s t WHERE t::text ~~ %L'
vcd$#        , _tbl, '%' || _like_pattern || '%')
vcd$#       USING _tbl;
vcd$#    END LOOP;
vcd$# END
vcd$# $func$  LANGUAGE plpgsql;
CREATE FUNCTION
vcd=#
vcd=# SELECT * FROM search_whole_db('hosting:57669-1:HTM:Cluster1-Web5');
  _tbl  | _ctid
--------+-------
 vm_inv | (2,8)
(1 row)