Learning the vSphere Management Assistant (vMA)

It has been a while since I have worked with vMA. I used it fairly often when I was managing a vSphere environment. I am teaching the vSphere Optimize and Scale class during the winter semester so I spun up the vMA in the homelab to re-introduce myself to it. Using the vMA was part of the VCAP-DCA exam blueprint, but it looks like it has been removed from new VCAP-DCV Deployment exam blueprint (that makes me sad as it is a useful tool).

The vSphere Management Assistant (vMA) is a SUSE Linux virtual appliance which is packaged as an OVF. The vMA includes the vSphere command-line interface (esxcli and vicfg) and the vSphere Perl SDK. The vMA allows you to remotely execute vCLI/esxcli and use resxtop without having to enable SSH on ESXi host.

The vMA has an authentication component, vi-fastpass, which provides a credential store to cache host credentials to allow commands to be executed against target hosts without requiring authentication for each command. The vi-admin user has administrative privileges to add/remove/update servers to the vi-fastpass and the vi-user has read-only privileges to use the vi-fastpass to connect to hosts.

Hosts are added by the vi-admin user using the vifp addserver command. Once the servers have been added to vi-fastpass you can connect to the host using vifptarget. Using vifp listservers will provide a list of the hosts currently configured for vi-fastpass.

As of vSphere 6.0 esxcli/vCLI checks if a trust relationship exists between the machine running the command and the host the command is being run against. To create this trust relationship between the vMA and the ESXi or vCenter Servers registered in vi-fastpass the host’s thumbprint is added to the credential store using /usr/lib/vmware-vcli/apps/general/credstore_admin.pl add -s [server] -t [thumbprint]. Once the thumbprint is added to the Credential Store this trust relationship will exist between the vMA and the vi-fastpass configured hosts. When a target server is set (vifptarget -s [server]) the esxcli or vCLI commands can be executed from the vMA without requiring credentials.

If vCenter Server is added to vi-fastpass you can set the vCenter Server as the vifptarget (vifptarget -s [vcenterserver]) and esxcli commands can be executed against ESXi hosts in vCenter Server inventory by specifying --vihost in the esxcli commands.

Adding a user for a host to the Credential Store using /usr/lib/vmware-vcli/apps/general/credstore_admin.pl add -s [server] -u [user] allows you to execute esxcli commands against the host without setting a vi-fastpass target by specifying the target host (–server) in the esxcli command. Since the credentials are stored in the credential store you will not be prompted for credentials. The esxcli is used just as if you were logged directly into the host.

The vMA also includes a collection of vicfg utilities which can be used to configure ESXi hosts. These utilities can also be executed against vi-fastpass targets. A full list of the vCLI and the equivalent esxcli commands can be found here.

The credstore_admin.pl utility can be used to manage the credential store. Adding, removing, updating servers can be done using credstore_admin.pl.

Still just as easy to setup as I remembered and once configured very easy to use. Check out the vSphere Command-Line Interface Reference for a complete list of esxcli and vicfg commands.

The vMA is a great administrative tool which allows secure remote access to the CLI of hosts without having to manage SSH settings on each individual host.

Leave a Reply

Your email address will not be published. Required fields are marked *

two + 18 =