Vmware html5 console support

I am interested in support for the html5 console for vmware in place of the
vnc console. I have a proof of concept of sorts by overwriting the
vm_console call in compute_resources_vms_helper.rb. The gist of it is a
url that looks like this:

html5_link =
"https://#{vcenter_url}:9443/vsphere-client/webconsole.html?vmId=#{vm.mo_ref}&vmName=#{vm.name}&serverGuid=#{server_guid}&locale=en_US&host=#{vcenter_url}:443&sessionTicket=cst-VCT&thumbprint=#{cert_sha1_thumbprint}"

The vm variables are all natively supported. I am not sure if the server
guid and server certificate sha1 thumbprint are collected.

This should be supported in vcenter 6+, possibly 5.5+. I would be happy to
work on a better implementation than my hack, if there is interest and I
could get some guidance on what might be the best way to implement this.

Thanks,

Mike E.
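
An added example, not part of the original post and not Foreman code: the URL from the post built with every query value percent-encoded, next to the plain interpolation, to show what a VM name containing `&` or `#` does to the link. The module name, the validation patterns and the sample values are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper, not Foreman code. Parameter names and the URL layout
# are taken from the post; the validation patterns are assumptions.
module Html5ConsoleLink
  HOSTNAME   = /\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/i
  MO_REF     = /\Avm-\d+\z/                 # assumed shape, e.g. "vm-221"
  THUMBPRINT = /\A(?:\h{2}:){19}\h{2}\z/    # colon-separated SHA-1

  # Interpolation as in the post: values go into the URL unencoded.
  def self.naive(host, mo_ref, name, guid, thumb)
    "https://#{host}:9443/vsphere-client/webconsole.html?vmId=#{mo_ref}" \
      "&vmName=#{name}&serverGuid=#{guid}&locale=en_US&host=#{host}:443" \
      "&sessionTicket=cst-VCT&thumbprint=#{thumb}"
  end

  # Same URL, but inputs are validated and every value is percent-encoded.
  def self.build(host, mo_ref, name, guid, thumb)
    raise ArgumentError, 'invalid vCenter host' unless host.match?(HOSTNAME)
    raise ArgumentError, 'invalid mo_ref' unless mo_ref.match?(MO_REF)
    raise ArgumentError, 'invalid thumbprint' unless thumb.match?(THUMBPRINT)

    query = URI.encode_www_form(
      vmId: mo_ref, vmName: name, serverGuid: guid, locale: 'en_US',
      host: "#{host}:443", sessionTicket: 'cst-VCT', thumbprint: thumb
    )
    "https://#{host}:9443/vsphere-client/webconsole.html?#{query}"
  end

  # Query parameters as the page receiving the link would parse them.
  def self.params(url)
    URI.decode_www_form(URI.parse(url).query).to_h
  end
end

# Constructed sample input (placeholder host, GUID and thumbprint).
ARGS = ['vcenter.example.com', 'vm-221', 'db&cache#1',
        '409ff155-d714-4853-bda5-c076d47572ad',
        (['AA'] * 20).join(':')].freeze

p Html5ConsoleLink.params(Html5ConsoleLink.naive(*ARGS))  # vmName cut short
p Html5ConsoleLink.params(Html5ConsoleLink.build(*ARGS))  # all seven intact
```

With the plain interpolation, everything after the `#` in the VM name becomes a URL fragment, so serverGuid, host and thumbprint never reach the console page.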

> I am interested in support for the html5 console for vmware in place of
> the vnc console. I have a proof of concept of sorts by overwriting the
> vm_console call in compute_resources_vms_helper.rb. The gist of it is a
> url that looks like this:
>
> html5_link =
> "https://#{vcenter_url}:9443/vsphere-client/webconsole.html?vmId=#{vm.mo_ref}&vmName=#{vm.name}&serverGuid=#{server_guid}&locale=en_US&host=#{vcenter_url}:443&sessionTicket=cst-VCT&thumbprint=#{cert_sha1_thumbprint}"
>
> The vm variables are all natively supported. I am not sure if the server
> guid and server certificate sha1 thumbprint are collected.
>
> This should be supported in vcenter 6+, possibly 5.5+. I would be happy
> to work on a better implementation than my hack, if there is interest and I
> could get some guidance on what might be the best way to implement this.
>

Awesome! I assume this might create connection issues? e.g. clients need to
be connected directly into vmware and possibly certificate errors?

Looking forward to a pull request?

thanks,
Ohad

On Sat, May 6, 2017 at 1:09 AM, Michael Eklund wrote:

> Thanks,
>
> Mike E.


You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No cert issues, but we have valid certificates for our vcenter server, and
I am opening a whole new window, not a foreman window with an embedded page.

Here is the code snippet I am using. I don't think that I have access to
the VCenter Server GUID, or its certificate SHA1 thumbprint. Since I am
feeding the url an invalid session ticket, it just sees it as an expired
connection and prompts for password unless you happen to have an open
session to vcenter in your browser, then it sails right on through.

{
diff compute_resources_vms_helper.rb.bak compute_resources_vms_helper.rb
16,17c16,26
< link_to_if_authorized(_("Console"),
hash_for_console_host_path().merge(:auth_object => host, :permission =>
'console_hosts'),
< { :class => "btn btn-info" })

··· --- > vcenter_url ='vcenter.example.com' #this is an example url > server_guid = '409ff155-d714-4853-bda5-c076d47572ad' #this is a generated GUID > cert_sha1_thumbprint = 'AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA' # this is a fake thumbprint > html5_link = "https://#{vcenter_url}:9443/vsphere-client/webconsole.html?vmId=#{vm.mo_ref}&vmName=#{vm.name}&serverGuid=#{server_guid}&locale=en_US&host=#{vcenter_url}:443&sessionTicket=cst-VCT&thumbprint=#{cert_sha1_thumbprint}" > link_to(_("Console"), html5_link, { :class => "btn btn-info"}) }
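
Review bot: the added `link_to(_("Console"), html5_link, ...)` line replaces `link_to_if_authorized(...)` with `:permission => 'console_hosts'`, so the Console button is now rendered without the permission check the removed lines performed; wrap the new link in the same `console_hosts` authorization before it is shown. In the `html5_link` line, `vm.name` is interpolated into the query string unencoded, so a name containing `&`, `#` or a space yields a broken or altered URL; percent-encode each value (for example with `CGI.escape`). `vcenter_url`, `server_guid` and `cert_sha1_thumbprint` are hard-coded literals in the helper and should come from the compute resource rather than the view code.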

On Monday, May 8, 2017 at 3:09:58 AM UTC-5, ohadlevy wrote:

> Awesome! I assume this might create connection issues? e.g. clients need
> to be connected directly into vmware and possibly certificate errors?
>
> Looking forward to a pull request?
>
> thanks,
> Ohad

Sorry about the format fail. :frowning:

Mike,

This sounds very interesting. If I got that right, you can even generate a
pre-authenticated console url that is valid only once. [1]

Foreman could use the compute resource's permission to generate such a
link and then redirect the user to that url without leaking the compute
resource's credentials.

If you're fine with this and time allows, I'll try to create a PR for
this. Would you be able to test this?

Timo

I would be happy to help with testing. IMO this is a killer feature.

On Monday, May 8, 2017 at 10:48:36 AM UTC-5, Timo Goebel wrote:

> Mike,
>
> This sounds very interesting. If I got that right, you can even generate a
> pre-authenticated console url that is valid only once. [1]
>
> Foreman could use the compute resource's permission to generate such a
> link and then redirect the user to that url without leaking the compute
> resource's credentials.
>
> If you're fine with this and time allows, I'll try to create a PR for
> this. Would you be able to test this?
>
> Timo

Probably should keep in mind that you may not want all foreman users
connecting to your VCenter with the permissions that foreman uses though.
Not really a problem in our environment but may be with others.

I am not that worried about having to enter my vcenter credentials if
needed.

Mike E


Looks like the link is simplified further if you are using the remote
client as well:

vmrc://vcenter.example.com/?moid=vm-221

You only need the vm.mo_ref. Though you will be prompted for vcenter
username/password.

They support linux, mac, and windows and it can be downloaded here:

https://my.vmware.com/en/web/vmware/details?downloadGroup=VMRC90&productId=491


If you have not found it, here is an article about generating an auth'd
ticket with example perl script.


I created some code to test this. [1] Unfortunately pre-authentication does
not work with vsphere > 6 as it always requires SSO.

Great idea, but it does not work.

Timo

[1] https://gist.github.com/timogoebel/c8a915dc4fae9b79c8733cc7a2796038

On Monday, May 8, 2017 at 18:27:58 UTC+2, Michael Eklund wrote:

> I would be happy to help with testing. IMO this is a killer feature.

For us, being prompted for a password is not a dealbreaker. I have a pet
project to investigate using vcenter SSO for 3rd party logins down the
line, so that might be something that can benefit foreman as well.

Mike E.

On Tuesday, May 9, 2017 at 4:56:09 AM UTC-5, Timo Goebel wrote:

> On Monday, May 8, 2017 at 18:27:58 UTC+2, Michael Eklund wrote:
>> I would be happy to help with testing. IMO this is a killer feature.
>
> I created some code to test this. [1] Unfortunately pre-authentication
> does not work with vsphere > 6 as it always requires SSO.
>
> Great idea, but it does not work.
>
> Timo
>
> [1] https://gist.github.com/timogoebel/c8a915dc4fae9b79c8733cc7a2796038