To remove the opportunity for a Man-in-the-Middle (MiTM) attack during initial deployment, VMware has introduced a security feature that validates the SSH RSA fingerprint and SSL thumbprint of both vCenter Server and VxRail Manager, along with the SSH fingerprints of the ESXi hosts, before Cloud Builder proceeds.

This feature can be enabled/disabled from within the VCF On VxRail Deployment Parameter Workbook:

How To Gather The Prints

The instructions below show how to collect the prints and how to enter them in the VCF On VxRail Deployment Parameter Workbook. As a result, Cloud Builder can later verify that the hosts it connects to during deployment present exactly these keys. Begin by launching an SSH connection to the Cloud Builder appliance using the ‘admin’ credentials:

Working through the parameter workbook list, I first gather the VxRail Manager prints (the FQDN in this example is vcfmgmtvxrmgr.cse.lab):

  • ssh-keygen -lf <(ssh-keyscan vcfmgmtvxrmgr.cse.lab 2>/dev/null)
  • openssl s_client -connect vcfmgmtvxrmgr.cse.lab:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin

vCenter prints (the FQDN in this example is vcfmgmtvc.cse.lab):

  • ssh-keygen -lf <(ssh-keyscan vcfmgmtvc.cse.lab 2>/dev/null)
  • openssl s_client -connect vcfmgmtvc.cse.lab:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin

ESXi host SSH fingerprints:

NOTE: Ensure the SSH service has been started on each ESXi host; otherwise ssh-keyscan returns nothing and ssh-keygen reports the following error: /dev/fd/63 is not a public key file

  • ssh-keygen -lf <(ssh-keyscan vcfesxi01.cse.lab 2>/dev/null)
  • ssh-keygen -lf <(ssh-keyscan vcfesxi02.cse.lab 2>/dev/null)
  • ssh-keygen -lf <(ssh-keyscan vcfesxi03.cse.lab 2>/dev/null)
  • ssh-keygen -lf <(ssh-keyscan vcfesxi04.cse.lab 2>/dev/null)

Populating the VCF On VxRail Deployment Parameter Workbook with the respective prints:
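As an added worked example (my own code, not from the original post, VMware or Dell), the following Python reproduces offline what the two command pipelines above compute and what Cloud Builder later checks: the `ssh-keygen -lf` value is SHA-256 over the raw SSH key blob, base64-encoded with the `=` padding dropped, and the `openssl x509 -sha256 -fingerprint` value is SHA-256 over the certificate's DER bytes as colon-separated uppercase hex. It then compares workbook entries against freshly scanned values the way the deployment-time validation does, treating a single changed byte in a host key as a mismatch. All key parameters and the certificate body are constructed placeholders, not real host keys or certificates; the host names reuse the post's examples. One practical note: `ssh-keyscan` without `-t` returns every host key type the server offers and `ssh-keygen -lf` fingerprints each line, so pick the `(RSA)` line for the workbook's RSA field.

```python
import base64
import hashlib
import hmac
import struct


# --- SSH wire-format helpers (RFC 4251 string / mpint encodings) ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # (bit_length + 8) // 8 adds a leading 0x00 byte exactly when the high bit is set
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def keyscan_line_for(host: str, e: int, n: int) -> str:
    """Build the line `ssh-keyscan -t rsa <host>` would print for an RSA key (e, n).
    Used here only to create constructed, offline sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


# Constructed toy key material: NOT a real host key, far too small to be one.
SAMPLE_E = 65537
SAMPLE_N = 0xC0FFEE_DEADBEEF_0123456789ABCDEF
SAMPLE_KEYSCAN_LINE = keyscan_line_for("vcfmgmtvxrmgr.cse.lab", SAMPLE_E, SAMPLE_N)

# Constructed PEM wrapper around arbitrary bytes: NOT a real certificate. The
# thumbprint is defined over whatever DER bytes sit between the markers.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def ssh_fingerprint_sha256(keyscan_line: str) -> str:
    """Same value `ssh-keygen -lf` prints for a keyscan line:
    SHA256 over the base64-decoded key blob, base64 output with '=' padding removed."""
    _host, _keytype, b64 = keyscan_line.split()[:3]
    blob = base64.b64decode(b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def tls_thumbprint_sha256(pem: str) -> str:
    """Same value `openssl x509 -sha256 -fingerprint -noout` prints:
    SHA-256 over the DER bytes, as colon-separated uppercase hex."""
    body = "".join(
        line.strip() for line in pem.strip().splitlines() if not line.startswith("-----")
    )
    der = base64.b64decode(body)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def _normalise(value: str) -> str:
    v = value.strip()
    if v.startswith("SHA256:"):        # ssh-keygen style: base64 is case-sensitive, keep as printed
        return v
    if "=" in v:                       # whole openssl line pasted: "SHA256 Fingerprint=AB:CD:..."
        v = v.split("=", 1)[1]
    return v.replace(":", "").upper()  # hex thumbprint: separators and case carry no meaning


def prints_match(expected: str, observed: str) -> bool:
    """Compare a workbook entry with a freshly scanned value, tolerant of the
    formatting differences that arise from copy/paste, in constant time."""
    return hmac.compare_digest(_normalise(expected).encode(), _normalise(observed).encode())


def find_mismatches(workbook: dict, observed: dict) -> list:
    """Hosts whose scanned print differs from (or is missing against) the workbook entry;
    any non-empty result is the condition under which deployment must not proceed."""
    return sorted(
        host for host, expected in workbook.items()
        if host not in observed or not prints_match(expected, observed[host])
    )


if __name__ == "__main__":
    print("VxRail Manager SSH :", ssh_fingerprint_sha256(SAMPLE_KEYSCAN_LINE))
    print("VxRail Manager TLS :", tls_thumbprint_sha256(SAMPLE_PEM))
```

Run the file directly to print the two sample prints; in practice you would feed it the real `ssh-keyscan` lines and the PEM from `openssl s_client` and compare the results with what was typed into the workbook before uploading it to Cloud Builder.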
