Configure Windows Remote Management to allow the
License Metric Tool server to gather data about
virtualization topology of virtual machines installed in your infrastructure.
Before you begin
- To retrieve the data that is required to properly calculate PVU, you must have access to the
local administrator account on the Hyper-V or Azure Stack HCI host. It is necessary because the
Windows Management Instrumentation call that accesses MsCluster namespace requires an administrative
account.
- WinRM is accessed in the read-only mode. License Metric Tool does not modify the Hyper-V or Azure Stack HCI settings and does not affect them in
any other way. The obtained data is stored in the License Metric Tool database.
About this task
The WinRM service is an implementation of WS-Management specification that enables
cooperation between hardware and operating systems that come from different vendors. The License Metric Tool server connects to WinRM that is
defined as a VM manager by means of the VM Manager Tool and
collects data about virtualization hierarchy. Perform the following procedure on each Hyper-V or
Azure Stack HCI host in your infrastructure, including the hosts that are part of a cluster, to
ensure that the WinRM service is running and configured and to enable communication with the
License Metric Tool server.
Procedure
- Defining HTTP and HTTPS listeners. Communication with the WinRM
service might be enabled or disabled by default depending on the versions of Windows. To check
whether any listeners are currently defined, type the following command: winrm enumerate
winrm/config/listener. If no output is returned, no listeners are defined.
- To define the default HTTP listener, type the following command: winrm
quickconfig.
The command performs the following actions:
- Starts the WinRM service and sets it to start automatically with the system start.
- Creates an HTTP listener on the default port (accepting requests from any IP).
- Defines Internet Connection Firewall exceptions for the service.
- Opens the HTTP port. Depending on the version of the WinRM service, the default HTTP port might
be 80 or 5985.
For more information, see:
Installation and Configuration for Windows
Remote Management.
- To define a listener for secure connection (HTTPS), you must have a valid certificate
on the Hyper-V or Azure Stack HCI host with a CN that matches the host name that you are using to
connect to Hyper-V or Azure Stack HCI. You must also create a listener with the
CertificateThumbprint of that certificate. For more information, see the Microsoft documentation:
http://support.microsoft.com/kb/2019527.. You might be able to create a
self-signed certificate for testing purposes, however, you should consult your certificate
administrator.
Note: If an appropriate certificate is not found on the machine, the above command does not work and
the following output is returned
The certificate must have a CN matching the host name, be
appropriate for Server Authentication, and not be expired, revoked, or self-signed. If you
need to configure the WinRM Listener to use a self-signed certificate, run the following
command.
winrm create winrm/config/listener?Address=*+Transport=HTTPS
@{Hostname=”<the name of your server>”;CertificateThumbprint=”<certificate thumbprint>”}
In
this case, you must configure the firewall settings manually.
- Enabling WinRM Negotiate authentication scheme. The WinRM service offers
several authentication schemes to be used to authenticate the client side. The VM Manager Tool uses the Negotiate authentication scheme, which
is enabled by default.
- To check the current setting of this property, run the following command.
winrm get winrm/config/service/auth
- To set the required value of this property, run the following command.
winrm set winrm/config/service/auth @{Negotiate="true"}
- Setting WinRM AllowUnencrypted and AllowRemoteAccess properties. The
server requires these properties to be set to true.
- To check the current settings, run the following command.
winrm get winrm/config/service
- To set the required values of these properties, run the following command.
winrm set winrm/config/service @{AllowUnencrypted="true"}
winrm set winrm/config/service @{AllowRemoteAccess="true"}
Note: Setting this value to true does not mean that the sensitive data, such as
user names or passwords, will be passed in an unencrypted form over the network. Only the content of
the SOAP messages will be sent as a plain text. If this cannot be accepted because of security
reasons, define the HTTPS listener and use the secured transport (HTTPS) while defining a VM manager
in the License Metric Tool server so that the
TLS protocol is used to encrypt all the network traffic.
- Verifying the listener. After you define the HTTP or HTTPS listener, verify that
you can remotely connect to the Hyper-V or Azure Stack HCI server.
- On the Hyper-V or Azure Stack HCI server, determine the port on which the Windows
Remote Management client for the HTTP or HTTPS transport listens. Type the following command in the
Windows command line.
winrm enumerate winrm/config/listener
- If the port number is listed in the
Port
line, the listener was properly
created.
- If you receive an error or there is no information for the transport, the listener was not
created properly. Go back to step 1, and define the listener again.
- To verify the listener, run the following command.
winrm enumerate winrm/config/listener /r:<transport>://
<server_name>:<port>/wsman /u:<user_id> /p:<password> /a:Negotiate
Where:
- <transport>
- Is either HTTP or HTTPS.
- <server_name>
- Is the host name of the Hyper-V or Azure Stack HCI server. If you are using HTTPS, the host name
must match the CN in the certificate.
- <port>
- Is the port number that you obtained in the previous step.
- <user_id>
- Is the user ID that is used to connect to the Hyper-V or Azure Stack HCI server.
- <password>
- Is the password that is used to connect to the Hyper-V or Azure Stack HCI server.
For example:
winrm enumerate winrm/config/listener /r:https://
myhyperv.ibm.com:5986/wsman /u:administrator /p:abc /a:Negotiate
- Verifying whether the Virtual Machine Management Service (VMMS) is running. To
verify that the service that provides Hyper-V or Azure Stack HCI management is running, go to
on the Hyper-V or Azure Stack HCI server. Look for the
service called Hyper-V Virtual Machine Management or Azure Stack HCI Virtual Machine
Management.
- If the service exists, but is not running, start the service.
- If the service does not exist, the Hyper-V or Azure Stack HCI host was not configured
properly.
- Verifying the MsCluster resource. If the server is clustered, verify that you can
access the MsCluster namespace. On the Hyper-V or Azure Stack HCI server, type the following command
into the Windows command line.
winrm enumerate wmi/root/MsCluster/*
-dialect:"http://schemas.microsoft.com/wbem/wsman/1/WQL"
-filter:"SELECT PrivateProperties, Type FROM MsCluster_Resource
WHERE Type='Network Name' AND Flags='1'"
If this command fails, refer to Microsoft documentation about WMI for MsCluster.
- Verifying remote connectivity and the server certificate. To verify remote
connectivity and the server certificate, type the following command into the Windows command
line.
Restriction: Enter the following command on the Windows command line of the computer on
which the VM Manager Tool is installed. If the VM Manager Tool is not installed on a computer that runs on a Windows
operating system, use a computer that is not the Hyper-V or Azure Stack HCI host and runs on Windows
2008 or higher.
winrm set winrm/config/client @{TrustedHosts="<server_name>"}
winrm get winrm/config/client /r:<transport>://
<server_name>:<port>/wsman /u:<user_id> /p:<password> /a:Negotiate
Where:
- <transport>
- Is either HTTP or HTTPS.
- <server_name>
- Is the host name of the Hyper-V or Azure Stack HCI server. If you are using HTTPS, the host name
must match the CN in the certificate.
- <port>
- Is the port number on which the WinRM Listener (HTTP or HTTPS) is set up.
- <user_id>
- Is the user ID that is used to connect to the Hyper-V or Azure Stack HCI server.
- <password>
- Is the password that is used to connect to the Hyper-V or Azure Stack HCI server.
For example:
winrm set winrm/config/client @{TrustedHosts="myhyperv.ibm.com"}
winrm get winrm/config/client /r:https://
myhyperv.ibm.com:5986/wsman /u:administrator /p:abc /a:Negotiate
The following error is often returned when a self-signed certificate is used:
WSManFault
Message = The server certificate on the destination computer (myhyperv.ibm.com:5986)
has the following errors: The SSL certificate is signed by an unknown certificate authority.
If
you receive this error, export the self-signed certificate from the Hyper-V or Azure Stack HCI host,
and import it to the trusted Windows store on the computer where the
VM Manager Tool is installed. For other errors, refer to Microsoft
documentation for the returned error code.