Manage Lockdown Mode with New API in vSphere 4.1

As a feature, lockdown mode has been added to vSphere 4.0 . Enabling it disables all remote root access to an ESXi machine. Any local changes to the host must be using:

  • DCUI (Direct Console User Interface).
  • vSphere Client or vCLI connecting to vCenter.
  • vSphere Client or vCLI connecting to ESXi with a local user account on the host.

My colleague Duncan Epping has summarized a table showing whether you can change ESXi with different access methods in two modes.

Lost VMs or Containers? Too Many Consoles? Too Slow GUI? Time to learn how to "Google" and manage your VMware and clouds in a fast and secure HTML5 App.

As a general practice for better security, it’s recommended to enable lockdown mode. However the lockdown mode could be breached by adding root user to local groups, according to vSphere Hardening Guide ( see HCN03 on page 48). You may want to read it carefully.

You can manage lockdown mode through vSphere Client or DCUI, but not from public API until vSphere 4.1. As you would expect, there are two methods defined with the HostSystem type in vSphere Java API:

public void enterLockdownMode() throws HostConfigFault, RuntimeFault, RemoteException;
public void exitLockdownMode() throws HostConfigFault, RuntimeFault, RemoteException;

These two methods are pretty straightforward. To call these methods, the user must connect to vCenter and have “Host.Config.Settings” privilege though.




How to tell whether an ESXi host is in lockdown mode? You can easily tell from the “config. adminDisabled” sub-property as shown in the following code:

boolean lockeddown = host.getConfig().getAdminDisabled();

Please note this code works *ONLY* while you connect to vCenter directly, the same requirement for calling the two methods.

This entry was posted in vSphere API and tagged , , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


    My company has created products like vSearch ("Super vCenter"), vijavaNG APIs, EAM APIs, ICE tool. We also help clients with virtualization and cloud computing on customized development, training. Should you, or someone you know, need these products and services, please feel free to contact me: steve __AT__

    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de factor open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.