Archive for the ‘Certification’ Category

CCNA Data Center exam experience 640-911 DCICN

November 17th, 2013 3 comments

And another exam done last Friday.

This time it was not VMware but something different, as I kind of ran out of VMware exams to take and needed a new hobby to spend my time on. As the Microsoft certification route seems to get an overhaul every couple of years by now, I wanted to invest my learning in something a little bit more stable. Additionally, I wanted to broaden my knowledge a little bit more on the actual infrastructure side rather than only dealing with the operations, guest OS and management side, which I do in my day-to-day work.

The choice therefore easily went to Cisco. As the data center track also includes virtualization, I decided to start with that instead of going the classical routing and switching track. The CCNA Data Center is a two-exam certification without any choice of exams: you will need to pass the 640-911 (which concentrates on data center networking concepts) and the 640-916 (which concentrates on unified computing, storage, virtualization and also some networking).

The exam blueprint is extremely accurate and I did not get any bad surprises during the exam. If you have a look at the weight of the different topics on the overview page linked below, you will notice that it is not as heavy on subnetting as one would imagine (every time I read about Cisco exams so far there were always some subnetting tips in the posts and also some favourite links for the preparation; if you don’t like subnetting, this seems to be your track of choice).

A study tip from the training videos was to basically go through the blueprint, look for technical terms, go to the Cisco documentation and read the overview or summary of that term. I found that to be pretty accurate when comparing the depth of the topics asked; this is an entry-level certificate and therefore requires a broad rather than deep approach to certain topics. Still, you should be able to configure everything that is asked in the blueprint and, even more important, be able to troubleshoot misconfigurations (show commands are your friend).

One thing that really bugged me is the lack of a calculator during the exam. Yes, I agree that we should be able to do the maths by hand, but it is tedious and error prone and no one does it in the real world; that is what calculators were invented for. So you should be decently fast with your binary math.

Overall, if you prefer a compiled study guide I can only recommend the book authored by Todd Lammle and John Swartz. I highly enjoyed the writing style (while I also like the technical style of Wendell Odom, this is just completely different and enjoyable to read) and it covers all the exam topics with a lot of practice questions and exercises from cover to cover. If you are not into spending any money except the exam fee, I also compiled some study resources for the more important topics below (this is not intended to be a complete list though).

Study resources:

Exam tutorial
Internetworking Technology Handbook
DCICN Overview
Data Center Training Videos
Nexus 5000 Security Configuration Guide
ACL examples – Just be sure to follow the NX-OS syntax as these examples are for IOS
Nexus 5000 Layer 2 Switching Configuration Guide
Nexus 5000 Unicast Routing Configuration Guide
CCNA Data Center – Introducing Cisco Data Center Networking Study Guide: Exam 640-911
A little bit of access to actual hardware doesn’t hurt either (or the simulator from Todd Lammle)

Categories: CCNA DC, Certification Tags:

VCAP-CID experience

November 11th, 2013 2 comments

At the end of October I took the VCAP-CID exam, and as this was still right after vSphere 5.5 was released I didn’t actually study as hard for it as I wanted to (I didn’t even find the time to read the blueprint properly; I strongly advise people attempting the exam to do so nonetheless).

I was assured that the exam is based on version 5.1 of vSphere and vCloud Director.

This was my 4th VCAP exam, so by now I am used to sitting an exam for a long time and just powering through those 3 hours (I haven’t figured out how to get the extra 30 minutes for not being a native English speaker, even though I am residing in an English-speaking country right now).

As with the VCAP-DCD you cannot go back on questions; your answer is final, and you will want to pace yourself through it as there is less time than in the VCAP-DCD while still presenting more questions. You will also still face the 6 design tool questions.

As a rule of thumb I spent 12 minutes per Visio-style question (maybe 30 seconds longer when I just needed some more connections) and then clicked next to see the full exam, which left me with a little over one minute per drag-and-drop or multiple-choice question. I felt that a lot of the hiccups I experienced in the VCAP-DCD have been corrected for the Visio type of questions. I could move elements around without whole parts of the design going off screen and therefore having to start all over again. Connecting the single elements also seems to have improved a little (it still isn’t perfect though).

The only real study resource I used was the vCloud Architecture Toolkit (vCAT), a free download that goes through all of it. I also read the vCloud Director chapter in Scott Lowe's vSphere Design 2nd Edition, but that information is by no means intended to be a study resource for this specific exam.

Gregg Robertson put together a very decent list of resources for those who can put more time into studying which can be found at

For those who want some extra tips and tricks for studying:

  1. Know the VMware process of designing, you will be tested on this, your own process is no good in this exam if it differs from the VMware view
  2. Be able to distinguish between conceptual, logical and physical designs
  3. Know how changes in the vCloud Director layer actually translate to the vSphere layer
  4. Know how design decisions will affect availability, security, manageability, performance, recoverability
  5. Be familiar with disaster recovery concepts
  6. Be familiar with translating business needs into actual decisions while fulfilling the requirements, trying to mitigate risks and working around constraints, and be able to map those needs to the allocation models within vCloud Director
  7. Know all the different cloud concepts, there is more than one
  8. Be able to look at things from a business point of view and explain certain user roles involved in a cloud deployment
  9. Know the software minimum requirements, recommended configuration and configuration limits for the vCloud and vSphere stack
Categories: Certification, VCAP Tags:

VCAP-CIA objective 3.4 – Manage an Organization

September 9th, 2013 No comments

The blueprint states the following skills needed to cover this objective.

  • Create and manage Organizations
  • Manage Organization policies and settings

The process to create an Organization in vCloud Director is described in the English version of the vCloud Director Administrator’s Guide on pages 28 – 32 and the following kb article.

Creating an Organization in VMware vCloud Director

To create an Organization in vCloud Director simply click the corresponding link on the home screen, which will bring up a wizard.


Next, fill out the organization name; keep it short as this will be part of the URL that is called to access the organization. You can set a longer name in the Organization full name field, which will appear in the browser header, and an optional description.


The next screen gives you the choice of directory services. You can choose between none, which basically means you will need to create the users in vCloud Director manually and they are stored in the vCloud Director database; the same LDAP system as the vCloud Director provider, where you can choose different OUs for different organizations but won’t have the flexibility of the last option; and a completely independent LDAP service. Further information on configuring LDAP for vCloud Director can be found in the vCloud Director Administrator’s Guide on page 123 and the following kb article.

Setting up Kerberos authentication for vCloud Director



The next screen will give you the option to add or create local users in case ldap services are down.


Next up is the choice of whether the organization admin can publish catalogues or not.


The next screen will allow you to override the default smtp settings to send emails for this organization.


The last screen will let you configure the policies for the organization. This includes the maximum runtime, template and storage leases, the storage clean-up policy, quotas, limits on resource intensive operations and console connections and account lockout policies.



When you click “Finish” on the summary page your Organization will be created and you will be able to use it as a container for Organization VDCs.

The vCloud Director Administrator’s Guide describes the following management tasks for an Organization on the pages 105 – 110 in the English version.

  • Enable or Disable an Organization
  • Delete an Organization
  • Add a Catalog to an Organization
  • Editing Organization Properties
  • Managing Organization Resources
  • Managing Organization Users and Groups

Disabling or Enabling an Organization can be done using the “Manage & Monitor” tab by right clicking the Organization. This will prevent or allow users to log in to the Organization. It won’t affect the ability of administrators to allocate resources or make changes to the network. All vApps will also continue to run just fine.

From this menu you can also delete the Organization and edit the properties of the Organization. You will need to change the ownership of all objects within that Organization that the current users own to be able to delete it.


To add a catalogue to an Organization go to the quick start page and choose option 7 “Add a catalog to an Organization”.


Choose an Organization in the Wizard to add the catalogue to.


Name the catalogue.


And finally choose the publishing option, if the Organization options allow it.


You will be able to edit most properties you selected during the creation process by choosing the “Properties” option when right clicking the Organization. If you actually want to change the Organization name though you will need to disable the Organization first.


You also have the option to change the LDAP settings for the Organization, to choose whether catalogues can be published to all Organizations, email notification settings and the policies you chose when creating the Organization.

To manage the resources of an Organization you will need to create, modify or delete Organization VDCs which is described in detail in objective 3.3.

To add and manage users for an Organization you can double click the Organization in the “Manage & Monitor” tab and add either vCloud Director local users or import users and groups from an LDAP source.



You will have some more options to manage those users when you right click them. You will be able to enable and disable accounts, unlock a locked account or delete an account. Depending on whether the account is a local account or an LDAP account, you will also be able to reset the password, change the role, and edit the contact info and quotas by choosing the “Properties” option.



Categories: Certification, VCAP Tags:

VCAP-CIA objective 3.3 – Manage Organization VDCs

September 9th, 2013 No comments

The blueprint states the following skills needed to cover this objective.

  • Configure storage tiers
  • Create, manage and delete org VDCs

As I already covered how to add more storage to a Provider VDC, we will concentrate on how to change the attached storage profiles for an Organization VDC. As every Organization can consist of several Organization VDCs, you will be able to assign different storage profiles, which need to pre-exist in your vSphere environment, to these VDCs so that your Dev&Test VDC is not eating up all the precious space and performance for your production workloads.

The assigning process can be done either directly during the creation process of an Organization VDC which will be described in the second part of this post or at any later stage by opening the Organization VDC and choosing the “Storage Profiles” tab.


In the same menu you can also disable a storage profile, delete it, change the default profile to be used or change the size limit for the Organization VDC in the properties option.


Fast provisioning and thin provisioning settings can also be changed after creating an Organization VDC by using the “Manage & Monitor” tab, right clicking the Organization VDC and choosing the “Properties” option.


The second goal of this objective is to create, manage and delete Organization VDCs. The process is also described in the following kb article and in the English version of the vCloud Director Administrator’s Guide on pages 32 – 40.

Creating an Organization Virtual Data Center in VMware vCloud Director

As Organization VDCs are created using a specific allocation model with different use cases for each model some more information can be found using the following resources.

Allocation Models for Organizations using vCloud Director

So let’s start by creating one. This can be done by choosing option 6 on the quick start page.


You will then need to choose an organization and a Provider VDC to host the Organization VDC.



The next step is to choose an appropriate allocation model.


You will then be able to configure the resource settings, limits and reservations for CPU, memory and the maximum number of VMs that can be deployed in that Organization VDC. This screen differs a bit between the different allocation models. You will only be able to choose a specific vCPU speed in the PAYG model, and you won’t be able to set any reservations in the Reservation Pool model. There will also be a rough estimate of how many VMs this Organization VDC will be able to host, scaled in 3 different VM sizes: “small”, “medium” and “large”.




Next up will be the storage configuration. Here you can add the storage profiles and thereby the datastores available to the Organization VDC as well as setting the default instantiation storage profile. An upper limit on how much space can be used for each storage profile can be configured as well. You can also choose the options for thin and fast provisioning in this screen.


This leaves the network pools to set. You will be able to choose 1 network pool from which the vApp networks will be created. If you already pre-configured a vShield Edge device in that network pool you will see a list of all the configured services that Edge device offers.


On the next screen you will be able to choose if you want to deploy a new Edge device and also configure it on the spot even though you may choose to do the configuration part later as well. Advanced settings like IP settings, IP Pools and rate limits can also be configured on the spot.


If you choose to deploy an Edge Gateway you will need to select the external networks that gateway can provide access to.


If needed you can create a routed organization network and also share it across the whole organization.


The last step will be to name and enable the organization VDC.


The different options for managing the Organization VDC are described on page 52 – 63 in the English version of the vCloud Administrator’s Guide.

These include the following tasks:

  • Enable or disable an Organization VDC
  • Delete an Organization VDC
  • Add a storage profile to an Organization VDC
  • Modify the Organization VDC name and description
  • Edit the Allocation Model settings
  • Edit storage settings
  • Edit network settings

All these tasks can be done by using the “Manage & Monitor” tab. To enable or disable the VDC just right click on it and choose the according option. You can also delete the VDC this way as long as it is disabled and all vApps, templates and media have been deleted or removed as well.


The process to add a storage profile to the Organization VDC was described in the beginning of this post.

To change the name and description of the VDC select the “Properties” option when right clicking the VDC and choose the “General” tab.


You will not be able to change the actual allocation model for an Organization VDC but you can change the settings of the current model, e.g. the CPU reservation by selecting the “Allocation” tab.


If you want to enable or disable thin and fast provisioning you will need to select the “Storage” tab.


The “Network Pool & Services” tab will let you change the network pool backing the Organization VDC as well as the actual number of networks provisioned for this VDC.


Categories: Certification, VCAP Tags:

VCAP-CIA objective 3.2 – Manage vCloud Director network resources

September 8th, 2013 No comments

The blueprint states the following skills needed to cover this objective.

  • Create and manage network pools
  • Create Provider external networks
  • Manage and remove network resources

By default vCloud Director 5.1 will try to create a VXLAN backed network pool whenever you create a Provider VDC. If you want to use VXLAN backed pools the cluster should be prepared to actually use VXLAN which is described in detail in objective 2.3.

Duncan Epping gives a great overview about the 3 other network pools that can be created in vCloud Director.

There is also a kb describing the process.

Creating network pools in VMware vCloud Director

Additional information can also be found in the English version of the vCloud Director Administrator’s Guide on pages 23 – 25. Remember that you can assign only 1 network pool to each Organization VDC but can share the same pool across different Organization VDCs. If you are opting for the network-isolation backed pool, remember to increase the MTU on the distributed virtual switch backing that pool. These pools back the networking demands of the organizations in vCloud Director. So let’s walk through the process of creating a new network pool.

Click on option 4 on the quick start page.


The first step in the wizard is to decide which network pool will be created.


The next steps differ for each pool type. While the VLAN backed pool will need information about a VLAN range, the isolation-backed pool will require only 1 VLAN and the number of isolated networks that need to be created. For the port group backed network pool you will need to choose pre-created port groups from the vSphere layer.




The rest of the process is the same for all network pool types which consists of naming the pool and possibly giving it a description and clicking “Finish” on the summary page.


You will be able to manage and modify network pools by clicking on the “Manage and Monitor” tab.


By right-clicking and selecting “Properties” you will be able to expand the pool by adding additional resources like VLANs, port groups or simply networks to it. You can also rename the network pool this way and increase the MTU to the recommended size of 1600 as described in the vCloud Director Administrator’s Guide on page 25.


The steps to create a Provider external network are described in the English version of the vCloud Director Administrator’s Guide on pages 22-23 and the following kb article.

Creating External (Provider) Networks in VMware vCloud Director

All we need to do is click option 3 on the quick start page.


The next step is to pick a vCenter server attached to vCloud Director and an appropriate port group providing access to the external network. This needs to be pre-configured at the vSphere level. According to the Administrator’s Guide this should be an auto-expanding static port group. Don’t worry: as the exam is based on vSphere 5.1 this is already in place by default, but for those more curious about this feature there is more information in the following 2 links.

Choosing a port binding type


Next up is configuring the actual network settings like default gateway, subnet mask, DNS servers and the IP pool.


The last step in the creation process is naming the external network.


After clicking “Finish” on the summary page the new external network will be created. You can check the result on the “Manage and Monitor” page within vCloud Director.


The last goal for this objective is to manage and remove network resources. I am assuming that this is also related to network pools like the rest of this objective as vShield Edge devices are covered in more detail in objectives 4.1 and 4.2.

You can get an overview of the Organization networks connected to the network pools by clicking on the Organization VDC in the “Manage & Monitor” tab. The “Org VDC Networks” tab contains information on the different Organization networks and the related network pool status. By right clicking on an Organization network you will reveal the management options, which depend on the network type. For internal and routed networks you will be able to manage the services the vShield Edge device delivers to that network. You will also be able to reset the network, view the IP allocations and connected vApps, and manage the static IP pool settings and name by choosing “Properties”. You can delete an Organization network in this screen as well once no virtual machines are connected to that network anymore.


To change the allocated network pool for an Organization VDC simply open the properties window of that Organization VDC in the “Manage & Monitor” tab. This step is needed when you want to delete a network pool.


To actually find out which Organization VDCs are using a network pool you can simply click it in the “Manage & Monitor” tab.


By right clicking a network pool in the Network Pools overview you will be able to repair and delete the network pool. You can also change the settings of a network pool as already described in the previous goal, for example to change the MTU for an isolation-backed pool.


Categories: Certification, VCAP Tags:

VCAP-CIA objective 2.3 – Manage vSphere network resources

August 26th, 2013 No comments

The blueprint states the following skills needed to cover this objective.

  • Create and manage vSphere port groups
  • Configure vSphere network options including MTU and VLAN
  • Prepare vSphere cluster for VXLAN

Managing and creating vSphere port groups is done at the vSphere level. There are 2 different scenarios here: as vCloud Director could be combined with an Enterprise license instead of an Enterprise Plus license on the ESXi hosts backing the Provider VDCs, we will go through the process of creating and managing port groups on both vSwitches and dvSwitches.

Let’s tackle vSwitches first. To add a port group consistently to a cluster you will need to complete the process on all of the hosts. The first step is to go to the host you want to create the new port group on, go to the Configuration or Manage tab depending on the client you are using, and click the “Add networking” button.


You will then be asked what kind of port group you want to add, select Virtual Machine port group. Select an existing vSwitch or create a new one. Select the appropriate uplink ports and finally assign a VLAN to the port group and name it.


You will now be able to choose this port group to create a port group backed network pool in vCloud Director.


This port group can now be managed through the Web Client. You will be able to edit the MTU on the vSwitch level of that port group. The VLAN can be changed by editing the port group directly.

Security features (promiscuous mode, MAC address changes, forged transmits), traffic shaping options and failover options can be configured on the switch level and propagated to the port group or be overridden on the port group level.


Creating a port group on a dvSwitch is actually very similar. Just click the “New Distributed Port Group” button, enter a name and configure the settings including VLAN.


To edit the port group or dvSwitch settings click on the appropriate buttons, the same principles as for a vSwitch apply (MTU on the dvSwitch and VLAN on the port group).


Information on why you would want to increase the standard MTU of 1500 can be found in the vCloud Architecture Toolkit (if the exam asks you to configure VXLAN or VCD-NI backed pools be sure to check out the MTU size of the dvSwitch you are creating).

Oddly enough the blueprint does not mention that you will need to create dvSwitches or vSwitches, the process also is rather easy. For a dvSwitch simply right click the datacenter in the Web Client and choose “New Distributed Switch”, a wizard will pop up which will ask for a name and some basic settings (Note that you cannot configure the MTU through that wizard, you will need to edit the dvSwitch settings after you created it).


The process to create a vSwitch has been explained in the top part of this post already. This leaves the task of preparing the vSphere cluster for VXLAN. This process is not described in the administrator’s guide or the installation guide, but there is a white paper and a blog post which describe the process.

VMware VXLAN Deployment Guide

To configure VXLAN the classic vSphere Client is needed as the required plugin for the configuration is not available in the Web Client.


Click the preparation link to start the configuration process.


Next click on “Edit” and choose all applicable clusters.


Choose the dvSwitch that will handle the traffic and assign the appropriate VLAN ID.


Select the correct Failover Policy in the next wizard screen (depending on your hardware configuration) and configure the MTU to 1600.


After hitting finish the status should look like this.


If no DHCP is providing IP addresses to the Virtual Tunnel Endpoints they need to be configured manually. This can be done by using the Web Client.


Last up is setting up the segment ID and multicast address. The segment ID pool will define how many isolated networks can be created.


There should be no errors anymore after creating a provider VDC in vCloud Director now as the clusters are fully prepared for VXLAN.


Categories: Certification, VCAP Tags:

New VCAP-CIA blueprint released

August 8th, 2013 No comments

It seems there was an update to the VCAP-CIA blueprint. Be sure to download version 2.4 from the following link.

VCAP-CIA Exam Blueprint Version 2.4

Categories: Certification, VCAP Tags:

VCAP-CIA objective 3.1 – Manage Provider VDCs

August 7th, 2013 No comments

The blueprint states the following skills needed to cover this objective.

  • Create and Provider VDCs
  • Merge or Expand Provider VDCs
  • Manage Provider VDC options

Creating a Provider vDC is described on pages 21 and 22 in the English version of the vCloud Director Administrator’s Guide. There is also a video showing the process in the kb noted below.

Creating a Provider Virtual Data Center in VMware vCloud Director

Let’s go through creating a Provider VDC step by step.

On the landing page click option 2 to open the wizard. Enter a descriptive name and choose the maximum supported hardware version which is affected by the build of the hosts in your cluster. Make sure the Provider VDC is enabled.


The next step is selecting the compute resources, namely choosing a vCenter Server and according Resource Pool to supply these CPU, memory and network resources from the vSphere layer to the actual vCloud workloads.


You will then need to add storage resources to the Provider VDC, be careful when choosing the * (Any) profile as this also includes the local datastores of the hosts which can cause problems. You can find more information on this profile in the following kb article.

About the *(Any) Storage Profile


The last step is to provide the root credentials to prepare the hosts for the use for vCloud Director.


After you click okay on the final summary page you can see the creation process in the Manage and Monitor tab.


The next 2 goals are described on the pages 45 – 51 in the English version of the vCloud Administrator’s Guide. Let’s start with merging 2 Provider VDCs. This is a very simple process you can start by going to the Manage and Monitor tab, choosing the Provider VDC option and right clicking the Provider VDC that should be the merge destination.


A wizard will pop up where you can choose which Provider VDC to merge with the selected one.


To actually expand a Provider VDC you will need to either add compute resources which can be done by adding another Resource Pool, or additional storage which can be done by adding Storage Profiles to the Provider VDC. For both options a wizard is going to pop up and guide you through selecting the additional resources.



The last goal is to manage Provider VDC options. The vCloud Administrator’s Guide lists the following options and procedures that can be edited for a Provider VDC.

  • Enable or Disable a Provider vDC
  • Delete a Provider vDC
  • Modify a Provider vDC Name and Description
  • Merge Provider vDCs
  • Enable or Disable a Provider vDC Host
  • Prepare or Unprepare a Provider vDC Host
  • Upgrade an ESX/ESXi Host Agent for a Provider vDC Host
  • Repair a Provider vDC ESX/ESXi Host
  • Enable vSphere VXLAN on an Upgraded Provider vDC
  • Provider vDC Datastores
  • Add a Storage Profile to a Provider vDC
  • Edit the Metadata for a Storage Profile on a Provider vDC
  • Add a Resource Pool to a Provider vDC
  • Enable or Disable a Provider vDC Resource Pool
  • Detach a Resource Pool From a Provider vDC
  • Migrate Virtual Machines Between Resource Pools on a Provider vDC
  • Configure Low Disk Space Warnings for a Provider vDC Datastore
  • Send an Email Notification to Provider vDC Users

Some of these tasks or procedures are prerequisites to be able to edit other options so I will only show a few examples here. Some have even already been described above.

We will start by modifying the name and description of a Provider VDC. Simply right click a Provider VDC in the Manage and Monitor tab when selecting the Provider VDC option. Click on properties and change the settings to your new requirements.


Note that you can also change the highest supported hardware version in the renaming wizard. You will not be able to assign new storage or compute resources though.


You can disable and delete a Provider VDC by right clicking it in this view, as well as enable VXLAN. The option to send an email notification to all Provider VDC users can also be found here by clicking the Notify… option.


When you left click on one of the Provider VDCs you get a new screen with tabs on the top. All host options can be seen by selecting the Hosts tab and right clicking the host. You will be able to enable or disable hosts, prepare or unprepare hosts, redeploy all VMs off a host, upgrade the host agent or repair the host.


To edit the metadata of a Storage Profile select the Storage Profiles tab, right click the according profile and select properties. You can also enable and disable Storage Profiles that way.


You will not be able to set storage warnings in the Datastores tab, you need to choose the Datastores option on the left pane to do that as these alarms are valid for all Provider VDCs that have access to these datastores.

You can enable, disable and detach Resource Pools by right clicking them in the Resource Pools tab.


To migrate VMs to another Resource Pool choose the Open option, CTRL click all the VMs in the Resource Pool which need to be moved and choose the Migrate to option. You will have the choice to automatically select a destination Resource Pool or do a manual selection.

Categories: Certification, VCAP Tags:

VCAP-CIA objective 5.1 – Manage vCloud Director SSL Certificates

August 1st, 2013 No comments

The blueprint states the following skills needed to cover this objective.

  • Create and process certificate requests
  • Replace default certificates

SSL certificates are an absolute requirement for vCloud Director to work. You will need 2 different certificates, one for the vCloud Director Web Interface and one for the Console Proxy. There are 2 options for SSL certificates, self-signed and CA-signed. The process to create the certificate requests and generate the certificates is described in the vCloud Director Installation and Upgrade Guide on pages 17-20 of the English version. There is also the following KB article describing the process in detail.

Generating SSL certificates for VMware vCloud Director

To create untrusted self-signed certificates simply run the following 2 commands on the vCD cell (both key pairs go into the same JCEKS keystore, certificates.ks, which is the file the configure script later asks for).

keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias http
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias consoleproxy

This generates the certificates, which are valid for 90 days by default (use the -validity parameter to set a different value).


You can list the contents of the keystore using the following command.

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list

You should expect to see both certificates in there.


To actually replace the certificates you can follow the guidelines in the English version of the vCloud Director Administrator’s Guide on page 16. It is basically a 3-step process.

  1. Stop the vCD cell
  2. Run the configuration script again
  3. Provide the path to the new keystore file and passwords for the keystore and certificates


After a restart of the cell the new certificates should be loaded and accessible.


The process to create CA-signed certificates is slightly different. Instead of creating the certificate itself we are going to use keytool to create requests, which are handed over to a CA that provides the actual certificate files in return. These are then imported into a keystore, as with the self-signed certificates. The procedure to actually replace the certificates on the cell stays the same.

The requests can be created by using the following 2 commands.

keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr

You will need an existing certificates.ks keystore containing self-signed certificates for the consoleproxy and http aliases for these commands to work, because the request is generated from the key pair already stored under that alias.


Upload these files to your CA and request the certificates. You will need to get back the 2 requested certificates, the root certificate of the CA and any intermediate CA certificates if they exist. These need to be imported into the keystore using the following commands, root and intermediate first so that the chain can be validated when the signed certificates are imported into their existing aliases.

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias root -file root.cer
(optional) keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -file intermediate.cer
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -file http.cer
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias consoleproxy -file consoleproxy.cer

When the complete chain is imported you should list the contents of the keystore to make sure everything is in there.

keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list


When everything is in place you can run the configure script as described above to actually replace the certificates. You should also import the root certificate into the trusted certificate store of the clients using vCloud Director to get rid of the security warnings.
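The two listing steps above (after generating the self-signed pairs, and after importing the CA chain) are where a wrong alias or a missing root entry is caught before the cell is stopped. The following POSIX shell script is an added example, not part of the original post or of VMware’s tooling: it wraps the keytool steps so the keystore password comes from an environment variable (VCD_KS_PASS is my name for it) via keytool’s -storepass:env option instead of the command line, and checks a `keytool -list` output for the entries vCD needs. It assumes keytool from the cell’s JRE is on PATH and that certificates.ks is the keystore passed to the configure script; the sample listing at the end is constructed, not captured from a real cell.

```shell
# Added example, not from the original post: a pre-flight check for the keystore
# steps above. Assumes the cell's keytool is on PATH and certificates.ks is the
# keystore handed to the configure script. The password is read from VCD_KS_PASS
# through keytool's -storepass:env option, so it does not land in shell history.

KEYSTORE="${KEYSTORE:-certificates.ks}"
KEY_ALIASES="http consoleproxy"   # the two private-key entries vCD requires

# Generate both self-signed key pairs non-interactively; $1 overrides the
# 90-day default validity. Key password is set equal to the store password.
gen_self_signed() {
    for alias in $KEY_ALIASES; do
        keytool -keystore "$KEYSTORE" -storetype JCEKS \
            -storepass:env VCD_KS_PASS -keypass:env VCD_KS_PASS \
            -genkeypair -keyalg RSA -keysize 2048 -alias "$alias" \
            -dname "CN=$alias" -validity "${1:-90}"
    done
}

# Read `keytool -list` output on stdin. Every alias in KEY_ALIASES must be a
# PrivateKeyEntry and every alias in $1 (e.g. "root intermediate" after the
# CA-signed import) a trustedCertEntry. Returns 0 only when nothing is missing.
check_listing() {
    listing=$(cat) missing=""
    for alias in $KEY_ALIASES; do
        printf '%s\n' "$listing" | grep -q "^${alias},.*PrivateKeyEntry" \
            || missing="$missing $alias(PrivateKeyEntry)"
    done
    for alias in $1; do
        printf '%s\n' "$listing" | grep -q "^${alias},.*trustedCertEntry" \
            || missing="$missing $alias(trustedCertEntry)"
    done
    [ -z "$missing" ] && return 0
    echo "keystore is missing:$missing" >&2
    return 1
}

# Live use: keytool -keystore "$KEYSTORE" -storetype JCEKS -storepass:env VCD_KS_PASS -list | check_listing root

# Constructed, abbreviated sample of `keytool -list` output (not from a real
# cell) so the check can be exercised without a keystore or a JRE.
SAMPLE_LISTING='Keystore type: JCEKS
Your keystore contains 3 entries

http, Aug 1, 2013, PrivateKeyEntry,
consoleproxy, Aug 1, 2013, PrivateKeyEntry,
root, Aug 1, 2013, trustedCertEntry,'

printf '%s\n' "$SAMPLE_LISTING" | check_listing root && echo "sample keystore OK"
```

Run it with `VCD_KS_PASS` exported in the session before calling gen_self_signed; the check returns non-zero and names the missing entries on stderr when an alias was mistyped or the chain import was skipped.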


Categories: Certification, SSL, VCAP Tags:

VCAP-CIA objective 2.2 – Manage vSphere storage resources

July 28th, 2013 No comments

The blueprint states the following skills needed to cover this objective.

  • Decommission storage
  • Create and manage storage profiles

Decommissioning storage can prove to be tricky when done wrong, as this might put your host into an APD (all paths down) state. APD handling has been improved a lot in ESXi 5.1, which is used in the exam, but you should still remove the storage correctly in order not to risk losing points or, even worse, a host during your exam.

The following KB article shows the correct procedure, which includes unmounting the datastore and detaching the device. If the storage device is an NFS share, all that is needed is the unmount.

Unmounting a LUN or detaching a datastore/storage device from multiple ESXi 5.x hosts



This covers the vSphere side of things. If asked to decommission a datastore from vCloud Director you will need to disable the datastore and remove it from all Provider vDCs. This can be achieved by editing the corresponding storage profile so that it no longer contains the datastore. If the “* (Any)” profile is used it will be sufficient to remove the datastore on the vSphere level. In the screenshots below we are going to disable the iSCSI16GB datastore, so that no new VMs can be deployed to it anymore. Afterwards we are going to remove it from the Provider vDC by editing the storage capabilities of the datastore on the vSphere level, so that it is no longer contained in the corresponding iSCSI storage profile.






The creation and management of storage profiles is done at the vSphere level. Once you have created and enabled storage profiles they can be assigned to a Provider vDC and to Organization vDCs. This process is described in the vCloud Director Administrator’s Guide on pages 49 and 63 of the English version. Additional information can be found in the following blog posts.

The first step is to enable storage profiles on the clusters or hosts used for vCloud Director.



If your storage is not VASA (vSphere Storage APIs - Storage Awareness) capable you will need to create user-defined capabilities first.



The third step is assigning these capabilities to your datastores.


The final step is actually creating the storage profiles.



Your datastores are now mapped to the profiles by the assigned capabilities, which covers the vSphere side of things. You are now ready to use these storage profiles in vCloud Director. You will be able to choose them during the creation of a Provider vDC. If you want to edit an already existing Provider vDC to use newly created storage profiles you can do so in the Manage and Monitor tab.


Categories: Certification, VCAP Tags: