(Optional) Select Generate New Security ID (SID) and click Next. A Windows Security ID (SID) is used in some Windows operating systems to uniquely identify systems and users. If you do not select this option, the new virtual machine has the same SID as the virtual machine or template from which it was cloned or deployed. Dec 09, 2014  Replace vCenter Self-Signed Certificates. The following steps pretty much come directly from VMware KB 2094742. Generate a New Self Signed Certificate for vCenter (If you already have a new Certificate go to Step 2 – Replace and Re-register the Certificates). ProgramDataVMwareVMware VirtualCenterssl sso.key. We use cookies for advertising, social media and analytics purposes. Read about how we use cookies and how you can control them here.If you continue to use this site, you consent to. Feb 17, 2011 Tech support scams are an industry-wide issue where scammers trick you into paying for unnecessary technical support services. You can help protect yourself from scammers by verifying that the contact is a Microsoft Agent or Microsoft Employee and that the phone number is an official Microsoft global customer service number. May 23, 2018  Contribute to vmware/PowerCLI-Example-Scripts development by creating an account on GitHub. Obtain a vSphere license key and assign the key to the ESXi host. Verify that the edition of the license key matches the configured features and resources on the host. If they do not match, you cannot assign the license key. The license of the host is expired.

When automating software and infrastructure, it is not uncommon to need to supply a user id and password for installation or other operations. While it is certainly possible to pass these plaintext credentials directly in the state, this is not best practice.

There are several issues with this approach.

States are accessible to all minions, so using the example state file above, not only does your mysql host have access to the password, but all your salt managed hosts. Additionally, in the world of infrastructure-as-code, we have to assume that it is checked into source control, and the plaintext password is now accessible to anyone with repository access. As a last point, even if all this was acceptable, a pillar is a more appropriate place to store this information because it provides flexibility to do things like have a different password for frank in dev/test/prod environments.

Luckily we can address all these issues by using the SaltStack GPG renderer. It provides secure encryption/decryption of pillar data, limited to only those minions that absolutely require it.

Generate key pair on Salt Master

Generating a key pair takes a certain amount of entropy, or randomness. Especially on a virtualized machine, you can find that not enough operations have been executed to generate GPG keys. Installing the ‘rng-tools’ package can address this issue [1,2]. For Ubuntu, run the following:

Then generate the key pair:

The gpg utility will ask several questions, you can customize or accept the default values for RSA key size of 2048 with no expiration. Then when it asks for real name, this is the identifier for your key and it is common to use the hostname. You can leave email address and comment blank by just pressing <ENTER>. Then when it asks for a passphrase, just press <ENTER> again twice. If you specify a passphrase, it won’t work with Salt because Salt works in non-interactive mode.

At this point you will have the following files in your /etc/salt/gpgkeys directory: pubring.gpg, pubring.gpg~, random_seed, secring.gpg, and trustdb.gpg.

The list of keys stored in the general GPG keyring as well as our new directory can be see with the commands below.

When you list the keys in /etc/salt/gpgkeys, you should see that one of them has the identifier you typed as the ‘Real name’ when generating the key pair. This is the identifier used in future operations.

Key Distribution

At this stage, it is a good idea to export your private key for safe keeping and export your public key for general distribution.

You will want to put this secret key into the best secure, encrypted-at-rest solution you have (whether this is a USB stick in a vault or Thycotic). And then export the public key, which you can check into source control or distribute in any way you choose.

Now import the public key we just generated into the general public key keyring:

The resulting output will tell you that one key was imported, and then it will show you the identifier used, which corresponds to the ‘Real name’ used when generating the key pair.

Encrypt a Secret

To encrypt a secret, run gpg, being sure to pass the identifier (i.e. Real name) as a parameter so it knows which key to use. My identifier is ‘saltserver’, obviously you need to replace this with yours.

Error Generating Key Null Salt Vmware Download

The resulting output will be a Base64 encoded message that can be put into a pillar sls file. If instead of a string, you have a file such as a private ssh key that needs encoding the command would look like this:

Encoded Secret in Pillar

When creating the pillar .sls file, you need to do a couple of things. First, specify the rendering order in the first shebang line so that gpg is done last. And then when you specify a multiline string using the pipe, make sure you add the proper number of spaces so that yaml indentation is honored (the line below are truncated because long lines messed up the blog formatting).

Now, if you assign this pillar to a minion (e.g. ‘myminion’), you should be able to see the unencrypted value if you list the pillar values:

Or directly from the salt minion, you can see the unencrypted value.

4d number prediction software free. Note that only the minions that are assigned this pillar would have access to the secret.

Using the secret in a state file

To use this encrypted value in a state, you need to pull it from the pillar, as shown below.

Error Generating Key Null Salt Vmware 10

As stated earlier, all minions have access to state files, but now the secret is no longer divulged in the .sls, and unless a minion is assigned the pillar, the value will be empty.

REFERENCES

If you get error messages in your Salt execution that GPG cannot be found, make sure you install the python-gnupg package.

NOTES

GPG for encryption/decryption without SaltStack Windows 7 key generator no download.