Baseline groups with powercli


Ok, i have no idea how EXACTLY that works, nobody could explain this to me, including my vmware TAM. But this it what i came up with. It’s only useful i suppose when you are dealing with a lot of update managers/baselines groups.

$JSESSION is something that comes up in your cookie after you have logged in to your webclient. You can install an addon into your chrome/firefox/etc… that shows you your cookies . I could not figure out how to obtain JSESSION variable automatically.  I used HTML5 webclient + fiddler in order to check how the calls were made and tried to reproduce them. Everything works as expected .

code:

 


function get-VUMnodeid($VC,$JSESSION){
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$JSESSION= $JSESSION -replace ";"
$uri = 'https://'+$VC+'/ui/vum-ui/rest/vcenters'
$cookie = New-Object System.Net.Cookie
$cookie.Name='JSESSIONID'
$cookie.Value=$JSESSION
$cookie.Domain = 'cookie.domain.something.com'
$session = New-object Microsoft.PowerShell.Commands.WebRequestSession
$session.Cookies.Add($Cookie)
#Invoke-WebRequest -uri $uri -WebSession:$session
$request = ((Invoke-WebRequest -uri $uri -WebSession:$session).Content |convertfrom-Json).GetEnumerator() | ?{$_.name -eq $VC}
return $request.nodeid
}
function get-baselinegroup($VC,$JSESSION){
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$JSESSION= $JSESSION -replace ";"
$vumid = get-VUMnodeid -vc $VC
$uri = 'https://'+$VC+'/ui/vum-ui/rest/nodes/'+$vumid+'/baselineGroups/'
$session = New-object Microsoft.PowerShell.Commands.WebRequestSession
#$cookiestr = 'Cookie: JSESSIONID=C164315B4958845216338B7C3F568090;'
#$cookiestr = 'Cookie: JSESSIONID=AE57E580958B38E21D2B892840BC8A6D; JSESSIONID=60F391E14417C6D581A34BBF01E03DF0; VSPHERE-UI-XSRF-TOKEN=7fff48d9-54fc-4244-98ba-4a7513858476; VSPHERE-USERNAME=gregk%40management.is; VSPHERE-CLIENT-SESSION-INDEX=_ea276e26b355abc989243d26ecbd4958; _pk_id.1.da8d=65733ab98c5fe089.1548769895.4.1549275686.1549271755..a6c285c80359fd81a3dbc83835bbca941eae248ec84b999da3d8fe12190ebb39'
#$cookiestrarray = $cookiestr.split()|?{$_ -match 'JSESSION'} |% {$_ -replace ";"}|%{$_.split('=')[1]}
$cookie = New-Object System.Net.Cookie
$cookie.Name='JSESSIONID'
$cookie.Value=$JSESSION
$cookie.Domain = $VC
$session.Cookies.Add($Cookie)

$session.headers.Add('Accept-Language',' en-US,en')
$session.headers.Add('Accept-Encoding','application/json')
#Invoke-WebRequest -uri $uri -WebSession:$session
write-host $uri
$request = ((Invoke-WebRequest -uri $uri -WebSession:$session).Content |convertfrom-Json).GetEnumerator()
return $request
}

 
function Get-BaselinegroupBaselines($VC,$BGid,$JSESSION){
$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
#cookiestr the JSESSIONID has to be the right one
$vumid = get-VUMnodeid -vc $VC
$uri = 'https://'+$VC+'/ui/vum-ui/rest/nodes/'+$vumid+'/baselineGroups/'+$BGid
$session = New-object Microsoft.PowerShell.Commands.WebRequestSession
#$cookiestr = 'JSESSIONID=C164315B4958845216338B7C3F568090;'

$JSESSION= $JSESSION -replace ";"
$cookie = New-Object System.Net.Cookie
$cookie.Name='JSESSIONID'
$cookie.Value=$JSESSION
$cookie.Domain = $VC
$session.Cookies.Add($Cookie)

$session.headers.Add('Accept-Language',' en-US,en')
$session.headers.Add('Accept-Encoding','application/json')

$parentBG = (Get-Baselinegroup -jsession $JSESSION -vc $vc|?{$_.id -eq $bgId}).Name
$request = ((Invoke-WebRequest -uri $uri -WebSession:$session).Content |convertfrom-Json).Updates | select -unique -property baselineName| select *, @{n='parentBG';e={$parentBG}}
return $request
}

$VC should be your virtualcenter at which VUM is registered, your VC can be in linked mode as well. When you will open fiddler you will see that you can translate even creating baselinegroups , add something to baseline groups etc etc.. All we have to have is that JSESSION cookie with us. Heh.. before that i automated even Internet Explorer to get this cookie automatically but i failed at it ,as i could not get THAT PARTICULAR JSESSION cookie, i saw other cookies but not jsession so i gave up, and if i have to do now work at a lot of baselinegroups i just catch that JSESSION from cookie in browser addon.

4 thoughts on “Baseline groups with powercli

  1. This looks great and will actually fill a huge hole in what I’m trying to do. Unfortunately I need to manage ~20+ VUM patches, baselines, and baseline groups across multiple regions. I wrote a powershell script that will sync all of the baselines (patches must be uploaded manually to each vCenter) but that doesn’t fix my baseline groups issue.

    Did you ever write additional functions for this? The “easy” way would be to create a new baseline group on the “source” vCenter and create net-new BGs on each vCenter but then all of the groups would need to be re-attached. I’m hoping that you wrote an “edit” (add and remove) function so I can simply edit the existing BGs.

    Let me know if you have it, if not I’ll try and play around with it if I get a chance and post back here if I get anywhere. Thanks!

    • Hi there, yes i had the same ‘project’ to do as well, i have written a script that makes 1 VC as master server for baseline groups and the rest are following it in sense of baseliengroups/baselines/patches. In my case it was a sync , so basically if the destination BG does not match it means somebody put his fingers in bad place, hence -> delete/sync make new BG as per source VC. Unfortunately, i don’t have the source code. I would have to write it again. In order to write it from scratch that would take me around 8-16 hours ,i can tell you right now that i don’t have that much of free time. It’s not that hard, for the add/remove/new methods you just need to inspect fiddler for this and this will be shown.

    • Ok, so not to leave you without anything 😉 i spent few minutes to get you the calls:
      New empty BG:
      {
      “name”: “EmptyBG”,
      “description”: “DescForEmptyBG”,
      “upgradeBaselineId”: null,
      “patchBaselineIds”: [],
      “extensionBaselineIds”: [],
      “contentVersions”: []
      }
      on /ui/vuim-ui/rest/nodes/nodeIDhere/baselinesGroups?create=

      The update with adding 1 baseline :
      {
      “name”: “EmptyBG”,
      “description”: “DescForEmptyBG”,
      “upgradeBaselineId”: null,
      “patchBaselineIds”: [],
      “extensionBaselineIds”: [],
      “contentVersions”: []
      }
      on on /ui/vuim-ui/rest/nodes/nodeIDhere/baselinesGroups/3?update=

      removing baselines from the BG is similar to adding as you are passing the entire array of patches ids.

      {
      “name”: “EmptyBG”,
      “description”: “DescForEmptyBG”,
      “upgradeBaselineId”: null,
      “patchBaselineIds”: [],
      “extensionBaselineIds”: [],
      “contentVersions”: []
      }
      on on /ui/vuim-ui/rest/nodes/nodeIDhere/baselinesGroups/3?update=
      So as you see, Add/Remove stuff from BG is still the same , and i would call it ‘edit’ in general, as it requires just a list of patchIDs that’s it. So its for you to make the list.

  2. Thank you so much for this info, I’m working to do some automation and management around VUM & multiple vC’s as well, im trying to automate the jsessionID part – what a pain in the ass! Did you ever make any headway in getting this cookie after generation? I tried multiple ways (IE automation trials, rest calls, etc) similar to what you had mentioned hoping for a “lighting in a bottle” scenario, but no dice. I can get the cookie generated to /ui/vum-ui, but it’s never authorized because the initial call fails to generate the actual security token (i’m guessing here) – I thought that maybe you’d have to pass the full VSPHERE-UI-XSRF-TOKEN, VSPHERE-CLIENT-SESSION-INDEX, _pk_ses… in as a header or ‘cookie’ to try and authorize the /ui/vum-ui jsessionID to function, but I can’t figure out how to get them as they are generated at PSC/SSO login, and I simply don’t know the structure well enough, even with fiddler running, to capture or recreate that call and grab that data via invoke-webrequest or invoke-restmethod.

    Anyone have any other ideas? Everything else works beautifully! I just can’t fully automate the damn thing!

    In insight would be much appreciated! Thanks again!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s