Configure the Migration Hub Orchestrator plugin
The Migration Hub Orchestrator plugin is a virtual appliance that you can install in your on-premises VMware environment.
Important
The Migration Hub Orchestrator plugin must be able to communicate with the source and target environments to orchestrate and automate migrations. The version of the plugin that is deployed in vCenter supports VMware vCenter Server 6.0, 6.5, 6.7 and 7.0.
Download
To deploy the plugin as a virtual machine (VM) in your VMware environment, download the plugin Open Virtualization Archive (OVA) file using the following steps.
-
Sign in to the https://console.aws.amazon.com/migrationhub/orchestrator/
. -
In the left navigation pane, choose Orchestrate.
-
On the Migration Hub Orchestrator page, choose Download plugin.
-
After the plugin is downloaded to your on-premises VMware environment, you can deploy it in vCenter. Sign in to vCenter as a VMware administrator.
We recommend at least 8 GB of RAM and at least 4 CPUsfor the VM.
-
Deploy the OVA file that you downloaded. The OVA file includes the plugin and a CLI that can be used to access the Migration Hub Orchestrator API.
-
Sign in to the plugin using an SSH client.
ssh ec2-user@PluginIPAddress
When prompted for a password, enter the default password, plugin@123. You must change your password when you first sign in.
Tip
If you would like to use the plugin for multiple virtual machines, you can export the OVA file after you configure it, and import it to your desired source VM.
Configure
To configure the Migration Hub Orchestrator plugin using plugin setup commands, create a bash shell session in the plugin Docker container using the following command.
docker exec -it mhub-orchestrator-plugin bash
The plugin setup command runs all of the following commands in succession, but you can also run them individually:
-
plugin setup --aws-configurations
-
plugin setup --vcenter-configurations
-
plugin setup --remote-server-configurations
Run the following command to set up all of the plugin configurations at the same time. Then, enter the information for AWS configurations, vCenter configurations, and remote server configurations.
plugin setup
Topics
Set up AWS configurations
Set up AWS configurations using the plugin setup
command or the
plugin setup --aws-configurations
command.
-
Enter Y for yes to Have you setup IAM permissions.... You set up these permissions when you created an IAM user to access the plugin using the
AWSMigrationHubOrchestratorPlugin
managed policy following the steps in Setting up. -
Enter the IAM profile that you created in the Migration Hub Orchestrator plugin using the following command.
aws configure --profile <profile-name>
-
Enter your
access_key
andsecret_key
from the AWS account that has the IAM user that you created to access the plugin. -
Enter a Region. For example,
us-west-2
. Choose a Region that suits your needs from the Regions that Migration Hub Orchestrator uses. For a list of these Regions, see Migration Hub Orchestrator endpoints in the AWS General Reference. -
Enter Y for yes to Upload plugin related metrics to Migration Hub Orchestrator? Metrics data helps AWS to provide you with support.
-
Enter Y for yes to Upload plugin related logs to Migration Hub Orchestrator? Log data helps AWS to provide you with support.
Your configuration setup may look similar to this example.
plugin setup --aws-configurations Have you setup IAM permissions in your AWS account as per the user guide? [Y/N]: Y IAM Profile name: <profile-name> Upload plugin related metrics to Migration Hub Orchestrator? By default plugin will upload metrics. [Y/N]: Y Upload plugin related logs to Migration Hub Orchestrator? By default plugin will upload logs. [Y/N]: Y Plugin configurations are saved successfully Start registering plugin Start registering plugin Plugin is registered successfully.
Set up vCenter configurations
Set up vCenter configurations using the plugin setup
command or the
plugin setup --vcenter-configurations
command.
-
Enter Y or N to Would you like to authenticate using VMware vCenter credentials based on your preference.
Note
Authenticating using VMware vCenter credentials requires that VMware tools are installed on the target servers.
Enter the Host Url, which can be the vCenter IP address or the URL. Then, enter the Username and Password for VMware vCenter.
-
Enter Y for yes to Do you have Windows machines managed by VMware vCenter if you want to configure Windows servers. Then, enter the Username and Password for Windows.
Note
If your Windows Remote Server belongs to an Active Directory domain, you must enter the username as
domain-name
\username
when using the CLI to provide source server configurations. For example, if the name of your domain is exampledomain and your username is Administrator, then the username you enter in the CLI is exampledomain\Administrator. -
Enter Y for yes to Setup for Linux using VMware vCenter if you want to configure Linux servers. Then, enter the Username and Password for Linux.
-
Enter Y for yes to the Would you like to setup credentials for servers outside vCenter using NTLM for Windows and SSH/Cert based for Linux questions if you want to set up source server credentials for servers outside of vCenter.
-
For Would you like to use the same Windows credentials used during vCenter setup, enter Y for yes if the credentials for the Windows machines that are managed outside of vCenter are the same as the credentials provided when configuring credentials for vCenter Windows machines. Otherwise, enter N for no.
If you answer Y for yes, the following questions are asked.
-
Enter Y for yes to Are you okay with the plugin accepting and locally storing server certificates on your behalf during first interaction with windows servers?.
-
Enter 1 for Enter your options if you want to configure SSH authentication.
If you choose to use SSH authentication, you must copy the generated key credentials to your Linux servers. For more information, see Set up key-based authentication on Linux servers.
-
Your configuration setup may look similar to this example.
Start setting up vCenter configurations for remote execution Note: authenticating using VMware vCenter credentials requires VMware tools to be installed on the target servers Would you like to authenticate using VMware vCenter credentials? [Y/N]: Y Host Url for VMware vCenter:host-url
Username for VMware vCenter:username
Password for VMware vCenter: Successfully stored vCenter credentials... Setup for Windows using VMware vCenter? [Y/N]: Y Username for Windows:username
Password for Windows: Successfully stored vCenter windows credentials... Setup for Linux using VMware vCenter? [Y/N]: Y Username for Linux:username
Password for Linux: Successfully stored vCenter linux credentials... Would you like to setup credentials for servers outside vCenter using NTLM for windows and SSH/Cert based for linux? [Y/N]: Y Would you like to use the same Windows credentials used during vCenter setup? [Y/N]: Y Are you okay with plugin accepting and locally storing server certificates on your behalf during first interaction with windows servers? These certificates will be used by plugin for secure communication with windows servers [Y/N]:Y Successfully stored windows server credentials... Please note that all windows server certificates are stored in directory /opt/amazon/mhub-orchestrator-plugin/remote-auth/windows/certs Please note the IP address of the plugin and run the script specified in the user documentation on all the windows servers in your inventory Would you like to setup credentials for servers not managed by vCenter using SSH/Cert based for Linux? [Y/N]: Y Choose one of the following options for remote authentication: 1. SSH based authentication 2. Certificate based authentication Enter your options [1-2]: 1 Would you like to use the same Linux credentials used during vCenter setup? [Y/N]: Y Generating SSH key on this machine... SSH key pair path: /opt/amazon/mhub-orchestrator-plugin/remote-auth/linux/keys/id_rsa_assessment Please add the public key "id_rsa_assessment.pub" to the "$HOME/.ssh/authorized_keys" file in your remote machines. Your Linux remote server configurations are saved successfully.
Set up source server configurations
Set up source server configurations using the plugin setup
command or the
plugin setup --remote-server-configurations
command.
-
Enter Y for yes to Would you like to setup credentials for servers not managed by vCenter using NTLM for Windows if you want to configure Windows servers. Enter the Username and Password for WinRM.
Note
If your Windows Remote Server belongs to an Active Directory domain, you must enter the username as
domain-name
\username
when using the CLI to provide source server configurations. For example, if the name of your domain is exampledomain and your username is Administrator, then the user name you enter in the CLI is exampledomain\Administrator.Enter Y for yes to Are you okay with plugin accepting and locally storing server certificates on your behalf during first interaction with windows servers?. Windows Server certificates are stored in the directory
/opt/amazon/mhub-orchestrator-plugin/remote-auth/windows/certs
. You must copy the generated server credentials to your Windows servers. For more information, see Set up the source server configuration on Windows servers. -
Enter Y for yes to Setup for Linux using SSH or Cert if you want to configure Linux servers.
-
Enter 1 for Enter your options if you want to configure for SSH key based authentication. If you choose to use SSH authentication, you must copy the generated key credentials to your Linux servers. For more information, see Set up key-based authentication on Linux servers.
-
Enter 2 for Enter your options if you want to configure for certificate-based authentication. For information about setting up certificate-based authentication, see Set up certificate-based authentication on Linux servers.
Your configuration setup may look similar to this example.
Setting up target server for remote execution Would you like to setup credentials for servers not managed by vCenter using NTLM for Windows [Y/N]: Y Username for WinRM:username
//Enterdomain-name
\username
, if the server is in AD domain Password for WinRM:password
Are you okay with plugin accepting and locally storing server certificates on your behalf during first interaction with windows servers? These certificates will be used by plugin for secure communication with windows servers [Y/N]: Y Successfully stored windows server credentials... Please note that all windows server certificates are stored in directory /opt/amazon/mhub-orchestrator-plugin/remote-auth/windows/certs Please note the IP address of the plugin and run the script specified in the user documentation on all the windows servers in your inventory Would you like to setup credentials for servers not managed by vCenter using SSH/Cert based for Linux? [Y/N]: Y Choose one of the following options for remote authentication: 1. SSH based authentication 2. Certificate based authentication Enter your options [1-2]: 1 User name for remote server:username
Generating SSH key on this machine... SSH key pair path: /opt/amazon/mhub-orchestrator-plugin/remote-auth/linux/keys/id_rsa_assessment Please add the public key "id_rsa_assessment.pub" to the "$HOME/.ssh/authorized_keys" file in your remote machines. Your Linux remote server configurations are saved successfully.
Enable the Migration Hub Orchestrator plugin to communicate with source servers
Note
This step isn’t necessary if you set up the Migration Hub Orchestrator plugin using vCenter credentials.
After you set up your remote server configurations, if you are using the plugin
setup
or plugin setup --remote-server-configurations
command, you must
prepare your remote servers so that the Migration Hub Orchestrator plugin can collect data from them.
Note
You must make sure that the servers are reachable using their private IP address. For further instructions on how to set up the environment through a virtual private cloud (VPC) on AWS for remote running, see the Amazon Virtual Private Cloud User Guide.
Prepare source Linux servers
Set up key-based authentication on Linux servers
If you choose to set up SSH key-based authentication for Linux when configuring source server configurations, you must perform the following steps to set up key-based authentication on your servers so that the Migration Hub Orchestrator plugin can communicate with source server.
To set up key-based authentication on your Linux servers
-
Copy the public key that was generated with the name id_rsa_assessment.pub from the following folder in the container:
/opt/amazon/mhub-orchestrator-plugin/remote-auth/linux/keys.
-
Append the copied public key in the
$HOME/.ssh/authorized_keys
file for all of the remote machines. If there is no file available, create it using thetouch
orvim
command. -
Ensure that the home folder on the source server has a permission level of
755
or less. You can use thechmod
command to restrict permissions.
Set up certificate-based authentication on Linux servers
If you choose to set up certificate-based authentication for Linux when configuring source server configurations, you must perform the following steps so that the Migration Hub Orchestrator plugin can communicate with the source server.
We recommend this option if you already have Certificate Authority (CA) set up for your application servers.
To set up certificate-based authentication on your Linux servers
-
Copy the username that works with all of your remote servers.
-
Copy the public key of the plugin to the CA.
The public key for the plugin can be found in the following location:
/opt/amazon/mhub-orchestrator-plugin/remote-auth/linux/keys/id_rsa_assessment.pub
This public key must be added to your CA for generating the certificate.
-
Copy the certificate that was generated in the previous step to the following location in the plugin:
/opt/amazon/mhub-orchestrator-plugin/remote-auth/linux/keys
The name of the certificate must be id_rsa_assessment-cert.pub.
-
Provide the certificate file name during setup.
Set up the source server configuration on Windows servers
If you choose to set up Windows when you set up the source server in the plugin setup, you must perform the following steps so that the Migration Hub Orchestrator plugin can communicate with the source server.
To understand more about the PowerShell script that's executed on the source server, read this note.
The script enables PowerShell remote and disables all authentication methods other
than negotiate. This is used for Windows NT LAN Manager (NTLM) and sets the
"AllowUnencrypted" WSMan protocol to false to ensure that the newly created listener
accepts only encrypted traffic. Using the Microsoft provided script,
New-SelfSignedCertificateEx.ps1
, it creates a self-signed
certificate.
Any WSMan Instance that has an HTTP listener is removed, along with existing HTTPS listeners. Then, it creates a new HTTPS listener. It also creates an inbound firewall rule for TCP port 5986. In the final step, the WinRM service is restarted.
To set up a remote connection on Windows 2008 servers
-
Use the following command to check the version of PowerShell installed on your server.
$PSVersionTable
-
If the PowerShell version is not 5.1, then download and install WMF 5.1 by following the instructions at Install and Configure WMF 5.1
in the Microsoft documentation. -
Use the following command in a new PowerShell window to ensure that PowerShell 5.1 is installed.
$PSVersionTable
To set up a remote connection on Windows 2012 and newer servers
-
Download the setup script from the following URL:
-
Download the
New-SelfSignedCertificateEx.ps1
from the following URL and paste the script into the same folder in which you downloadedWinRMSetup.ps1
: -
To complete the setup, run the downloaded PowerShell script on all application servers.
.\WinRMSetup.ps1
Note
If Windows Remote Management (WinRM) is not set up properly on the Windows Remote Server, an attempt to communicate will fail. If this happens, you must delete the certificate that corresponds to that server from the following location on the container:
/opt/amazon/mhub-orchestrator-plugin/remote-auth/windows/certs/ads-server-id
.cer
After you delete the certificate, wait for the ongoing process to be retried.