ESXi CIM Permissions


Using HP’s IRS (Insight Remote Support) to monitor your ESXi nodes' hardware?

Setting this up was not as straightforward as you would think it should be. It turns out that the permissions outlined on VMware’s site here are not enough to get HP’s IRS to work.

Use this script to configure the correct accounts and permissions.

<#
.SYNOPSIS
Usage :
.\irs_usr_role.ps1 -filename *.csv
.DESCRIPTION
This script must be used to grant HP IRS access to individual ESXi nodes.

.NOTES
File Name : irs_usr_role.ps1
Author : Xana Cloete - xana.cloete@gmail.com
Requires : PowerShell v3, VMware vSphere PowerCLI 5.5 or later
Version : 1.0
.LINK
#>

Param ([string]$filename)

################################
# Global environment variables #
################################
$esxi_user = "root"
$esxi_pass = "yourpass"
# The next three values are used below but were never defined in the script.
# They are placeholders: set your own account name, password and role name.
$irs_user = "hpris"
$irs_pass = "yourirspass"
$vi_role = "HP_IRS_CIM"
# Adjust both paths to where you placed cmd.txt and plink.exe.
$command = ".\Script\ESXi\cmd.txt"
$putty_exe = ".\Script\ESXi\plink.exe"
$esxi_hosts = Import-Csv $filename

foreach ($esxi_host in $esxi_hosts){
    try {
        Connect-VIServer $esxi_host.name -User $esxi_user -Password $esxi_pass -ErrorAction:Stop
    }
    catch {
        "Unable to connect to the ESXi node. Please check node connectivity"
        # Skip this host: every step below needs a live connection.
        continue
    }

    # Start the SSH service
    Get-VMHost -Name $esxi_host.name | Get-VMHostService | Where-Object {$_.Key -eq "TSM-SSH"} | Start-VMHostService

    # Create the hpris user account on the ESXi node.
    New-VMHostAccount -Id $irs_user -Password $irs_pass -GrantShellAccess:$false

    # Create a new role with CIM privileges
    New-VIRole $vi_role -Privilege "CIM","System Management"

    # Assign the hpris user account the role we just created.
    Get-VMHost | New-VIPermission -Principal $irs_user -Role $vi_role -Propagate:$true

    # SSH to the host and apply some security restrictions to the new user.
    # Note: "echo y" answers plink's host-key prompt, so the key is accepted without being
    # verified, and -pw puts the root password on the command line.
    $ssh_host = $esxi_host.name
    echo y | & $putty_exe -ssh "root@$ssh_host" -P 22 -pw $esxi_pass -m $command

    # Stop the SSH service
    Get-VMHost -Name $esxi_host.name | Get-VMHostService | Where-Object {$_.Key -eq "TSM-SSH"} | Stop-VMHostService -Confirm:$false

    # Disconnect from the ESXi node.
    Disconnect-VIServer -Confirm:$false
}

Before executing the script you will need these files in the root of the script:

  • Source input file containing the host DNS or IP info. You can get a sample here (sample)
  • plink.exe is required to execute some commands on the ESXi node. You can get that here.
  • You need a text file that contains all the commands that are executed remotely on the ESXi node. You can get a sample here (cmd.txt)
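
To confirm what the script left behind on each host, the following read-only audit is an added example, not part of the original script or of HP's or VMware's tooling. It assumes the same CSV with a "name" column; the account and role names ("hpris", "HP_IRS_CIM") are placeholders that must match the values you configured.

```powershell
# Added example: read-only audit of the account, role and SSH state on each host.
Param ([string]$filename)

$irs_user = "hpris"        # assumed account name; match the one you created
$vi_role  = "HP_IRS_CIM"   # placeholder role name; match the one you created
# Prompt for the root password instead of storing it in the file.
$cred = Get-Credential -UserName "root" -Message "ESXi root credentials"

$report = foreach ($esxi_host in (Import-Csv $filename)) {
    try {
        $conn = Connect-VIServer $esxi_host.name -Credential $cred -ErrorAction Stop
    }
    catch {
        [pscustomobject]@{ Host = $esxi_host.name; Reachable = $false }
        continue
    }
    try {
        $account = Get-VMHostAccount -Server $conn -Id $irs_user -ErrorAction SilentlyContinue
        $role    = Get-VIRole -Server $conn -Name $vi_role -ErrorAction SilentlyContinue
        $perm    = Get-VIPermission -Server $conn -Principal $irs_user -ErrorAction SilentlyContinue
        $ssh     = Get-VMHost -Server $conn | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }
        # Privilege IDs held by the role (System.Anonymous, System.Read and
        # System.View are part of every role, so expect them in the list).
        $privs   = if ($role) { (Get-VIPrivilege -Server $conn -Role $role).Id | Sort-Object } else { @() }

        [pscustomobject]@{
            Host          = $esxi_host.name
            Reachable     = $true
            AccountExists = [bool]$account
            ShellAccess   = [bool]$account.ShellAccessEnabled
            RoleAssigned  = ($perm.Role -contains $vi_role)
            Privileges    = $privs -join ", "
            SshRunning    = [bool]$ssh.Running
        }
    }
    finally {
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}

# Hosts that need attention: unreachable, missing pieces, shell access granted, or SSH left on.
$report | Where-Object {
    -not $_.Reachable -or -not $_.AccountExists -or -not $_.RoleAssigned -or $_.ShellAccess -or $_.SshRunning
} | Format-List
$report | Format-Table Host, Reachable, AccountExists, RoleAssigned, ShellAccess, SshRunning -AutoSize
```

The Privileges column in the detailed output shows exactly what the role grants, which is the place to check that it holds no more than the CIM and system management privileges the script requested.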

 

 
