vRealize Log Insight Internal Certificate Expiration and Vulnerabilities

A lot of vRLI customers, including me, were caught off guard in recent weeks by a certificate that is expiring on April 30th. I figured taking care of this shouldn’t be a big hassle, but I was wrong. VMware provided a long list of instructions for applying a workaround, which are linked below. Seemed like a lot of trouble for an internal certificate.

https://kb.vmware.com/s/article/91441?lang=en_US
https://docs.vmware.com/en/vRealize-Log-Insight/8.10/com.vmware.log-insight.administration.doc/GUID-89D2FDFC-2869-43C0-B6D6-23146DB5E4FE.html

https://docs.vmware.com/en/vRealize-Log-Insight/8.10/com.vmware.log-insight.administration.doc/GUID-C5144813-F22A-4476-9E0E-BEC5B60417BF.html

I figured VMware wouldn’t leave us all hanging, and I decided to wait to see if a patch would be released before the end of the month. I am glad I did because patch 8.12 was released on the 20th. Applying the patch resolves all of the vulnerabilities (CVE-2023-20864, CVE-2023-20865) and the upcoming expiration of the certificate. I upgraded from 8.10.2 and had no issues with the upgrade. Very fast and straightforward: take a powered-off snapshot and apply the update through the web UI. Check out the link below for the VMware KB on this update.

https://kb.vmware.com/s/article/91831

The patch also provides more. vRLI is now VMware Aria Operations for Logs within the product. Will everyone call it vAOL? I figured the name change would happen sometime soon, but I didn’t think it would happen in a small patch. There are also a few other updates. Check out the link below for the release notes.

https://docs.vmware.com/en/VMware-Aria-Operations-for-Logs/8.12/rn/vmware-aria-operations-for-logs-812-release-notes/index.html

vRealize Password Trouble

Even if you document every password you created, you may still run into password-related issues. Root password expirations are easy ones to miss, especially when you don’t know when the password is going to expire. Most vRealize products expire the root account’s password after 365 days. I recommend disabling password expiration for root and admin passwords for vRealize products if you can. Of course, still rotate the passwords. That way you are not in a tough spot if you miss the chance to easily change it. Either way, make a reminder in your PAM to change the passwords if you have a policy to rotate passwords. Below are some tips if you cannot log in to one of your vRealize products.

For example, if you are sure you are using the correct root password over SSH and it is being rejected as wrong, start by rebooting each node, one at a time. Then SSH into each node with the current password. Hopefully, you’ll be prompted that the password has expired and asked to change it. This also works for NSX Manager nodes. If it’s an account that was recently locked out, waiting about one hour worked for me in the past.

VMware has documentation for each vRealize product on resetting the root password. On appliances that use Photon OS, this generally means booting into single-user mode. The documentation also covers ways to disable password expiration.

If you are using vRealize Lifecycle Manager, make sure to update passwords in its Locker. Your accounts will lock out if you don’t do it.

Configure SMTP for everything that has the ability and set email addresses for all accounts. Password reset links are emailed out for Log Insight, so it is best to have this squared away ahead of time in case a user needs their password reset.
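For the root password expiration described above, one way to find out how many days an account has left is to read the standard shadow(5) aging fields on the appliance. This is an added example, not from the original post or VMware; the function names, the 30-day threshold in the usage comment, and the sample values are assumptions, and reading /etc/shadow requires root.

```shell
#!/bin/sh
# Added example: days until password expiry from shadow(5) aging fields.
# Line layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is in days since 1970-01-01; max is the maximum password age in days.

# days_left SHADOW_LINE TODAY_IN_EPOCH_DAYS
# Prints "never", "must-change", or an integer (negative = already expired).
days_left() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    today=$2
    # Empty lastchg: aging is disabled for this account.
    if [ -z "$lastchg" ]; then echo never; return 0; fi
    # lastchg of 0: password must be changed at next login.
    if [ "$lastchg" -eq 0 ]; then echo must-change; return 0; fi
    # Empty max, or the conventional 99999: no maximum age.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; return 0; fi
    echo $(( lastchg + max - today ))
}

# report USER WARN_DAYS [SHADOW_FILE]
# Returns 0 if fine, 1 if action is needed, 2 if the account has no entry.
report() {
    user=$1 warn=$2 file=${3:-/etc/shadow}
    today=$(( $(date +%s) / 86400 ))
    line=$(grep "^$user:" "$file") || { echo "$user: no entry found"; return 2; }
    left=$(days_left "$line" "$today")
    case $left in
        never)       echo "$user: no expiry"; return 0 ;;
        must-change) echo "$user: change required at next login"; return 1 ;;
    esac
    if [ "$left" -lt "$warn" ]; then
        echo "$user: $left days left (WARN)"; return 1
    fi
    echo "$user: $left days left"
}

# Usage on a node, as root (threshold is an assumed value):
#   report root 30
```

A non-zero return from `report` can drive a scheduled job or monitoring check, so the reminder does not depend on someone remembering the date.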

vRealize Log Insight Not Connected to vCenter Servers After Upgrade

This is just a quick article that I have been meaning to do. I upgraded my Log Insight server. After the upgrade, it wasn’t collecting logs from my vCenter Servers. I had to accept a certificate for each vCenter Server and then it worked again. The setting is in Log Insight, under Administration, then vSphere. I forgot to take a screenshot when I saw the error. Below is the location to accept the certificate.

Integration between vRealize products and vCenter Server

There is very useful integration between vRealize Operations, Log Insight, and vCenter Server. The products can be tied to each other to make them more seamless and easier to navigate. A few roles are required to be created to restrict permissions. I have the broad steps and links to the VMware articles below that detail the specific permissions and documentation. Go through the steps and then you will be able to launch in context.

As defined by VMware, launch in context is a feature in vROps that lets you launch an external application via URL in a specific context. The context is defined by the active UI element and object selection. Launch in context lets the Log Insight adapter add menu items to a number of different views within the Custom user interface and the vSphere user interface of Operations Manager.
