Exploring The Lifecycle Management Endpoints Through Postman
While the official documentation explicitly details the different LCM API calls, to simplify their exploration you can import my Postman collection, Horizon Server API Shenanigans. The collection demonstrates various calls to the Horizon Server API, including the newer LCM APIs. You can easily import this collection into your own Postman environment by clicking on this Run in Postman button:
Once the import is complete you’ll have access to the entire Horizon Server API Shenanigans collection, including the “Horizon LCM” folder.
For more guidance on this Horizon Server API Shenanigans Postman collection, again, check out, No REST For The RESTful: Omnissa’s Horizon Server API. We'll be using preconfigured calls within this collection's Horizon LCM folder as we explore the LCM APIs.
Once you’ve copied this collection into your own instance of Postman you can begin to tailor the calls for your Horizon environment. At minimum you’ll need to update key collection variables, including the baseUrl for your Connection server, along with the username, password and domain for the Horizon administrator you intend to use for the LCM APIs.
Next comes the critical task of registering the server installer package. This will instruct target machines where to download both the Connection Server installer and the LCM.zip bundle.
To use a different version of Horizon Connection Server you’ll have to update these values accordingly. Upon successful execution you’ll get a 200 response, with a display of the new installer package ID.
Validating Target Machine Requirements
There are 3 different pre-check endpoints you can use to validate prerequisites on the target machine regarding Active Directory, vCenter and general system requirements. These calls are relatively straightforward to configure and can be found within the LCM Target Machine Validation folder of Horizon Server API Shenanigans. For example, to validate general system requirements we need only provide the FQDN of the target machine and the Connection Server version we’re trying to upgrade to:
The Active Directory call requires nearly the same configuration, with the added requirement of a FQDN for AD:
Similarly, the vCenter prerequisite check requires 2 additional data points specific to the vCenter environment, the vCenter URL and vCenter version:
After receiving positive confirmation from these system check APIs we can confidently proceed with pushing out an install or upgrade.
Executing An Upgrade
With our installer package created and prerequisite checks passed, performing an actual upgrade is a relatively straightforward process. We need to provide the FQDN of the target machine along with the server installer package ID and admin credentials.
Executing A Fresh Install
While executing a fresh Connection Server installation using the LCM APIs isn’t rocket science, there is a bit more data entry required to populate the request body with the required values. This reflects the more complex nature of a fresh install, which requires additional input such as specifying the deployment type and recovery passwords. If you navigate to the root of the Horizon LCM folder you'll find an example call to the install-connection-server endpoint.
This Swagger info, combined with an understanding of general install requirements, should get you everything you need for a successful install.
The LCM Sequence Folder
The Prerequisites At A High Level
To successfully execute these LCM APIs you need a Connection Server running at least Horizon 2406, the first version to offer these APIs. You’ll also need a Horizon admin account with special LCM management privileges as well as local administrative access to target machines. For the actual execution of the installer you’ll need the Windows Remote Management (WinRM) service running on both the target machine getting updated and the Horizon Connection server where the APIs are invoked. Most notably, you’ll need a web server to host the Connection Server installer and LCM bundle originally downloaded from Customer Connect. These requirements are called out in the Omnissa Horizon 8 Installation And Upgrade guide.
The current requirement for a web server with a legitimate SSL cert is tough, as it falls slightly outside the required skill set of your typical Horizon admin. Though future releases of the LCM API will support file shares for hosting the installer, in the current release a web server is absolutely necessary. Fortunately, Horizon admins do typically have access to Windows servers, and the following guidance will walk you through accommodating the web server requirement using Microsoft IIS. Along with digging deeper into this web server prerequisite we'll cover some WinRM deployment considerations and testing options.
Setup IIS Through Server Administrator
Next, you need to add a virtual directory to this default web site.
Add A Virtual Directory To The Default Website
This will take you to the physical file system representing the root of your website. Create a new folder at the root and name it whatever you'd like. Copy the LCM.zip bundle and Connection server installer there.
At this point add a virtual directory to the website. Navigate back to IIS Manager, right-click on the Default Web Site and select “Add Virtual Directory.” Define an alias for this virtual directory and define its physical path by navigating to the folder you've just created.
Next, navigate to this new virtual folder under the Default Web Site. Select Directory Browsing.
Now, along with the default IIS page, you should be able to navigate to the virtual directory from the local browser. For example, if you created a virtual directory called installer you should be able to browse it by pointing your browser to http://localhost/installer.
If by chance you're looking to use an internal Microsoft CA, i.e., one that's not publicly trusted, there's an additional step required to get things working properly. You must import your root CA certificate for your internal CA into the JRE keystore located at JAVA_HOME\jre\lib\security\cacerts on your Connection Server. Otherwise, when you go to register your server installer build the LCM API won't recognize the file path to your Connection Server installer, complaining you're using an "Invalid file URL," despite having a valid URL when testing with a browser.
From here, I selected to export the CA in the DER encoded format, leading to an exported copy of my cert named evengooder_internal_ca.cer. Then I navigated to the directory:
C:\Program Files\VMware\VMware View\Server\jre\lib\security>
From there I ran the command:
..\..\bin\keytool.exe -import -trustcacerts -alias evengooderCA -file c:\software\evengooder_internal_ca.cer -keystore cacerts
When executing the command you'll be prompted for the keystore password. The default password for the JRE keystore is "changeit".
C:\Program Files\VMware\VMware View\Server\jre\bin>keytool.exe -list -cacerts >> c:\software\trusted_ca.txt
When navigating through the output I was able to locate my internal certificate authority. The ultimate confirmation that things had gone right was when my server installer package started registering properly, without the, "Invalid file url," error I was getting prior.
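A scripted version of the check described above, as an added example that is not part of the original post: it inspects the exported CA file and then confirms that the keystore alias holds that exact certificate by comparing SHA-256 fingerprints, instead of scanning the full keytool listing by eye. The paths, alias and default password are the ones quoted in the post; the parameter names are this example's own.

```powershell
# Added example (not from the original post). Paths and alias are the ones quoted
# in the post; the parameter names are this example's own.
param(
    [string]$CerPath   = 'c:\software\evengooder_internal_ca.cer',
    [string]$JreDir    = 'C:\Program Files\VMware\VMware View\Server\jre',
    [string]$Alias     = 'evengooderCA',
    [string]$StorePass = 'changeit'   # JRE keystore default mentioned in the post
)

$keytool  = Join-Path $JreDir 'bin\keytool.exe'
$keystore = Join-Path $JreDir 'lib\security\cacerts'

# Load the exported DER file and compute its SHA-256 fingerprint in the
# colon-separated form keytool prints (AA:BB:CC:...).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$sha  = [System.Security.Cryptography.SHA256]::Create()
$fp   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)).Replace('-', ':')

# Sanity checks on what is about to become (or already is) a trust anchor.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa       = [bool]($bc -and $bc.CertificateAuthority)
$selfIssued = $cert.Subject -eq $cert.Issuer
$inValidity = ((Get-Date) -ge $cert.NotBefore) -and ((Get-Date) -le $cert.NotAfter)

"Subject     : $($cert.Subject)"
"SHA-256     : $fp"
"CA flag     : $isCa"
"Self-issued : $selfIssued"
"In validity : $inValidity"
if (-not ($isCa -and $selfIssued -and $inValidity)) {
    Write-Warning 'This file does not look like a currently valid root CA certificate.'
}

# Ask keytool for the single alias (verbose output includes the SHA-256
# fingerprint) and compare it with the file on disk.
$listing = & $keytool -list -v -alias $Alias -keystore $keystore -storepass $StorePass 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    Write-Warning "keytool could not list alias '$Alias': $listing"
} elseif ($listing -like "*$fp*") {
    "Keystore entry '$Alias' matches the exported certificate."
} else {
    Write-Warning "Alias '$Alias' exists but holds a different certificate."
}
```

Comparing the printed fingerprint with the value shown by the CA itself before running the import confirms that the file being added to cacerts is the intended root.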
I had originally anticipated more WinRM configuration, but it just wasn’t necessary in my lab. To my understanding, because both machines were joined to the same domain it wasn’t necessary to run, “winrm quickconfig,” or add trusted hosts. Folks with unusual situations where the Connection Server is on a different domain than the target machine might require additional WinRM configs to get things working. Otherwise, I think this WinRM requirement should be easy for typical Horizon environments to handle.
Though adopting the LCM APIs is not for the faint of heart, it's well worth the trouble. In addition to its already impressive functionality there are plans to extend its scope to other Horizon infrastructure. Most Horizon admins stand to benefit from its current capabilities, let alone its future expanded ones. If you end up taking this technology for a test spin please let me know how it goes in the comments below.