VMware Cloud Community
GuyTC
Enthusiast
Enthusiast
‎11-12-2013 04:19 AM

How do you disable SSL...

How do you disable SSL...in Converter 4.3

I have to migrate some Windows 2003 Servers (non R2 so I must version 4.3). Performance is slow so I want to disable SSL.

In the C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml file there is a section:

<!-- Remove the following node to disable SSL -->

<ssl>

   <!-- Private key file -->

   <privateKey>ssl/rui.key</privateKey>

   <!-- Certificate file -->

   <certificate>ssl/rui.crt</certificate>

</ssl>

So I remove the above node from the file and restart the VMware vCenter Converter Standalone Worker service. Then open Converter and click on the "Convert Machine" button I get the following error:

err1.JPG

Below is the entire unadulterated converter-worker.xml file for 4.3

<Config>

<defaultInstallPath>C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\</defaultInstallPath>

<defaultDataPath>C:\ProgramData\VMware\VMware vCenter Converter Standalone\</defaultDataPath>

<defaultLogPath>C:\ProgramData\VMware\VMware vCenter Converter Standalone\</defaultLogPath>

<defaultConfigPath>C:\ProgramData\VMware\VMware vCenter Converter Standalone\</defaultConfigPath>

<requireMntapi>true</requireMntapi>

<vmacore>

   <threadPool>

      <TaskMax>60</TaskMax>

      <IoMax>121</IoMax>

      <IoMin>1</IoMin>

      <SETermination>UnhandledExceptionFilter</SETermination>

   </threadPool>

   <impersonate>true</impersonate>

   <!--

   <useRefTracker>true</useRefTracker>

   <printRefDetails>true</printRefDetails>

   -->

</vmacore>

<plugins>

   <converter_worker>

      <path>converter-worker.dll</path>

      <!-- Remote Converter Agent TCP port number -->

      <agentSoapPort>9089</agentSoapPort>

   </converter_worker>

   <converter_agent>

      <path>converter-agent.dll</path>

      <!-- Time in milliseconds to delay between enabling write tracking in the

           bitmap driver and the start of cloning.

        -->

      <delayBetweenTrackingAndCloningMs>2000</delayBetweenTrackingAndCloningMs>

      <!-- Time in seconds Converter waits for target VM to boot in Linux P2V -->

      <linuxP2VBootTimeout>1200</linuxP2VBootTimeout>

      <!--

         Flag to indicate whether to keep the sparse files in the source in Linux P2V.

         If set to false, Converter will not preserve the sparse files

         during P2V. This will make those files take the same disk space as their size

         on the target virtual machine. And this could lead to such problems as not

         enough space in the target virtual machine or timeout error during P2V.

         If set to true, Converter will preserve the sparseness of the source files on

         the target. But this could also bring some performance penalties during the

         conversion.

      -->

      <keepSparseFile>true</keepSparseFile>

      <!--

         Flag to indicate whether to use non-root login + sudo during Linux P2V

         Normally during Linux P2V, the user needs to provide a root login to the source

         in order to query and clone it.

         However with this flag set to true, a user could provide a non-root login

         instead and Converter will use "sudo" to run priveleged commands on the

         source.

         Important to note: when using "sudo", the user has to make sure by herself that

         nothing on the source is blocking "sudo" from remote without a sudo password.

         E.g. they have to make sure no password is requrired when the non-root user is

         using "sudo". And also make sure "sudo" can be used without tty (comment out the

         line "Default requiretty" in the source's /etc/sudoers)

      -->

      <useSudo>false</useSudo>

      <!--

         Flag to indicate whether to use each task's Linux P2V source machine's

         password as the root password for the helper VM.

         Normally during Linux P2V the helper VM is inaccessible to the user, but this

         option overrides that behavior and allows the user to login to the console

         of the helper VM.

         This could be useful to retrieve logs in case of a catastrophic failure of

         the Converter HelperServer on the helper VM.  It could also be used to debug

         problems with the network of the helper VM.

         Important to note: when enabling this option it is highly recommended to

         also disable powerOffHelperVm, so that the helper VM does not disappear

         out from underneath of you when the task is finished.

      -->

      <useSourcePasswordInHelperVm>false</useSourcePasswordInHelperVm>

      <!--

         Flag to indicate whether to power off the helper VM when the Linux P2V has

         completed.

         Normally during Linux P2V the helper VM is powered off at the end of the

         cloning process, whether the task was canceled, failed, or succeeded.

         If the clone failed or was canceled prior to reaching the reconfiguration

         step, then the target VM will also be deleted.  So this flag prevents the

         target VM from being deleted as well, since you cannot delete a VM when it

         is still powered on.

         Important to note: this flag would most commonly be used in combination with

         useSourcePasswordInHelperVm to allow access to the helper VM in case of a

         failure in the helper VM.

      -->

      <powerOffHelperVm>true</powerOffHelperVm>

   </converter_agent>

   <ufa_agent>

      <path>ufa-agent.dll</path>

      <!-- General Connectivity Options -->

      <enableRemoteAccess>false</enableRemoteAccess>

      <enableNonRootAccess>false</enableNonRootAccess>

      <validatorEnabled>true</validatorEnabled>

      <!-- Soap related configuration -->

      <vmodlVersionClassName>converter.version.version2</vmodlVersionClassName>

      <soapAdapterListener>namedPipe</soapAdapterListener>

      <soapPipeName>vmware-converter-worker-soap</soapPipeName>

      <soapUseSSL>true</soapUseSSL>

   </ufa_agent>

</plugins>

<log>

   <name>vmware-converter-worker</name>

   <level>info</level>

</log>

<defaultValues>

   <maxVirtualCPUs>0</maxVirtualCPUs>

   <maxVirtualMemoryMB>0</maxVirtualMemoryMB>

   <minVolumeSizeExtraPercentage>10</minVolumeSizeExtraPercentage>

</defaultValues>

<!-- Remove the following node to disable SSL -->

<ssl>

   <!-- Private key file -->

   <privateKey>ssl/rui.key</privateKey>

   <!-- Certificate file -->

   <certificate>ssl/rui.crt</certificate>

</ssl>

<nfc>

   <readTimeoutMs>120000</readTimeoutMs>

<!-- Delay is specified in milliseconds, -1 denotes the default.

   <acceptTimeoutMs>-1</acceptTimeoutMs>

   <requestTimeoutMs>-1</requestTimeoutMs>

   <readTimeoutMs>-1</readTimeoutMs>

   <writeTimeoutMs>-1</writeTimeoutMs>

   <fssrvrTimeoutMs>-1</fssrvrTimeoutMs>

   <fssrvrWriteTimeoutMs>-1</fssrvrWriteTimeoutMs>

-->

</nfc>

</Config>

0 Kudos
4 Replies
patanassov
VMware Employee
VMware Employee
‎11-12-2013 04:46 AM

Hello

First thing - using 4.3 is not a must. 5.5 converts 2k3 sources, too (even w/o R2)

Second - 4.3 does not encrypt the data traffic by default (see Increasing the cloning performance for details). SSL encryption is not the only performance factor; check disk I/O (both on source machine and destination ESX), network throughput, other processes using the resources, etc...

Regards

Plamen

0 Kudos
EMILY32
Contributor
Contributor
‎11-12-2013 05:41 AM

Hi

Welcome to the communities.

You cannot do it on 4.3 .

and when security comes to role there must be little bit performance issue comes to screen.

Fear defeats more people than any other one thing in the world.
0 Kudos
GuyTC
Enthusiast
Enthusiast
‎11-12-2013 05:52 AM

Hi thanks for the information.....

First: You say " 5.5 converts 2k3 sources, too (even w/o R2) " but I get an "Unable to obtain hardware information from the selected machine" error when Converter 5 trys to install the agent on the source server. (dont get this error with 4.3) Also the doc for versions 5 shows only R2 support:

conpdf.JPG

Second: If 4.3 does not encrypt data by default then why is there a line in the xml file saying <!-- Remove the following node to disable SSL --> and also if you want to enable SSL in 4.3 then how do you "switch it on"

The 4.3 conversion performance I am getting is the same as what i was getting with version 5 before i switched off SSL

0 Kudos
patanassov
VMware Employee
VMware Employee
‎11-12-2013 06:22 AM

It is strange that Converter 5 gives an error. The logs may say more about that. However there are some details. The "Unable to obtain hardware information..." is an error that come from the agent, i.e. it must have been deployed first. Notice that each converter server version comes with its own agent version. So if you have already deployed another agent (e.g. 4.3), remove it before deploying 5.5.

If you do get this error with agent 5.5. deployed, please upload the agent log file for examination. It can be located on the source machine in %ALLUSERSPROFILE%\Application Data\VMware\VMware vCenter Converter Standalone\logs". (click on "Use advanced editor" to attach files in the post).

As for the SSL - the tag comment you quote is about securing the communication between converter client and server. Cloning performance is affected by (not) applying SSL to the data transfer which is controlled by the other tag I have mentioned before.

Honestly, I don't remember for sure whether data transfer can be encrypted in 4.3 (I think it can''t) but you can try tweaking the tag and check whether there is any difference. Don't forget to restart converter worker service after changing the config file.

Regards,

Plamen

0 Kudos