dewyser.net

solutions, scripting and more

Setting up the Carbon Black Workload Appliance — 14th Nov 2023


First thing is to download the OVA. Head over to VMware customer connect and download the Carbon Black Cloud Workload Protection Appliance OVA.

While downloading, in Carbon Black Cloud console under Settings > API Access > Access Levels create a custom API access level with the following permissions:

| Category | Permission Name | Notation Name | CREATE | READ | UPDATE | DELETE | EXECUTE |
|---|---|---|---|---|---|---|---|
| Appliances | Send workload assets to CBC | inventory.collector.vcenter | Yes | | | | |
| Appliances | Appliances Registration | appliances.registration | Yes | Yes | Yes | Yes | |
| Device | Sensor kits | org.kits | | | | | Yes |
| Device | Quarantine | device.quarantine | | | | | Yes |
| Device | General information | device | | Yes | | | |
| Live Query | Manage queries | livequery.manage | Yes | Yes | Yes | Yes | |
| Vulnerability | Vulnerability Assessment Data | vulnerabilityAssessment.data | | Yes | | | Yes |
| Workload Management | View Workloads without sensors | workloads.vcenter.vm | | Yes | | | |
| Workload Management | Install sensor on vCenter workload | workloads.vcenter.vm_sensor_install | | | | | Yes |

Next thing in Carbon Black Cloud console under Settings > API Access > API Keys is to create an API key using the above access level. Save the information together with the ORG KEY that you find on the same page.

Hopefully by now the download has finished. Head over to vCenter, deploy the OVA and supply passwords for both the root and admin accounts. Depending on your network infrastructure, fill in the network information or leave it blank for DHCP.

After deployment power on the appliance, fill in credentials and log in to the appliance.

The appliance is online but it still lacks communication with VMware vCenter and Carbon Black Cloud. Head to Appliance > Registration and provide the vCenter information and the API information for the connection to the Carbon Black Cloud console.

If you have done everything correctly, it should all be green in the dashboard.

However, if, like me, you messed up the IP configuration, go to the VM console, change the IP information using the command below and reboot the appliance.

/opt/vmware/share/vami/vami_set_network eth0 STATICV4 <ip> <mask> <gateway>

Certificates (in the home lab) made easy – renewing esxi certificates — 25th Aug 2023


You could do this manually using the vCenter GUI:

Select a host and go to Configure > Certificate. There you have the option to first refresh and then renew the certificate. Now that your vCenter is an issuing certificate authority with our custom certificates, it will issue certificates using the template we configured two steps back.

Another option, and certainly the preferred one if you have several hosts, is to do this with PowerCLI:

$CertificateManager = Get-View -id (Get-View ServiceInstance).Content.CertificateManager

Get-VMHost | ForEach-Object -Process {$CertificateManager.CertMgrRefreshCACertificatesAndCRLs($_.id)}

Get-VMHost | ForEach-Object -Process {$CertificateManager.CertMgrRefreshCertificates($_.id)}

Now you'll see that if you visit the ESXi servers, they also have a valid certificate.
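Rather than visiting every host in a browser, the check below pulls the certificate each ESXi host actually serves on TCP/443 and reports issuer and remaining validity. This is an added example, not the post's own script; it assumes an existing Connect-VIServer session, and the issuer CN is a placeholder you replace with the name of your issuing CA.

```powershell
# Added example: verify what each ESXi host presents on 443 after the refresh above.
# Assumes an active PowerCLI session (Connect-VIServer already done).
$expectedIssuerCN = 'LAB-ISSUING-CA-PLACEHOLDER'   # placeholder: CN of your issuing CA
$minDaysLeft      = 30

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain here: we want to inspect what the host serves, not trust it yet.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$report = foreach ($vmhost in Get-VMHost) {
    $cert = Get-RemoteCertificate -HostName $vmhost.Name
    # Pull the CN out of the issuer DN ("CN=..., O=..., C=...").
    $issuerCN = ($cert.Issuer -split ',' | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Host       = $vmhost.Name
        Subject    = $cert.Subject
        IssuerCN   = $issuerCN
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Thumbprint = $cert.Thumbprint
        Ok         = ($issuerCN -eq $expectedIssuerCN) -and ($daysLeft -ge $minDaysLeft)
    }
}

# Hosts still serving the old self-signed certificate show Ok = False.
$report | Format-Table -AutoSize
```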

Certificates (in the home lab) made easy – running vCenter Certificate Manager — 24th Aug 2023


Next is running vCenter Certificate Manager to replace the certificates. Log into the vCenter Appliance using SSH, run the following command and select option 2 to replace the VMCA root certificate with a custom signing certificate and replace all certificates.

/usr/lib/vmware-vmca/bin/certificate-manager

Select Yes to generate all certificates using the configuration file. Supply credentials and input values:

Use option 2 to import custom certificate(s) and key(s). Provide the file locations of the two files:

Continue the operation with option Y and wait for completion:

Certificates (in the home lab) made easy – vCenter preparation


Next we will set some advanced parameters in our vCenter appliance using PowerCLI. Below are the parameters that need to be changed:

  • vpxd.certmgmt.certs.cn.country
  • vpxd.certmgmt.certs.cn.email
  • vpxd.certmgmt.certs.cn.localityName
  • vpxd.certmgmt.certs.cn.organizationalUnitName
  • vpxd.certmgmt.certs.cn.organizationName
  • vpxd.certmgmt.certs.cn.state
  • vpxd.certmgmt.certs.daysValid
  • vpxd.certmgmt.certs.minutesBefore

If the vCenter appliance currently has an untrusted certificate we need to change the invalid-certificate action so that we can connect to the vCenter:

Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Confirm:$false

Next we can connect to the vCenter using the following PowerCLI command:

connect-VIServer vc-01.dewyser.lab

If the connection is successful you will receive output showing the name, port and username.

With the following command you can retrieve the current values for the parameters specified above:

Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.*

Next set the parameters to the correct values:

Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.country | Set-AdvancedSetting -Value 'BE' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.email | Set-AdvancedSetting -Value 'info@dewyser.lab' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.localityName | Set-AdvancedSetting -Value 'Diksmuide' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.organizationalUnitName | Set-AdvancedSetting -Value 'IT Infrastructure' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.organizationName | Set-AdvancedSetting -Value 'dewyser.lab' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.cn.state | Set-AdvancedSetting -Value 'West-Vlaanderen' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.daysValid | Set-AdvancedSetting -Value '397' -Confirm:$false
Get-AdvancedSetting -Entity vc-01.dewyser.lab -Name vpxd.certmgmt.certs.minutesBefore | Set-AdvancedSetting -Value '5' -Confirm:$false

Check the values again using the wildcard command above to confirm the changes have been applied. The output should look like this:

If the values are set we are ready for the next part.
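The eight Set-AdvancedSetting lines above can be driven from one table and verified in the same run, so that a typo in a value is caught before certificate-manager bakes it into every certificate. This is an added example, not the post's own script; it uses the same FQDN and values as the post and assumes PowerCLI is installed.

```powershell
# Added example: apply the vpxd.certmgmt.certs.* values from one table and read them
# back, reporting anything that still differs. Same host and values as the post.
$vc = 'vc-01.dewyser.lab'

$expected = @{
    'vpxd.certmgmt.certs.cn.country'                = 'BE'
    'vpxd.certmgmt.certs.cn.email'                  = 'info@dewyser.lab'
    'vpxd.certmgmt.certs.cn.localityName'           = 'Diksmuide'
    'vpxd.certmgmt.certs.cn.organizationalUnitName' = 'IT Infrastructure'
    'vpxd.certmgmt.certs.cn.organizationName'       = 'dewyser.lab'
    'vpxd.certmgmt.certs.cn.state'                  = 'West-Vlaanderen'
    'vpxd.certmgmt.certs.daysValid'                 = '397'
    'vpxd.certmgmt.certs.minutesBefore'             = '5'
}

# Only needed while vCenter still presents the untrusted certificate. Session scope
# keeps the Ignore setting out of the user profile, so it stops applying afterwards.
Set-PowerCLIConfiguration -Scope Session -InvalidCertificateAction Ignore -Confirm:$false | Out-Null
$null = Connect-VIServer -Server $vc

$current = Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.certs.*'

foreach ($name in $expected.Keys) {
    $setting = $current | Where-Object { $_.Name -eq $name }
    if (-not $setting) { Write-Warning "Setting $name not found on $vc"; continue }
    if ([string]$setting.Value -ne $expected[$name]) {
        Write-Host "Updating $name : '$($setting.Value)' -> '$($expected[$name])'"
        $setting | Set-AdvancedSetting -Value $expected[$name] -Confirm:$false | Out-Null
    }
}

# Re-read from vCenter rather than trusting the objects we just modified.
$mismatch = Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.certs.*' |
    Where-Object { $expected.ContainsKey($_.Name) -and [string]$_.Value -ne $expected[$_.Name] } |
    Select-Object Name, Value

if ($mismatch) { $mismatch | Format-Table -AutoSize }
else           { Write-Host "All vpxd.certmgmt.certs.* values match the expected table." }

Disconnect-VIServer -Server $vc -Confirm:$false
```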

Certificates (in the home lab) made easy – moving the chain and the key into vCenter appliance


For the next part we need two files: the chain.pem file from the previous part and the private key of the issuing certificate authority.

If we go back to our pfSense administrator console and head to System > Certificate Manager, under CAs we find the certificate of our issuing authority.

Using the key icon, marked in red in the image above, we can export the private key of this certificate. Keep it safe, as this key allows the signing of new certificates.

Now we need to copy these two files to our vCenter Appliance. On macOS this can be done with scp using the following commands:

scp ./chain.pem root@vc-01.dewyser.lab:/tmp/chain.pem
scp ./issuing.key root@vc-01.dewyser.lab:/tmp/issuing.key

With a successful copy we are ready for the next part.

Note: depending on your security settings you may need to enable SSH and the bash shell on your vCenter appliance. You can do this through the VMware Appliance Management Interface (VAMI) at https://vcenter-fqdn:5480/
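Before the two files go to /tmp on the appliance, it is worth confirming that issuing.key really belongs to one of the certificates in chain.pem, since certificate-manager will otherwise fail part-way through the replacement. This is an added example, not part of the post; it assumes the two file names from the post and an openssl binary on the PATH.

```powershell
# Added example: check that issuing.key is the private key of a certificate in chain.pem.
# Assumes ./chain.pem and ./issuing.key as in the scp commands above, plus openssl on PATH.
$chainFile = './chain.pem'
$keyFile   = './issuing.key'

# Public key derived from the private key, joined to one string for comparison.
$keyPub = (& openssl pkey -in $keyFile -pubout 2>$null) -join "`n"
if ($LASTEXITCODE -ne 0 -or -not $keyPub) { throw "Cannot read a private key from $keyFile" }

# chain.pem may hold more than one certificate (issuing CA plus root); split it up.
$pemText = Get-Content -Raw $chainFile
$certs = [regex]::Matches($pemText, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----') |
    ForEach-Object { $_.Value }
if (-not $certs) { throw "No certificates found in $chainFile" }

$index = 0
$match = $null
foreach ($pem in $certs) {
    $index++
    $subject = (($pem | & openssl x509 -noout -subject) -join '') -replace '^subject=\s*', ''
    $certPub = ($pem | & openssl x509 -noout -pubkey) -join "`n"
    $isCa    = (($pem | & openssl x509 -noout -ext basicConstraints) -join '') -match 'CA:TRUE'
    "$index. $subject  (CA: $isCa)"
    if ($certPub -eq $keyPub) { $match = $subject }
}

if ($match) { "issuing.key matches certificate: $match" }
else        { Write-Error "issuing.key does not match any certificate in $chainFile" }
```

The matching certificate should be the issuing CA (CA: True) exported from pfSense, not the root.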