Configuring WinRM on Hyper-V and Azure Stack HCI hosts

Configure Windows Remote Management to allow the License Metric Tool server to gather data about virtualization topology of virtual machines installed in your infrastructure.

Before you begin

  • To retrieve the data that is required to properly calculate PVU, you must have access to the local administrator account on the Hyper-V or Azure Stack HCI host. It is necessary because the Windows Management Instrumentation call that accesses MsCluster namespace requires an administrative account.
  • WinRM is accessed in the read-only mode. License Metric Tool does not modify the Hyper-V or Azure Stack HCI settings and does not affect them in any other way. The obtained data is stored in the License Metric Tool database.

About this task

The WinRM service is an implementation of WS-Management specification that enables cooperation between hardware and operating systems that come from different vendors. The License Metric Tool server connects to WinRM that is defined as a VM manager by means of the VM Manager Tool and collects data about virtualization hierarchy. Perform the following procedure on each Hyper-V or Azure Stack HCI host in your infrastructure, including the hosts that are part of a cluster, to ensure that the WinRM service is running and configured and to enable communication with the License Metric Tool server.

Procedure

  1. Defining HTTP and HTTPS listeners. Communication with the WinRM service might be enabled or disabled by default depending on the version of Windows. To check whether any listeners are currently defined, type the following command: winrm enumerate winrm/config/listener. If no output is returned, no listeners are defined.
    1. To define the default HTTP listener, type the following command: winrm quickconfig.
      The command performs the following actions:
      • Starts the WinRM service and sets it to start automatically with the system start.
      • Creates an HTTP listener on the default port (accepting requests from any IP).
      • Defines Internet Connection Firewall exceptions for the service.
      • Opens the HTTP port. Depending on the version of the WinRM service, the default HTTP port might be 80 or 5985.
      For more information, see: Installation and Configuration for Windows Remote Management.
    2. To define a listener for secure connection (HTTPS), you must have a valid certificate on the Hyper-V or Azure Stack HCI host with a CN that matches the host name that you are using to connect to Hyper-V or Azure Stack HCI. You must also create a listener with the CertificateThumbprint of that certificate. For more information, see the Microsoft documentation: http://support.microsoft.com/kb/2019527. You might be able to create a self-signed certificate for testing purposes; however, you should consult your certificate administrator.
      Note: If an appropriate certificate is not found on the machine, the above command does not work and the following output is returned: The certificate must have a CN matching the host name, be appropriate for Server Authentication, and not be expired, revoked, or self-signed. If you need to configure the WinRM Listener to use a self-signed certificate, run the following command.
      winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="<the name of your server>";CertificateThumbprint="<certificate thumbprint>"}
      In this case, you must configure the firewall settings manually.
  2. Enabling WinRM Negotiate authentication scheme. The WinRM service offers several authentication schemes to be used to authenticate the client side. The VM Manager Tool uses the Negotiate authentication scheme, which is enabled by default.
    1. To check the current setting of this property, run the following command.
      winrm get winrm/config/service/auth
    2. To set the required value of this property, run the following command.
      winrm set winrm/config/service/auth @{Negotiate="true"}
  3. Setting WinRM AllowUnencrypted and AllowRemoteAccess properties. The server requires these properties to be set to true.
    1. To check the current settings, run the following command.
      winrm get winrm/config/service
    2. To set the required values of these properties, run the following command.
      winrm set winrm/config/service @{AllowUnencrypted="true"}
      winrm set winrm/config/service @{AllowRemoteAccess="true"}
      Note: Setting this value to true does not mean that sensitive data, such as user names or passwords, will be passed in an unencrypted form over the network. Only the content of the SOAP messages will be sent as plain text. If this cannot be accepted for security reasons, define the HTTPS listener and use the secured transport (HTTPS) while defining a VM manager in the License Metric Tool server so that the TLS protocol is used to encrypt all the network traffic.
  4. Verifying the listener. After you define the HTTP or HTTPS listener, verify that you can remotely connect to the Hyper-V or Azure Stack HCI server.
    1. On the Hyper-V or Azure Stack HCI server, determine the port on which the Windows Remote Management client for the HTTP or HTTPS transport listens. Type the following command in the Windows command line.
      winrm enumerate winrm/config/listener
      • If the port number is listed in the Port line, the listener was properly created.
      • If you receive an error or there is no information for the transport, the listener was not created properly. Go back to step 1, and define the listener again.
    2. To verify the listener, run the following command.
      winrm enumerate winrm/config/listener /r:<transport>://<server_name>:<port>/wsman /u:<user_id> /p:<password> /a:Negotiate
      Where:
      <transport>
      Is either HTTP or HTTPS.
      <server_name>
      Is the host name of the Hyper-V or Azure Stack HCI server. If you are using HTTPS, the host name must match the CN in the certificate.
      <port>
      Is the port number that you obtained in the previous step.
      <user_id>
      Is the user ID that is used to connect to the Hyper-V or Azure Stack HCI server.
      <password>
      Is the password that is used to connect to the Hyper-V or Azure Stack HCI server.
      For example:
      winrm enumerate winrm/config/listener /r:https://myhyperv.ibm.com:5986/wsman /u:administrator /p:abc /a:Negotiate
  5. Verifying whether the Virtual Machine Management Service (VMMS) is running. To verify that the service that provides Hyper-V or Azure Stack HCI management is running, go to Administrative Tools > Services on the Hyper-V or Azure Stack HCI server. Look for the service called Hyper-V Virtual Machine Management or Azure Stack HCI Virtual Machine Management.
    • If the service exists, but is not running, start the service.
    • If the service does not exist, the Hyper-V or Azure Stack HCI host was not configured properly.
  6. Verifying the MsCluster resource. If the server is clustered, verify that you can access the MsCluster namespace. On the Hyper-V or Azure Stack HCI server, type the following command into the Windows command line.
    winrm enumerate wmi/root/MsCluster/* -dialect:"http://schemas.microsoft.com/wbem/wsman/1/WQL" -filter:"SELECT PrivateProperties, Type FROM MsCluster_Resource WHERE Type='Network Name' AND Flags='1'"

    If this command fails, refer to Microsoft documentation about WMI for MsCluster.

  7. Verifying remote connectivity and the server certificate. To verify remote connectivity and the server certificate, type the following command into the Windows command line.
    Restriction: Enter the following command on the Windows command line of the computer on which the VM Manager Tool is installed. If the VM Manager Tool is not installed on a computer that runs on a Windows operating system, use a computer that is not the Hyper-V or Azure Stack HCI host and runs on Windows 2008 or higher.
    winrm set winrm/config/client @{TrustedHosts="<server_name>"}
    winrm get winrm/config/client /r:<transport>://<server_name>:<port>/wsman /u:<user_id> /p:<password> /a:Negotiate
    Where:
    <transport>
    Is either HTTP or HTTPS.
    <server_name>
    Is the host name of the Hyper-V or Azure Stack HCI server. If you are using HTTPS, the host name must match the CN in the certificate.
    <port>
    Is the port number on which the WinRM Listener (HTTP or HTTPS) is set up.
    <user_id>
    Is the user ID that is used to connect to the Hyper-V or Azure Stack HCI server.
    <password>
    Is the password that is used to connect to the Hyper-V or Azure Stack HCI server.
    For example:
    winrm set winrm/config/client @{TrustedHosts="myhyperv.ibm.com"}
    winrm get winrm/config/client /r:https://myhyperv.ibm.com:5986/wsman /u:administrator /p:abc /a:Negotiate
    The following error is often returned when a self-signed certificate is used:
    WSManFault
    Message = The server certificate on the destination computer (myhyperv.ibm.com:5986)
    has the following errors: The SSL certificate is signed by an unknown certificate authority.
    If you receive this error, export the self-signed certificate from the Hyper-V or Azure Stack HCI host, and import it to the trusted Windows store on the computer where the VM Manager Tool is installed. For other errors, refer to Microsoft documentation for the returned error code.
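
The checks from steps 1 to 3, gathered into one read-only PowerShell audit. This is an added example, not part of the original procedure or of License Metric Tool. The function name Get-WinRMAudit and its ExpectedHostName parameter are hypothetical; the WSMan: and Cert: drives are the standard PowerShell providers.

```powershell
# Added example: read-only audit of the WinRM settings from steps 1-3.
# Run in an elevated PowerShell session on the host; the WinRM service must be running.
function Get-WinRMAudit {   # hypothetical name, not an IBM or Microsoft cmdlet
    param([string]$ExpectedHostName = [System.Net.Dns]::GetHostEntry('').HostName)

    # Steps 2 and 3: the three service properties the procedure sets to true.
    foreach ($p in 'Service\Auth\Negotiate', 'Service\AllowUnencrypted', 'Service\AllowRemoteAccess') {
        $v = (Get-Item "WSMan:\localhost\$p").Value
        [pscustomobject]@{ Check = $p; Value = $v; Ok = ($v -eq 'true'); Detail = '' }
    }

    # Step 1: one result row per defined listener.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    if (-not $listeners) {
        [pscustomobject]@{ Check = 'Listener'; Value = 'none'; Ok = $false; Detail = 'define a listener (step 1)' }
    }
    foreach ($l in $listeners) {
        $cfg = @{}
        Get-ChildItem $l.PSPath | ForEach-Object { $cfg[$_.Name] = $_.Value }
        $problems = @()
        $detail   = 'SOAP content is sent as plain text (note under step 3)'   # HTTP case
        if ($cfg.Transport -eq 'HTTPS') {
            # Certificate conditions quoted in the note under step 1 (revocation is not checked here).
            $thumb = "$($cfg.CertificateThumbprint)" -replace '\s', ''
            $cert  = if ($thumb) { Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue }
            if (-not $cert) {
                $problems += 'listener certificate not found in LocalMachine\My'
            } else {
                $cn  = $cert.GetNameInfo('SimpleName', $false)
                $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
                if ($cn -ne $ExpectedHostName)      { $problems += "CN '$cn' does not match '$ExpectedHostName'" }
                if ($cert.NotAfter -lt (Get-Date))  { $problems += 'certificate expired' }
                # Subject equal to Issuer is used here as the self-signed test.
                if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed: client must import it (step 7)' }
                # 1.3.6.1.5.5.7.3.1 is Server Authentication; an empty EKU list means any purpose.
                if ($eku -and $eku -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'no Server Authentication EKU' }
            }
            $detail = $problems -join '; '
        }
        [pscustomobject]@{ Check = "Listener $($cfg.Transport)"; Value = "port $($cfg.Port)"
                           Ok = ($problems.Count -eq 0); Detail = $detail }
    }
}

Get-WinRMAudit | Format-Table -AutoSize -Wrap
```

Pass -ExpectedHostName with the host name that is entered when the VM manager is defined, because that is the name the certificate CN must match.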