vCLI and Lockdown Mode
Lockdown mode can disable all direct root access to ESXi machines.
To make changes to ESXi systems in lockdown mode, you must go through a vCenter Server system that
manages the ESXi system. You can use the vSphere Web Client or vCLI commands that support the
--vihost option. The following commands cannot run against vCenter Server systems and are therefore not
available in lockdown mode.
- vifs
- vicfg-user
- vicfg-cfgbackup
- vihostupdate
- vmkfstools
- vicfg-ipsec
If you have problems running a command on an ESXi host directly, without specifying a vCenter Server
target, check whether lockdown mode is enabled on that host. See the vSphere Security documentation.
Trust Relationship Requirement for ESXCLI Commands
Starting with vSphere 6.0, ESXCLI checks whether a trust relationship exists between the machine where
you run the ESXCLI command and the ESXi host. An error results if the trust relationship does not exist.
Download and Install the vCenter Server Certificate
You can download the vCenter Server root certificate by using a Web browser and add it to the trusted
certificates on the machine where you plan to run ESXCLI commands.
Procedure
1 Enter the URL of the vCenter Server system or vCenter Server Appliance into a Web browser.
2 Click the Download trusted root link.
3 Change the extension of the downloaded file to .zip. (The file is a ZIP file of all certificates in the
TRUSTED_ROOTS store.)
4 Extract the ZIP file.
A certificates folder is extracted. The folder includes files with the extension .0, .1, and so on, which are
certificates, and files with the extension .r0, .r1, and so on, which are CRL files associated with the
certificates.
5 Add the trusted root certificates to the list of trusted roots.
The process differs depending on the platform that you are on.
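The following Python script is an added example, not VMware code: it inventories the downloaded ZIP from steps 3 and 4 by the suffix convention described above and prints a SHA-256 fingerprint for each certificate and CRL, so the values can be compared with ones obtained from the vCenter Server administrator before step 5. The function names and sample file names are hypothetical, the sample ZIP is constructed, and PEM or DER encoding of the members is an assumption.

```python
import base64
import hashlib
import io
import re
import zipfile

# Per the procedure: .0, .1, ... are certificates; .r0, .r1, ... are their CRLs.
CERT_RE = re.compile(r"\.\d+$")
CRL_RE = re.compile(r"\.r\d+$")
PEM_RE = re.compile(rb"-----BEGIN [A-Z0-9 ]+-----(.*?)-----END [A-Z0-9 ]+-----", re.S)


def to_der(data):
    """Return DER bytes; PEM input is unwrapped, anything else is assumed to be DER."""
    match = PEM_RE.search(data)
    return base64.b64decode(match.group(1)) if match else data


def inventory_trusted_roots(zip_bytes):
    """Classify members by suffix and fingerprint them in memory (nothing is extracted)."""
    result = {"certificates": {}, "crls": {}, "other": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            if CERT_RE.search(name):
                bucket = result["certificates"]
            elif CRL_RE.search(name):
                bucket = result["crls"]
            else:
                if not info.is_dir():
                    result["other"].append(name)  # unexpected member: review by hand
                continue
            bucket[name] = hashlib.sha256(to_der(archive.read(name))).hexdigest()
    return result


def build_sample_zip():
    """Constructed sample: placeholder bytes, not real certificates or CRLs."""
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"constructed-root-0") + b"\n-----END CERTIFICATE-----\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("certs/a1b2c3d4.0", pem)
        archive.writestr("certs/a1b2c3d4.r0", b"constructed-crl-0")
        archive.writestr("certs/readme.txt", b"not a certificate")
    return buf.getvalue()


if __name__ == "__main__":
    print(inventory_trusted_roots(build_sample_zip()))
```

To check a real download, pass the bytes of the downloaded file to inventory_trusted_roots instead of the constructed sample.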
What to do next
You can now run ESXCLI commands against any host that is managed by the trusted vCenter Server system
without supplying additional information if you specify the vCenter Server system in the --server option
and the ESXi host in the --vihost option.
Getting Started with vSphere Command-Line Interfaces
VMware, Inc.