
VMWare vSphere

Connector name

agtvsphere

Connector type

Executable

Type (UI field value)

VMware vSphere Server

Target system versions supported / tested

The agtvsphere connector is known to work with version 6.7 of vSphere; other versions may work.

Connector status / support

Customer-Verified

Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system.

The agtvsphere connector manages VMWare virtual servers by checking out, powering on/checking in, and powering off virtual machines. This feature is supported in Bravura Security Fabric 9.0 and newer.

The following Bravura Security Fabric operations are supported by the agent for vSphere (agtvsphere):

  • get server information

  • add user to group

  • delete user from group

  • update attributes

  • List:

    • accounts

    • groups

    • members

    • computer objects

The following sections show you how to:

  • Prepare the vSphere target

  • Set the target system address

  • List resources

  • Manage groups

  • Manage check-in/check-out and power management of Instances

See also

Integration with VMWare VSphere/ESXi provides background information and a comparison between agtesxi and agtvsphere.

Preparation

The connector uses the API DLL shipped with vSphere to retrieve information from the vSphere server.

To obtain the DLL, go to https://code.vmware.com/web/sdk/6.7/vsphere-management. The required download from that page is vSphere Management SDK, version 6.7U1. The required DLL in the SDK zip is SDK/vsphere-ws/dotnet/cs/samples/lib/Vim25Service.dll. Copy it into the agent folder alongside the connector, agtvsphere.

Create an administrative user, such as psadmin, to allow Bravura Security Fabric to communicate with the vSphere server.

Targeting the vSphere server

Add a vSphere target system in Bravura Security Fabric (Manage the System > Resources > Target systems):

  • ID is a unique value, for example – VSPHERE

  • Type is VMware vSphere Server

  • Address uses the following settings:

    Server The server name or the IP address of the vSphere server.

    (key: server)

    Resource ID Specify the resource ID if you are targeting a specific resource instead of the top level server. You can obtain resource IDs from the resources list file.

    (key: resourceID)

    parentID Specifies a parent target that will be used for listing.

    (key: parentID)

    Validate the server’s certificate when connecting Determines whether to validate the server’s security certificate for SSL connections. Default is "true".

    (key: checkCert)

    The address is entered in KVGroup format:

    {server=<server>[;resourceID=ID][;parentID=ID][;checkCert=<true|false>];}

  • The target system’s administrative credentials are the login credentials for the VSphere server.

  • Appropriate privileges are required for the login; for example, the connector will only list the resources that the supplied credentials can view.

The full list of target parameters is explained in Target System Options.
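As an added example (not part of the Bravura Security documentation), a small Python parser that validates an address in this KVGroup format and flags the two settings a reviewer would want to check: checkCert=false, which turns off certificate validation, and a resourceID given without a parentID. It assumes values contain no ';' or '=' and need no escaping.

```python
from dataclasses import dataclass
from typing import List, Optional

# Address in KVGroup format: {server=<server>[;resourceID=ID][;parentID=ID][;checkCert=<true|false>];}
# Assumption (not from the documentation): values contain no ';' or '=' and need no escaping.
_KNOWN_KEYS = {"server", "resourceID", "parentID", "checkCert"}

@dataclass
class VSphereAddress:
    server: str
    resource_id: Optional[str] = None
    parent_id: Optional[str] = None
    check_cert: bool = True  # certificate validation is on by default

def parse_vsphere_address(addr: str) -> VSphereAddress:
    """Parse and validate one address string; raise ValueError on malformed input."""
    text = addr.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("address must be enclosed in braces")
    values = {}
    for part in text[1:-1].split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate the trailing ';' before '}'
        key, sep, value = part.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in _KNOWN_KEYS:
            raise ValueError(f"unknown or malformed component: {part!r}")
        if key in values:
            raise ValueError(f"duplicate key: {key!r}")
        values[key] = value
    if not values.get("server"):
        raise ValueError("server is required")
    check_cert = True
    if "checkCert" in values:
        flag = values["checkCert"].lower()
        if flag not in ("true", "false"):
            raise ValueError("checkCert must be true or false")
        check_cert = flag == "true"
    return VSphereAddress(values["server"], values.get("resourceID"), values.get("parentID"), check_cert)

def address_warnings(a: VSphereAddress) -> List[str]:
    """Findings a reviewer would flag: TLS validation off, child target without parentID."""
    out = []
    if not a.check_cert:
        out.append("checkCert=false: the vSphere server certificate is not validated")
    if a.resource_id and not a.parent_id:
        out.append("resourceID without parentID: child target lists users/groups from vSphere directly")
    return out
```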

Listing resources

The list resources (computer objects) operation should be called from the top level VSphere target (one where no resourceID or parentID is specified) to give you the full list of VMs, hosts, datacenters and resource groups from the VSphere instance.

If you wanted to target a resource directly, you would use the name of the resource in the resourceID address line component. The parentID in this case should be the exact name of the target ID that you got the list of resources from.

This allows Bravura Security Fabric to manage the groups at each individual resource level (the groups being sets of VSphere permissions). Users can then request groups to be added to their accounts (group-user-add/delete operations) to get permission on specific resources; for example, when requesting the privilege to use a specific VM.

Specifying the parentID is not strictly required, but it is highly recommended: with a parentID, the child targets simply copy the top-level target’s list files instead of connecting to the VSphere server and listing the users and groups themselves. If the parentID is not specified, the child resource connects to the VSphere server directly and lists them itself. This matters most when you create many child targets through import rules and end up with quite a few of them; without parentIDs, each of them generates extra calls to the VSphere server.

Managing groups

The "groups" that the connector lists are the roles (privileges) from the VSphere server. The list members operation lists the role assignments at the given level (the top level if no resourceID is specified, otherwise the resource specified by resourceID) and does not list inherited role assignments.

Display the group short ID

The ID column by default displays the long ID for the roles on the vSphere server. When using the default roles, this information can be cryptic. To display the short ID instead, the shortid.pss plugin can be configured in DISPLAY GROUPID PLUGIN plugin option.

Further details about configuring this plugin option are explained in Display group IDs.

Managing check-in/check-out and power management of Instances

Bravura Security Fabric can start and stop individual VMWare virtual machines, as well as containers, through the Bravura Privilege check-out/check-in process.

Virtual machines and containers are listed as accounts in Bravura Privilege. The account ID of a virtual machine is prefixed with _VirtualMachine; the account ID of a container is prefixed with an underscore followed by the type of container.

Checking out a virtual machine:

  • Ensures only a single person has access to it at any one given time.

  • Allows for authorization and approval of use of the virtual machine via work-flow.

  • Powers on the VM, on demand, so that VMs are not left running.

When the end user is finished with the instance they can check it in, which will:

  • Power off the VM, so that extra running costs are not incurred.

  • Allow access to the VM by other users.

    The virtual machine is automatically checked in after the expiry time, in case the end user forgets to check it back in.

The following example shows how to check-out (or power on) an instance:

  1. Add the VSphere target.

  2. Run psupdate to list accounts (VMs and vApps).

  3. Add an IDAPI user.

  4. Manage the VSphere accounts whose account ID is prefixed with _VirtualMachine.

  5. Copy the sample file pxnull-vsphereco.cfg to the instance script folder.

  6. Update the credentials of the IDAPI user in pxnull-vsphereco.cfg.

  7. Configure the plugin points RES_CHECKOUT_SUCCESS and RES_CHECKIN_SUCCESS to execute pxnull.exe -cfg pxnull-vsphereco.cfg.

  8. As an end user, check-out the VM.

  9. After the request is approved, verify the instance is powered on.

  10. Check-in the instance, and verify the instance is powered off.