VMware Cloud Community
MarcBouchard
Enthusiast

Configuring VAMI with PowerShell

I am working on scripts to extract VCSA VAMI settings and ensure all of our deployments are consistent. 

I'm trying to figure out how to get the status of the "Password Expiration Settings" value and to disable/enable it depending on the corporate policy.

Any insight would be appreciated!

Thanks,

Marc

12 Replies
MarcBouchard
Enthusiast

Forgot to mention: Running VCSA 6.7U1

LucD
Leadership

Afaik, you can only do this via the CLI through an SSH session.
I use the Posh-SSH module to have SSH functionality.

I get the credentials for the VAMI REST API and the VAMI SSH access via the VICredentialStore, which I use as a credentials repository.

$vamiHostName = 'vcsa.mylocal.lab'
$vamiStoreName = 'vami'

$cmd = @'
shell
chage -l root
'@

# Get the VAMI REST API credentials
$vamiSSOStore = Get-VICredentialStoreItem -Host $vamiHostName
$secPswd = ConvertTo-SecureString $vamiSSOStore.Password -AsPlainText -Force
$vamiSSOCred = New-Object System.Management.Automation.PSCredential ($vamiSSOStore.User, $secPswd)

# Get the VAMI SSH credentials
$vamiStore = Get-VICredentialStoreItem -Host $vamiStoreName
$secPswd = ConvertTo-SecureString $vamiStore.Password -AsPlainText -Force
$vamiCred = New-Object System.Management.Automation.PSCredential ($vamiStore.User, $secPswd)

# Check if SSH is enabled
Connect-CisServer -Server $vamiHostName -Credential $vamiSSOCred | Out-Null
$sshService = Get-CisService -Name com.vmware.appliance.access.ssh
$sshEnabled = $sshService.get()
Disconnect-CisServer -Server $vamiHostName -Confirm:$false

# Fetch the password expiration settings
if($sshEnabled){
    $session = New-SSHSession -ComputerName $vamiHostName -Credential $vamiCred -AcceptKey
    $result = Invoke-SSHCommand -SSHSession $session -Command $cmd
    Remove-SSHSession -SSHSession $session | Out-Null
    $result.Output
}
else{
    Write-Output "SSH is not enabled"
}

The output is something like this

[Image: vami-password.jpg]


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

MarcBouchard
Enthusiast

Thanks Luc. I was trying to do this with a built-in way, not really hacking my way through a workaround using SSH...

That's the 2nd request I post that you answered where there is no built-in API for what I'm looking for. Sucks that they can't build a complete API 😞 How many settings are there in the VAMI? Not that many, so it shouldn't be that hard to provide APIs for these functions. Even better, I used the JSON answer files to deploy the vCenters, why aren't there configuration options for all settings for the appliance in there?

VMware has done very good things in many aspects but I feel they're cutting corners in some areas. And with SDDC/Automation/DevOps/ConfigAsCode, I wish they would make these things available sooner rather than later!

Thanks again!

LucD
Leadership

They, VMW, are still developing the REST API, while in parallel maintaining the SOAP API, and with each vSphere release new features are being added.

I suspect it is a matter of time and resources.

So my solution does not work for you, or is not acceptable for you I gather?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

MarcBouchard
Enthusiast

I'm writing a script that reads various settings and creates a custom object with the result to give me a summary of the settings I want to manage. I'd have to filter out the result and search through the text etc... I also need to be able to update/change that setting if it's not compliant with what we want. I was hoping for a REST/SOAP get/set type of option...

Thanks for your time and effort 🙂 

LucD
Leadership

I just provided the raw text that is returned, filtering out the actual data is not a big deal in PowerShell.
But no, no API for this afaik.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
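
One way to do the filtering mentioned above and build the kind of summary object asked for earlier in the thread, as an added example that is not part of the original posts. The sample text is constructed, and the property names and the 90-day policy are assumptions; in the script above the function would be fed `$result.Output`.

```powershell
function ConvertFrom-ChageOutput {
    param([Parameter(Mandatory)][string[]]$Text)
    # Labels printed by chage -> property names (property names chosen for this example)
    $map = @{
        'Last password change'                              = 'LastChange'
        'Password expires'                                  = 'PasswordExpires'
        'Password inactive'                                 = 'PasswordInactive'
        'Account expires'                                   = 'AccountExpires'
        'Minimum number of days between password change'    = 'MinDays'
        'Maximum number of days between password change'    = 'MaxDays'
        'Number of days of warning before password expires' = 'WarnDays'
    }
    $inv   = [cultureinfo]::InvariantCulture
    $none  = [System.Globalization.DateTimeStyles]::None
    $props = [ordered]@{}
    foreach ($line in ($Text -split '\r?\n')) {
        # Split on the first colon only; banner and prompt lines carry no known label
        $label, $value = $line -split ':', 2
        if ($null -eq $value) { continue }
        $name = $map[$label.Trim()]
        if (-not $name) { continue }
        $value = $value.Trim()
        $date  = [datetime]::MinValue
        $props[$name] = if ($value -match '^-?\d+$') {
            [int]$value
        } elseif ([datetime]::TryParse($value, $inv, $none, [ref]$date)) {
            $date
        } else {
            $value   # e.g. 'never' or 'password must be changed'
        }
    }
    [pscustomobject]$props
}

# Constructed sample of `chage -l root` output, not captured from a real appliance
$sample = @'
Last password change                                    : Sep 10, 2018
Password expires                                        : Dec 09, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
'@

$settings = ConvertFrom-ChageOutput -Text $sample
$policyMaxDays = 90   # hypothetical policy: root password must expire within 90 days
$settings | Add-Member -NotePropertyName Compliant -NotePropertyValue ($settings.MaxDays -in 1..$policyMaxDays)
$settings
```

An account with expiration disabled reports a maximum of 99999 days (or -1) and `Password expires : never`, so it falls outside the 1..90 range and is flagged as non-compliant under this policy.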

sully7404
Contributor

Is there a way to set the root password for the vCenter appliance's VAMI via PowerCLI? I'm trying to set all of my vCenter appliances' root passwords to the same password at the same time, instead of having to log in to each VAMI.

LucD
Leadership

Afaik only via that same method (SSH) I provided earlier in this thread.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

RonaldMartens
Contributor

Did you already find a way to update your VAMI appliances' passwords through PowerCLI?

I'm curious if you found a way with the API or not.

LucD
Leadership

When you have the latest PowerCLI version, with the VMware.Sdk auto-generated modules, you can use the REST API rather straightforwardly.

For example, I now change the password for the root account on my VCSA like this:

$vcsaFQDN = 'vcsa.domain'
$vcsaUser = 'administrator@vsphere.local'
$oldPswd = '<old password>'
$newPswd = '<new password>'

# VCSA credentials are retrieved via VICredentialStore,
# but any method to get the credentials will work

$viCred = Get-VICredentialStoreItem -Host $vcsaFQDN -User $vcsaUser
$cred = New-Object -TypeName PSCredential -ArgumentList $vcsaUser,(ConvertTo-SecureString -String $viCred.Password -AsPlainText -Force)

Connect-VIServer -Server $vcsaFQDN -Credential $cred

$rootUpd = Initialize-LocalAccountsUpdateConfig -Password $newPswd -OldPassword $oldPswd
Invoke-UpdateUsernameLocalAccounts -LocalAccountsUpdateConfig $rootUpd -Username 'root'

Disconnect-VIServer -Server $vcsaFQDN -Confirm:$false

 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

RonaldMartens
Contributor

Thanks @LucD, I'll give that a go!
