VMware Retires vHA: Introducing The New Health And Security Toolkit (HST)

If you’ve done a health check in a VMware environment then you probably used vHA. It’s a nice tool that scans the environment and compares it to VMware best practices. This gives you a report, which you can give the customer, on what needs to be fixed and what is okay. There is another tool that TAMs use called TDM, or TAM Data Manager. TDM and vHA have been combined to form the VMware Health and Security Toolkit, or HST!

HST has three main components: the TDM that TAMs use to collect data on an environment, vHA for Health Assessments, and SA, or Security Assessment. TDM is primarily for TAMs so I’m not going to cover that, and SA deserves a walkthrough of its own. I’m going to focus on the Health Assessment part of HST. Let’s get started.

Requesting Access to Health Analyzer and Security Assessment (Consultants/Partners Only)

As a consultant or a Broadcom partner you’ll need to request access to HA and SA before you will have access to those features. You will need to open an SR for each one. You can go directly to the TAM Tools Access Request HERE. Under Application you’ll need to select PS Tools for HA access and then open another SR and select HST Security Assessment for access to SA.

You now have to wait for approval. They might approve you the same day, or they might take two or three days. Once they approve you for both, you can request a Registration Key.

Requesting a Registration Key

Okay, so they finally approved your two requests. Now, if you’re in an environment with no internet access and you need to use Offline Login, you will need a Registration Key. This is an automated process so it doesn’t take long. Just go to https://pstoolhub.broadcom.com/#/dashboard and fill out the form to request a key. You’ll want to make sure to select Health and Security Toolkit under Tool. Then put in the customer’s name. Broadcom wants to track what customers are using the tool, so you’ll want to request a new key for each customer. Also, the keys are only good for 30 days. Once you fill out the required fields, click Register. Your key should show up in your email within a minute or two.

Downloading HST

There are two ways you can run HST. You can run a Java version locally or deploy an OVA directly into the environment. You can find the download links for both versions and the User Guide HERE. I’ve been playing around with the JAVA version in my lab, so I’ll go over that one first. This is going to be the best use case for consultants since you can run it locally on your PC or laptop without having to deploy an OVF.

VMware HST JAVA

The JAVA version is super easy to use and the only prerequisite is to have at least JAVA SE Development Kit 21. The current version as of this writing is JDK 24 and you can download it HERE.

Once you install the JDK, navigate to the folder where you downloaded HST Java, unzip it, and double-click the HealthAndSecurityToolkit.jar file. I should note that the official documentation discourages running it this way due to potential warnings and errors. The official documentation says to run the jar file from a command prompt and also to set up environment variables after installing the JDK. I did not set up any environment variables and I have been running HST by double-clicking the jar file and have not had any issues. If you encounter issues, refer to the official documentation to set up your PC or laptop.

After you run the jar file the Java window will open where backend processes will start the server. Once that finishes the Connect button will light up and you can click it.

Once the page loads you’ll see three different ways to log in: Customer, Broadcom or Partner, and Offline. With the Java version, the application disables the customer login option, so you don’t need to enter a username or password. Just click Login and you’re in.

VMware HST Virtual Appliance (OVF)

For a more permanent solution the customer can deploy HST as an appliance. The process is the same as any other OVF so I’ll skip over that and just focus on the Customize Template part of the OVF deployment.

You or your customer will need to fill in all or most of the fields under Customize template. It will give you a warning bar at the top of the window letting you know of any fields that don’t have valid values. You don’t need to configure everything if you’re using DHCP. But I suggest filling everything out so you have a static IP. That being the case, do make sure you have a DNS entry for the HST appliance in place ahead of time. After you fill out everything, click Next. Then click Finish to start the deployment.

Once the deployment finishes, power on the VM. Then navigate to its FQDN in a web browser. The first time you log in, the system prompts you to accept the EULA. Then you’ll see the three ways to log in. Unlike with the JAVA version, under Customer Login the customer will need to enter the username and password that was set up during the OVF deployment.

Creating a Project and Running a Scan

Whether you use the Java or Appliance version, keep in mind that this is the “customer” view. What they see will be limited. Once the customer logs in, they need to create a project folder first.

Give the folder a name and click Create.

Once we have our Project Folder created we can create a Project.

On the Create Project window give the project a name, a description if you choose, then select what data to collect. I should note that when it comes to selecting the data sources, at this point vCenter/vSphere is the only option. VMware will hopefully add NSX, SDDC, and other products in the future to make this tool more robust.

For Application Selection, since I’m focusing on the HA part, I’ll only briefly mention the TDM. This is going to pull all sorts of data about the customer’s environment that would be useful for a TAM: ESX hosts and all the info about them, vCenters and all their info, etc. The Anonymize data checkbox is going to sterilize any sensitive data in the report it spits out (IP addresses and such).

Now on to the Health Analyzer. After you check the box for vHA you’ll have the option to choose which version of vCenter the customer has: 7.X or 8.X. Click Next.

This page is where you add the vCenter/s. If the customer has a large number of them you can import them in from a file. When you click the import button, the system prompts you to upload a file, and it even provides a template you can download.

In my case I just have the one vCenter in my lab, so I’ll enter the information for it and click Validate All. This is just going to check the username and password.

Once the username and password are validated for each vCenter you’ll see a green dot appear next to them and you can click the Next button.

On the next page just confirm everything looks good and click Submit. The scanning will start and you’ll see a status bar for each vCenter. As with the old vHA tool, it’s only going to scan one vCenter at a time, so depending on how many are in the scan this could take a while.

Once the scan finishes there’s not much else the customer can do. They are unable to see the results of the scan. This is where you as the consultant will have some options.

Consultant/Partner Login

If you are onsite and the customer’s environment has internet access (not likely for DoD sites) you can log in with SSO. If you need Offline Login, this is where the key you requested will come in. There’s going to be some discretion on how you as a consultant/partner are logging into the tool depending on your situation. I recently used the new HST tool with a customer on a remote engagement and after the scan finished I had them Export the project and send me that file. After I downloaded the file, I ran the Java version on my PC and imported the customer’s project into my HST. Here’s how I did it.

In my case, I logged in with my key to simulate being offline. Then I created a New Folder. Now you can hover over the folder and click the three vertical dots and select Import Project.

Upload the import file, then click Import. Now the project shows up and when we click on it we can see the Health Analyzer tab that is hidden from the customer’s view.

Now you can click on the Report button and you’ll have a JSON, Excel, and Word report that you can download to give to your customer. Just remember to edit the Word document before you give it to your customer.
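Before a downloaded JSON report is passed along, it can be checked for IP addresses that are still in it. The following is an added example, not part of HST or of the original post: the report's schema is not described here, so the walker accepts any JSON, and the sample report, its field names and the `skip_keys` heuristic are constructed for illustration.

```python
import ipaddress
import json
import re

# Candidate dotted quads; ipaddress does the real validation.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_ip_addresses(node, path="$", skip_keys=("version", "build")):
    """Walk parsed JSON and return (json_path, ip) for every IPv4 address
    found inside a string value. String values stored under keys whose name
    contains an entry of skip_keys are ignored, because four-part version
    numbers such as 8.0.3.0 are also valid dotted quads."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            is_skipped = any(s in str(key).lower() for s in skip_keys)
            if is_skipped and isinstance(value, str):
                continue
            hits += find_ip_addresses(value, f"{path}.{key}", skip_keys)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits += find_ip_addresses(value, f"{path}[{index}]", skip_keys)
    elif isinstance(node, str):
        for match in IPV4_CANDIDATE.finditer(node):
            try:
                ipaddress.IPv4Address(match.group())
            except ValueError:
                continue  # looks like an address but is not, e.g. 999.1.1.1
            hits.append((path, match.group()))
    return hits


# Constructed sample; a real report will have a different layout.
SAMPLE_REPORT = json.loads("""
{
  "vcenters": [
    {"name": "vc01.lab.example", "version": "8.0.3.0",
     "hosts": [{"name": "HOST-1", "mgmt_ip": "10.20.30.41"},
               {"name": "HOST-2", "note": "syslog target udp://192.168.50.7:514"}]}
  ],
  "findings": [{"id": "F-1", "text": "NTP not configured on 999.1.1.1"}]
}
""")

if __name__ == "__main__":
    for json_path, ip in find_ip_addresses(SAMPLE_REPORT):
        print(f"{json_path}: {ip}")
```

To check a real file, load it with `json.load` and pass the result to `find_ip_addresses`; an empty list means no IPv4 address was found in any string value.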

Another way to approach things would be to log in with SSO or Offline Login and run the scan from there. This is also where you would see the option for the Security Assessment.

Chris Pope

Certified Senior Virtualization Engineer with over 13 years of experience designing, deploying, and optimizing VMware and Omnissa environments across secure DoD and NATO systems. Adept at streamlining hybrid cloud operations, executing complex P2V migrations, and enhancing disaster recovery. Skilled communicator who simplifies complex technology for users and teams.
