Preparing and Adding a vRO PowerShell Host using SSL and a Self-Signed Certificate

In the enterprise world, the security policy usually requires an official certificate issued by the corporate KMS, but for a PoC or a quick crash-and-burn test you may need to use a self-signed certificate. I've put a couple of commands into a script which you should execute on your Windows Server (2019 in my case); after that you can add the server as a PS host in the vRO inventory using the PS Plugin.

Configuring the Kerberos Authentication

In case you need to use Kerberos authentication, first you need to edit the krb5.conf file, which is located at /usr/java/jre-vmware/lib/security/ on each vRO appliance (on every node if you have a multi-node cluster).

An example of the file:

[libdefaults]
    # Realm used when a principal name carries no realm
    default_realm = VLAB.LOCAL
    # Force TCP for all KDC traffic (avoids UDP fragmentation of large AD tickets)
    udp_preference_limit = 1
[realms]
    VLAB.LOCAL = {
        kdc = dc.VLAB.LOCAL
        default_domain = VLAB.LOCAL
    }
[domain_realm]
    # Map the DNS domain and all its sub-domains to the Kerberos realm
    .VLAB.LOCAL = VLAB.LOCAL
    VLAB.LOCAL = VLAB.LOCAL

A restart of the vRO appliance is required to apply the changes.

Creating a Self-Signed Certificate and Binding it to WinRM

$psHostName = $env:computername
$psHostDomain = $env:userdnsdomain
$psFQDN = $psHostName + '.' + $psHostDomain
# Generate a new self-signed certificate for the host FQDN and get its thumbprint
$psHostThumb = (New-SelfSignedCertificate -DnsName $psFQDN -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
# Bind the new certificate to a WinRM HTTPS listener
$bindCommand = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname=""$psFQDN""; CertificateThumbprint=""$psHostThumb""}'"
Invoke-Expression $bindCommand

This assumes that no HTTPS listener exists yet. If you already have one, you can delete it with the following command:

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
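Before running the vRO workflow, it is worth confirming that the listener is actually bound to a certificate that matches the host FQDN and that the port answers. The following check is an added example, not part of the original post; it assumes the default WinRM HTTPS port 5986 (adjust $httpsPort if you changed it) and that the listener was created as above.

```powershell
# Added example (not from the original post): sanity-check the WinRM HTTPS listener
# before adding this server as a vRO PowerShell host.
$psFQDN    = "$env:computername.$env:userdnsdomain"
$httpsPort = 5986   # assumption: default WinRM HTTPS port

# Find the HTTPS listener in the WSMan provider and read its properties
$listener = Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object {
    (Get-ChildItem -Path $_.PSPath | Where-Object Name -eq 'Transport').Value -eq 'HTTPS'
}
if (-not $listener) {
    Write-Warning 'No WinRM HTTPS listener is configured.'
    return
}
$props     = Get-ChildItem -Path $listener.PSPath
$boundHost = ($props | Where-Object Name -eq 'Hostname').Value
$thumb     = ($props | Where-Object Name -eq 'CertificateThumbprint').Value

# Look up the bound certificate in the machine store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert) {
    Write-Warning "Listener references thumbprint $thumb, which is not in Cert:\LocalMachine\My."
    return
}

$problems = @()
if ($boundHost -ne $psFQDN) {
    $problems += "Listener Hostname '$boundHost' does not match '$psFQDN'."
}
if ($cert.DnsNameList.Unicode -notcontains $psFQDN) {
    $problems += "Certificate SAN list does not include '$psFQDN'."
}
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "Certificate expired on $($cert.NotAfter)."
}
if ($cert.Subject -eq $cert.Issuer) {
    # Expected for this PoC setup; vRO must be told to trust this certificate when the host is added
    Write-Host "Certificate is self-signed (subject equals issuer): $($cert.Subject)"
}

# Confirm the listener port answers (a missing firewall rule is a common cause of failure)
$tcp = Test-NetConnection -ComputerName $psFQDN -Port $httpsPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $problems += "TCP port $httpsPort on $psFQDN is not reachable."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "WinRM HTTPS listener on $psFQDN looks good (thumbprint $thumb)." }
```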

Adding PS Host to vRO using PS Plugin

Navigate to Library -> PowerShell -> Configuration and run the Add a PowerShell Host workflow.

Fill in your data similar to mine:

After submission, if everything is alright, the workflow should finish successfully.

You can verify that it works by checking the available Snapins in the vRO Inventory view:

I hope that will help you! Cheers!
