4 Replies Latest reply on Nov 12, 2013 6:22 AM by Plamen

    How do you disable SSL...

    GuyTC Novice

      How do you disable SSL...in Converter 4.3

       

      I have to migrate some Windows 2003 Servers (non R2, so I must use version 4.3). Performance is slow, so I want to disable SSL.

       

      In the C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml file there is a section:

       

      <!-- Remove the following node to disable SSL -->

      <ssl>

         <!-- Private key file -->

         <privateKey>ssl/rui.key</privateKey>

         <!-- Certificate file -->

         <certificate>ssl/rui.crt</certificate>

      </ssl>

       

      So I remove the above node from the file and restart the VMware vCenter Converter Standalone Worker service. Then, when I open Converter and click on the "Convert Machine" button, I get the following error:

      err1.JPG

       

      Below is the entire unadulterated converter-worker.xml file for 4.3

       

      <Config>

       

      <defaultInstallPath>C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\</defaultInstallPath>

      <defaultDataPath>C:\ProgramData\VMware\VMware vCenter Converter Standalone\</defaultDataPath>

      <defaultLogPath>C:\ProgramData\VMware\VMware vCenter Converter Standalone\</defaultLogPath>

      <defaultConfigPath>C:\ProgramData\VMware\VMware vCenter Converter Standalone\</defaultConfigPath>

      <requireMntapi>true</requireMntapi>

       

      <vmacore>

         <threadPool>

            <TaskMax>60</TaskMax>

            <IoMax>121</IoMax>

            <IoMin>1</IoMin>

            <SETermination>UnhandledExceptionFilter</SETermination>

         </threadPool>

         <impersonate>true</impersonate>

         <!--

         <useRefTracker>true</useRefTracker>

         <printRefDetails>true</printRefDetails>

         -->

      </vmacore>

       

      <plugins>

         <converter_worker>

            <path>converter-worker.dll</path>

       

            <!-- Remote Converter Agent TCP port number -->

            <agentSoapPort>9089</agentSoapPort>

         </converter_worker>

       

         <converter_agent>

            <path>converter-agent.dll</path>

       

            <!-- Time in milliseconds to delay between enabling write tracking in the

                 bitmap driver and the start of cloning.

              -->

            <delayBetweenTrackingAndCloningMs>2000</delayBetweenTrackingAndCloningMs>

       

            <!-- Time in seconds Converter waits for target VM to boot in Linux P2V -->

            <linuxP2VBootTimeout>1200</linuxP2VBootTimeout>

       

            <!--

               Flag to indicate whether to keep the sparse files in the source in Linux P2V.

       

               If set to false, Converter will not preserve the sparse files

               during P2V. This will make those files take the same disk space as their size

               on the target virtual machine. And this could lead to such problems as not

               enough space in the target virtual machine or timeout error during P2V.

       

               If set to true, Converter will preserve the sparseness of the source files on

               the target. But this could also bring some performance penalties during the

               conversion.

            -->

            <keepSparseFile>true</keepSparseFile>

       

            <!--

               Flag to indicate whether to use non-root login + sudo during Linux P2V

       

               Normally during Linux P2V, the user needs to provide a root login to the source

               in order to query and clone it.

               However with this flag set to true, a user could provide a non-root login

               instead and Converter will use "sudo" to run privileged commands on the

               source.

               Important to note: when using "sudo", the user has to make sure by herself that

               nothing on the source is blocking "sudo" from remote without a sudo password.

               E.g. they have to make sure no password is required when the non-root user is

               using "sudo". And also make sure "sudo" can be used without tty (comment out the

               line "Default requiretty" in the source's /etc/sudoers)

            -->

            <useSudo>false</useSudo>

       

            <!--

               Flag to indicate whether to use each task's Linux P2V source machine's

               password as the root password for the helper VM.

       

               Normally during Linux P2V the helper VM is inaccessible to the user, but this

               option overrides that behavior and allows the user to login to the console

               of the helper VM.

               This could be useful to retrieve logs in case of a catastrophic failure of

               the Converter HelperServer on the helper VM.  It could also be used to debug

               problems with the network of the helper VM.

       

               Important to note: when enabling this option it is highly recommended to

               also disable powerOffHelperVm, so that the helper VM does not disappear

               out from underneath of you when the task is finished.

            -->

            <useSourcePasswordInHelperVm>false</useSourcePasswordInHelperVm>

       

            <!--

               Flag to indicate whether to power off the helper VM when the Linux P2V has

               completed.

       

               Normally during Linux P2V the helper VM is powered off at the end of the

               cloning process, whether the task was canceled, failed, or succeeded.

               If the clone failed or was canceled prior to reaching the reconfiguration

               step, then the target VM will also be deleted.  So this flag prevents the

               target VM from being deleted as well, since you cannot delete a VM when it

               is still powered on.

       

               Important to note: this flag would most commonly be used in combination with

               useSourcePasswordInHelperVm to allow access to the helper VM in case of a

               failure in the helper VM.

            -->

            <powerOffHelperVm>true</powerOffHelperVm>

         </converter_agent>

       

         <ufa_agent>

            <path>ufa-agent.dll</path>

       

            <!-- General Connectivity Options -->

            <enableRemoteAccess>false</enableRemoteAccess>

            <enableNonRootAccess>false</enableNonRootAccess>

            <validatorEnabled>true</validatorEnabled>

       

            <!-- Soap related configuration -->

            <vmodlVersionClassName>converter.version.version2</vmodlVersionClassName>

            <soapAdapterListener>namedPipe</soapAdapterListener>

            <soapPipeName>vmware-converter-worker-soap</soapPipeName>

            <soapUseSSL>true</soapUseSSL>

       

         </ufa_agent>

       

      </plugins>

       

      <log>

         <name>vmware-converter-worker</name>

         <level>info</level>

      </log>

       

      <defaultValues>

         <maxVirtualCPUs>0</maxVirtualCPUs>

         <maxVirtualMemoryMB>0</maxVirtualMemoryMB>

         <minVolumeSizeExtraPercentage>10</minVolumeSizeExtraPercentage>

      </defaultValues>

       

      <!-- Remove the following node to disable SSL -->

      <ssl>

         <!-- Private key file -->

         <privateKey>ssl/rui.key</privateKey>

         <!-- Certificate file -->

         <certificate>ssl/rui.crt</certificate>

      </ssl>

       

      <nfc>

         <readTimeoutMs>120000</readTimeoutMs>

      <!-- Delay is specified in milliseconds, -1 denotes the default.

         <acceptTimeoutMs>-1</acceptTimeoutMs>

         <requestTimeoutMs>-1</requestTimeoutMs>

         <readTimeoutMs>-1</readTimeoutMs>

         <writeTimeoutMs>-1</writeTimeoutMs>

         <fssrvrTimeoutMs>-1</fssrvrTimeoutMs>

         <fssrvrWriteTimeoutMs>-1</fssrvrWriteTimeoutMs>

      -->

      </nfc>

       

      </Config>

        • 1. Re: How do you disable SSL...
          Plamen Master
          VMware Employees

          Hello

           

          First thing - using 4.3 is not a must. 5.5 converts 2k3 sources, too (even w/o R2)

          Second - 4.3 does not encrypt the data traffic by default (see Increasing the cloning performance for details). SSL encryption is not the only performance factor; check disk I/O (both on source machine and destination ESX), network throughput, other processes using the resources, etc...

           

          Regards

          Plamen

          • 2. Re: How do you disable SSL...
            EMILY32 Novice

            Hi

             

            Welcome to the communities.

            You cannot do it on 4.3.

             

            And when security comes into play, there must be a little bit of a performance issue that comes up.

            Fear defeats more people than any other one thing in the world.
            • 3. Re: How do you disable SSL...
              GuyTC Novice

              Hi thanks for the information.....

              First: You say "5.5 converts 2k3 sources, too (even w/o R2)" but I get an "Unable to obtain hardware information from the selected machine" error when Converter 5 tries to install the agent on the source server (I don't get this error with 4.3). Also, the doc for version 5 shows only R2 support:

              conpdf.JPG

               

              Second: If 4.3 does not encrypt data by default, then why is there a line in the xml file saying <!-- Remove the following node to disable SSL -->? Also, if you want to enable SSL in 4.3, how do you "switch it on"?

              The 4.3 conversion performance I am getting is the same as what I was getting with version 5 before I switched off SSL.

              • 4. Re: How do you disable SSL...
                Plamen Master
                VMware Employees

                It is strange that Converter 5 gives an error. The logs may say more about that. However, there are some details. The "Unable to obtain hardware information..." is an error that comes from the agent, i.e. it must have been deployed first. Notice that each converter server version comes with its own agent version. So if you have already deployed another agent (e.g. 4.3), remove it before deploying 5.5.

                If you do get this error with agent 5.5 deployed, please upload the agent log file for examination. It can be located on the source machine in "%ALLUSERSPROFILE%\Application Data\VMware\VMware vCenter Converter Standalone\logs" (click on "Use advanced editor" to attach files in the post).

                 

                As for the SSL - the tag comment you quote is about securing the communication between converter client and server. Cloning performance is affected by (not) applying SSL to the data transfer which is controlled by the other tag I have mentioned before.

                Honestly, I don't remember for sure whether data transfer can be encrypted in 4.3 (I think it can't) but you can try tweaking the tag and check whether there is any difference. Don't forget to restart converter worker service after changing the config file.

                 

                Regards,

                Plamen
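
The following is an added example, not part of the original thread and not VMware code: a small audit that reads a converter-worker.xml after it has been hand-edited and reports where the security-relevant settings differ from the 4.3 file posted above. The sample input is constructed, the `audit` function and `SHIPPED` table are hypothetical names, and only element names that appear in the posted file are used.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed, hand-edited converter-worker.xml that uses
# only element names present in the file posted in this thread.
SAMPLE = """<Config>
  <plugins>
    <converter_agent>
      <useSudo>false</useSudo>
      <useSourcePasswordInHelperVm>true</useSourcePasswordInHelperVm>
    </converter_agent>
    <ufa_agent>
      <enableRemoteAccess>false</enableRemoteAccess>
      <soapUseSSL>true</soapUseSSL>
    </ufa_agent>
  </plugins>
  <!-- <ssl><privateKey>ssl/rui.key</privateKey></ssl> -->
</Config>"""

# Element path -> value found in the 4.3 file posted above.
SHIPPED = {
    "plugins/ufa_agent/soapUseSSL": "true",
    "plugins/ufa_agent/enableRemoteAccess": "false",
    "plugins/ufa_agent/enableNonRootAccess": "false",
    "plugins/converter_agent/useSudo": "false",
    "plugins/converter_agent/useSourcePasswordInHelperVm": "false",
}

def audit(xml_text):
    """Return findings where the config departs from the posted 4.3 file."""
    # The default parser drops comments, so a commented-out node counts as absent.
    root = ET.fromstring(xml_text)
    findings = []
    ssl = root.find("ssl")
    if ssl is None:
        findings.append("ssl node absent")
    else:
        for child in ("privateKey", "certificate"):
            if not (ssl.findtext(child) or "").strip():
                findings.append(f"ssl/{child} missing or empty")
    for path, shipped in SHIPPED.items():
        value = root.findtext(path)
        if value is None:
            findings.append(f"{path} not set (posted file has {shipped})")
        elif value.strip().lower() != shipped:
            findings.append(f"{path} = {value.strip()} (posted file has {shipped})")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Running it against the real file before and after an edit gives a record of exactly which settings changed, which is useful when a change such as removing the `<ssl>` node is later followed by an error.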