vRealize Orchestrator – Manage Host Lockdown Mode and SSH Service

A high security standard rarely makes daily operational tasks easier, but it is nevertheless necessary for a VMware enterprise environment. Tools like VMware vRealize Orchestrator or VMware vRealize Operations Manager can support those daily operational tasks. This article shows how to manage Host Lockdown Mode and the SSH Service with vRealize Orchestrator workflows. To make these workflows easily accessible, the vCenter Server extension is a great setup.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension

If your environment follows the VMware Security Hardening Guides, the SSH Service should be disabled and Lockdown Mode enabled on all ESXi hosts.

How to manage Host Lockdown Mode and SSH Service

In the vSphere WebClient, two separate steps are needed to enable SSH access to an ESXi host:

  1. Disable Lockdown Mode
  2. Start SSH Service

Once the work that required SSH is finished, the SSH Service needs to be disabled and Lockdown Mode enabled again to keep the environment secure. This is a great use case for a vRealize Orchestrator workflow that makes daily operations more efficient!

vRealize Orchestrator Workflow

I have decided to create two different workflows for Enable and Disable, even though a single workflow with an additional input might be more efficient. In my opinion, dedicated workflows are more transparent in the vCenter Server extension.

Enable SSH (and disable Lockdown)

Manage Host Lockdown Mode and SSH Service - Enable SSH and disable Lockdown

Scriptable task – Disable Lockdown

Input: hostSystem – VC:HostSystem

Scriptable task – Enable SSH

Input: hostSystem – VC:HostSystem
Input: serviceAction – string “start”
Input: serviceName – string “TSM-SSH”

External Source: Manage Services on your ESXi Hosts with vCO by Burke Azbill

Disable SSH (and enable Lockdown)

Manage Host Lockdown Mode and SSH Service - Disable SSH and enable Lockdown

Scriptable task – Enable Lockdown

Input: hostSystem – VC:HostSystem

Scriptable task – Disable SSH

Input: hostSystem – VC:HostSystem
Input: serviceAction – string “stop”
Input: serviceName – string “TSM-SSH”

External Source: Manage Services on your ESXi Hosts with vCO by Burke Azbill
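The logic of the four scriptable tasks above, as an added example that is not the article's or Burke Azbill's code: one ES5 function taking the same hostSystem, serviceAction and serviceName inputs, running the steps in the order the two workflows require (leave lockdown before starting SSH, stop SSH before entering lockdown), with a constructed mock host so it runs offline in Node. The names `isInLockdown`, `findService`, `manageHostAccess` and `mockHost` are mine, and the lockdownMode comparison assumes vSphere 6.0 or later.

```javascript
// Added example, not the article's code: both scriptable tasks as one ES5 function
// (runs in Node and in vRO's Rhino). In vRO the VC:HostSystem input replaces the
// constructed mock below. Calls are the vCenter plug-in wrappers of the vSphere API:
// enterLockdownMode/exitLockdownMode and serviceSystem.startService/stopService.
var SSH_SERVICE = "TSM-SSH";

function isInLockdown(host) {
  // Assumption: HostConfigInfo.lockdownMode (vSphere 6.0+); normal or strict both count.
  return String(host.config.lockdownMode) !== "lockdownDisabled";
}

function findService(host, serviceName) {
  var services = host.configManager.serviceSystem.serviceInfo.service;
  for (var i = 0; i < services.length; i++) {
    if (services[i].key === serviceName) { return services[i]; }
  }
  throw new Error("Service " + serviceName + " not found on " + host.name);
}

// "start": leave lockdown first, then start SSH (Enable SSH workflow).
// "stop": stop SSH first, then enter lockdown (Disable SSH workflow).
// State checks make the run idempotent: a host already in the target state is left alone.
function manageHostAccess(host, serviceAction, serviceName) {
  var name = serviceName || SSH_SERVICE;
  var svc = findService(host, name);
  var serviceSystem = host.configManager.serviceSystem;
  if (serviceAction === "start") {
    if (isInLockdown(host)) { host.exitLockdownMode(); }
    if (!svc.running) { serviceSystem.startService(name); }
  } else if (serviceAction === "stop") {
    if (svc.running) { serviceSystem.stopService(name); }
    if (!isInLockdown(host)) { host.enterLockdownMode(); }
  } else {
    throw new Error("serviceAction must be 'start' or 'stop', got: " + serviceAction);
  }
  return { lockdown: isInLockdown(host), serviceRunning: findService(host, name).running };
}

// Constructed mock of a hardened host (lockdown on, SSH stopped) for offline runs.
function mockHost() {
  var services = [{ key: "TSM-SSH", running: false }, { key: "TSM", running: false }];
  var host = { name: "esxi01.example.local", config: { lockdownMode: "lockdownNormal" } };
  host.enterLockdownMode = function () { host.config.lockdownMode = "lockdownNormal"; };
  host.exitLockdownMode = function () { host.config.lockdownMode = "lockdownDisabled"; };
  host.configManager = { serviceSystem: {
    serviceInfo: { service: services },
    startService: function (id) { findService(host, id).running = true; },
    stopService: function (id) { findService(host, id).running = false; }
  } };
  return host;
}
```

In a vRO scriptable task the body reduces to the `start` or `stop` branch with the workflow inputs bound directly; the mock exists only so the ordering and idempotency can be exercised outside vCenter.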

vCenter Server Integration

The vCenter Server extension integrates vRealize Orchestrator workflows neatly into the vCenter WebClient UI.

Context menu on host level:

The vCenter Server extension makes it possible to assign existing workflows to each type of inventory object. I have enabled both workflows to manage Host Lockdown Mode and SSH Service on the host level.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Context menu

Workflow parameters:

The vCenter WebClient UI shows the same inputs as vRealize Orchestrator. In this case, the hostSystem input is filled in automatically from the selected host.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Workflow parameters

Workflow scheduling:

The selected workflow can either be executed immediately or run on a schedule.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Run Now

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Schedule
