vRealize Orchestrator – Manage Host Lockdown Mode and SSH Service

Most of the time, a high security standard does not make your daily operation tasks easier, but it is nevertheless necessary for a VMware enterprise environment. You can support the daily operation tasks with tools like VMware vRealize Orchestrator or VMware vRealize Operations Manager. This article shows how to manage Host Lockdown Mode and the SSH Service with vRealize Orchestrator workflows. To make these workflows easily accessible, the vCenter Server extension is a great setup.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension

If your environment follows the VMware Security Hardening Guides, the SSH Service should be disabled and Lockdown Mode enabled on all ESXi hosts.

How to manage Host Lockdown Mode and SSH Service

In the vSphere WebClient two different steps need to be done to enable SSH access to the ESXi hosts:

  1. Disable Lockdown Mode
  2. Start SSH Service

When whatever needed to be done via SSH is finished, the SSH Service needs to be disabled and Lockdown Mode enabled again to keep the environment secure. This is a great example for a vRealize Orchestrator workflow that makes daily operation more efficient!
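Because the hardening baseline applies to every host, a regular check that nothing was left open after such a maintenance window is as useful as the workflows themselves. The following audit is an added example, not code from the original post: it is written in the same JavaScript the scriptable tasks use, but the host objects are constructed stand-ins that copy only the VC:HostSystem properties the tasks read (config.lockdownMode.value and configManager.serviceSystem.serviceInfo.service), so it runs outside vRO; it also goes one step past the post by checking the TSM-SSH startup policy, which would bring SSH back with every host boot.

```javascript
// Added example; the hosts below are constructed stand-ins, not real VC:HostSystem objects.
const SSH_SERVICE_KEY = "TSM-SSH";
const KNOWN_MODES = ["lockdownDisabled", "lockdownNormal", "lockdownStrict"];
// Returns one host's deviations from the baseline (Lockdown Mode on, TSM-SSH off).
function auditHost(hostSystem) {
  const findings = [];
  const mode = hostSystem.config.lockdownMode.value;
  if (mode === "lockdownDisabled") {
    findings.push("Lockdown Mode is disabled");
  } else if (KNOWN_MODES.indexOf(mode) === -1) {
    findings.push("unexpected lockdownMode value: " + mode);
  }
  const services = hostSystem.configManager.serviceSystem.serviceInfo.service;
  const ssh = services.filter(function (svc) { return svc.key === SSH_SERVICE_KEY; })[0];
  if (!ssh) {
    findings.push("service " + SSH_SERVICE_KEY + " not found");
  } else {
    if (ssh.running) {
      findings.push(SSH_SERVICE_KEY + " is running");
    }
    // Startup policy "on" brings SSH back with every host boot, even if it was stopped once.
    if (ssh.policy === "on") {
      findings.push(SSH_SERVICE_KEY + " startup policy is 'on'");
    }
  }
  return { host: hostSystem.name, compliant: findings.length === 0, findings: findings };
}

// Audits all hosts and keeps only the non-compliant ones for a report or ticket.
function nonCompliantHosts(hosts) {
  return hosts.map(auditHost).filter(function (r) { return !r.compliant; });
}

// Constructed sample inventory mirroring the properties the post's tasks read.
function makeHost(name, lockdownValue, sshRunning, sshPolicy) {
  return {
    name: name,
    config: { lockdownMode: { value: lockdownValue } },
    configManager: { serviceSystem: { serviceInfo: { service: [
      { key: "TSM", label: "ESXi Shell", running: false, policy: "off" },
      { key: SSH_SERVICE_KEY, label: "SSH", running: sshRunning, policy: sshPolicy }
    ] } } }
  };
}

const SAMPLE_HOSTS = [
  makeHost("esx01.example.local", "lockdownNormal", false, "off"),   // compliant
  makeHost("esx02.example.local", "lockdownDisabled", true, "off"),  // left open after maintenance
  makeHost("esx03.example.local", "lockdownStrict", false, "on")     // SSH starts with the host
];
```

In a vRO scriptable task the same functions work unchanged on an Array/VC:HostSystem input; only the constructed inventory is replaced by the real hosts.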

vRealize Orchestrator Workflow

I have decided to create two different workflows for Enable and Disable, even if a single workflow with an additional input might be more efficient. Dedicated Workflows are in my opinion more transparent in the vCenter Server extension.

Enable SSH (and disable Lockdown)

Manage Host Lockdown Mode and SSH Service - Enable SSH and disable Lockdown

Scriptable task – Disable Lockdown

Input: hostSystem – VC:HostSystem

// Possible lockdownMode values: lockdownDisabled, lockdownNormal, lockdownStrict
var lockdownMode = hostSystem.config.lockdownMode.value;
if (lockdownMode === "lockdownDisabled") {
    System.log(hostSystem.name + " is already not in lock down mode");
} else if (lockdownMode === "lockdownNormal") {
    hostSystem.exitLockdownMode();
    System.log(hostSystem.name + " is now not in lock down mode.");
} else {
    // lockdownStrict (or an unknown value): leave the host untouched and make it visible in the log
    System.warn(hostSystem.name + " is in lockdown mode '" + lockdownMode + "', no change made");
}

Scriptable task – Enable SSH

Input: hostSystem – VC:HostSystem
Input: serviceAction – string "start"
Input: serviceName – string "TSM-SSH"

External Source: Manage Services on your ESXi Hosts with vCO by Burke Azbill

// Reference: https://www.vcoteam.info/articles/learn-vco/240-manage-services-on-your-esxi-hosts-with-vco.html

// Get the hostServiceSystem object from the host:
var hostServiceSystem = hostSystem.configManager.serviceSystem;
 
// refresh services info to make sure all properties are fresh:
hostServiceSystem.refreshServices();

// Get SSH Service
var serviceObj = null;
var services = hostServiceSystem.serviceInfo.service; // Retrieve a list of available services on this host
for each (svc in services){ // now try to match the service key with the service name we're passing in
    //System.log("Checking "+svc.key+" / "+serviceName); // Optionally uncomment the beginning of this line for additional logging
    if(svc.key == serviceName){
        System.log("Service Found! "+svc.label);
        serviceObj = svc;
        break;
    }
}
if (serviceObj == null){ // Make sure we got the service object we are trying to manipulate - if null, throw exception
    throw "unable to locate service: "+serviceName+" on host: "+hostSystem.name;
}

// Process Action
switch(serviceAction){
    case "start": // Only run the startService method if the service is not running
        // before trying to start, make sure running is not true
        if (serviceObj.running != true){
            hostServiceSystem.startService(serviceObj.key);
        }
        break;
 
    case "stop": // Only run the stopService method if the service is running
        if (serviceObj.running == true){
            hostServiceSystem.stopService(serviceObj.key);
        }
        break;
 
    case "restart":
        hostServiceSystem.restartService(serviceObj.key);
        break;
 
    case "uninstall": // Not all services can be uninstalled so we use a try/catch here
        try{
            hostServiceSystem.uninstallService(serviceObj.key);
        }catch(err){
            System.error("Error uninstalling service "+serviceObj.key+" ("+err+")");
            Server.error("Error uninstalling service "+serviceObj.key,serviceObj.key);
        }
        break;
 
    default: // We should never get here so Provide some warning logging and optionally throw an exception if appropriate for your environment
        System.warn("Invalid service action selected");
        Server.warn("Invalid service action selected",serviceAction);
}

Disable SSH (and enable Lockdown)

Manage Host Lockdown Mode and SSH Service - Disable SSH and enable Lockdown

Scriptable task – Enable Lockdown

Input: hostSystem – VC:HostSystem

// Possible lockdownMode values: lockdownDisabled, lockdownNormal, lockdownStrict
var lockdownMode = hostSystem.config.lockdownMode.value;
if (lockdownMode === "lockdownNormal" || lockdownMode === "lockdownStrict") {
    System.log(hostSystem.name + " is already in lock down mode (" + lockdownMode + ")");
} else if (lockdownMode === "lockdownDisabled") {
    hostSystem.enterLockdownMode();
    System.log(hostSystem.name + " is now in lock down mode.");
} else {
    // Unknown value: leave the host untouched and make it visible in the log
    System.warn(hostSystem.name + " reports unexpected lockdown mode '" + lockdownMode + "', no change made");
}

Scriptable task – Disable SSH

Input: hostSystem – VC:HostSystem
Input: serviceAction – string "stop"
Input: serviceName – string "TSM-SSH"

External Source: Manage Services on your ESXi Hosts with vCO by Burke Azbill

// Reference: https://www.vcoteam.info/articles/learn-vco/240-manage-services-on-your-esxi-hosts-with-vco.html

// Get the hostServiceSystem object from the host:
var hostServiceSystem = hostSystem.configManager.serviceSystem;
 
// refresh services info to make sure all properties are fresh:
hostServiceSystem.refreshServices();

// Get SSH Service
var serviceObj = null;
var services = hostServiceSystem.serviceInfo.service; // Retrieve a list of available services on this host
for each (svc in services){ // now try to match the service key with the service name we're passing in
    //System.log("Checking "+svc.key+" / "+serviceName); // Optionally uncomment the beginning of this line for additional logging
    if(svc.key == serviceName){
        System.log("Service Found! "+svc.label);
        serviceObj = svc;
        break;
    }
}
if (serviceObj == null){ // Make sure we got the service object we are trying to manipulate - if null, throw exception
    throw "unable to locate service: "+serviceName+" on host: "+hostSystem.name;
}

// Process Action
switch(serviceAction){
    case "start": // Only run the startService method if the service is not running
        // before trying to start, make sure running is not true
        if (serviceObj.running != true){
            hostServiceSystem.startService(serviceObj.key);
        }
        break;
 
    case "stop": // Only run the stopService method if the service is running
        if (serviceObj.running == true){
            hostServiceSystem.stopService(serviceObj.key);
        }
        break;
 
    case "restart":
        hostServiceSystem.restartService(serviceObj.key);
        break;
 
    case "uninstall": // Not all services can be uninstalled so we use a try/catch here
        try{
            hostServiceSystem.uninstallService(serviceObj.key);
        }catch(err){
            System.error("Error uninstalling service "+serviceObj.key+" ("+err+")");
            Server.error("Error uninstalling service "+serviceObj.key,serviceObj.key);
        }
        break;
 
    default: // We should never get here so Provide some warning logging and optionally throw an exception if appropriate for your environment
        System.warn("Invalid service action selected");
        Server.warn("Invalid service action selected",serviceAction);
}

vCenter Server Integration

The vCenter Server extension integrates vRealize Orchestrator workflows directly into the vCenter Web Client UI.

Context menu on host level:

The vCenter Server extension makes it possible to select existing workflows for each inventory object. I have enabled both workflows to manage Host Lockdown Mode and SSH Service at host level.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Context menu

Workflow parameters:

The vCenter WebClient UI shows the same inputs as in vRealize Orchestrator. In this case, the hostSystem is automatically entered.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Workflow parameters

Workflow scheduling:

The selected Workflow can be executed immediately or a schedule can be created.

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Run Now

Manage Host Lockdown Mode and SSH Service - vCenter Server Extension Schedule
