This handbook provides a complete, step-by-step health check procedure for VMware vCenter Server 8.x deployed within a VCF 9.0 environment. It is designed for VMware administrators who need to verify vCenter Server health during:
| Area | Components Checked |
|---|---|
| Core Services | VPXD, vmon services, service-control status |
| Appliance Health | VAMI REST API health endpoints for system, memory, storage, load, swap |
| Database | Embedded PostgreSQL health, VCDB size, vacuum status |
| High Availability | VCHA mode, active/passive/witness, failover readiness |
| Certificates | Machine SSL, STS, VECS stores, certificate expiry |
| Storage | Disk partitions, log storage, database storage, filesystem utilization |
| Performance | CPU, memory, swap, load average via API and CLI |
| Identity | SSO domain, identity sources, LDAP/AD binding, token validation |
| Plugins | Registered extensions, plugin health, stale cleanup |
| Lookup Service | Service registrations, STS health, PSC endpoints |
| Inventory | Datacenter/cluster/host/VM counts, consistency |
| Logging | Syslog forwarding, log rotation, log bundle generation |
| Time Sync | NTP configuration, drift check |
Each check in this handbook follows a consistent format:
$VC_FQDN = vCenter Server FQDN (e.g., vcenter01.lab.local)$VC_USER = administrator@vsphere.local$VC_PASS = vCenter SSO administrator password$VC_TOKEN = Session token obtained via authentication API
| Access Type | Details |
|---|---|
| SSH Access | Root shell access to vCenter Appliance (enable via VAMI if disabled) |
| VAMI Access | https://$VC_FQDN:5480 -- root credentials |
| vSphere Client | https://$VC_FQDN/ui -- administrator@vsphere.local |
| REST API | https://$VC_FQDN/api -- session-based authentication |
| SDDC Manager | For VCF-specific lifecycle checks |
| Tool | Purpose |
|---|---|
curl |
REST API calls from jump host or local machine |
jq |
JSON parsing of API responses |
openssl |
Certificate inspection and expiry checks |
| SSH client | Shell access for CLI commands |
| Web browser | VAMI and vSphere Client access |
Set these variables before running commands:
# vCenter connection variables
export VC_FQDN="vcenter01.lab.local"
export VC_USER="administrator@vsphere.local"
export VC_PASS='YourPasswordHere'
# Obtain a session token
export VC_TOKEN=$(curl -sk -X POST \
"https://${VC_FQDN}/api/session" \
-u "${VC_USER}:${VC_PASS}" | tr -d '"')
# Verify the token was obtained
echo "Session Token: ${VC_TOKEN}"
read -s VC_PASS for interactive password entry. Destroy sessions when finished with: curl -sk -X DELETE "https://${VC_FQDN}/api/session" -H "vmware-api-session-id: ${VC_TOKEN}"
If SSH is not enabled, enable it via VAMI:
https://$VC_FQDN:5480curl -sk -X PUT \
"https://${VC_FQDN}/api/appliance/access/ssh" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"enabled": true}'
| # | Check | Command / Endpoint | Pass | Warn | Fail |
|---|---|---|---|---|---|
| 4.1 | VPXD Process | service-control --status vmware-vpxd |
RUNNING | -- | STOPPED |
| 5.1 | All vCenter Services | service-control --status --all |
All STARTED | 1-2 non-critical stopped | Critical stopped |
| 6.1 | System Health (VAMI) | /api/appliance/health/system |
green | yellow | orange/red |
| 6.2 | Memory Health | /api/appliance/health/mem |
green | yellow | orange/red |
| 6.3 | Storage Health | /api/appliance/health/storage |
green | yellow | orange/red |
| 6.4 | Database Storage | /api/appliance/health/database-storage |
green | yellow | orange/red |
| 6.5 | CPU Load | /api/appliance/health/load |
green | yellow | orange/red |
| 6.6 | Swap Health | /api/appliance/health/swap |
green | yellow | orange/red |
| 6.7 | Software Packages | /api/appliance/health/softwarepackages |
green | yellow | red |
| 7.1 | PostgreSQL Status | systemctl status vmware-vpostgres |
active | -- | inactive |
| 7.2 | VCDB Size | SQL query | <50GB | 50-80GB | >80GB |
| 8.1 | VCHA Mode | /api/vcenter/vcha/cluster/mode |
ENABLED | -- | DISABLED |
| 9.1 | Machine SSL Cert | openssl expiry check |
>60 days | 30-60 days | <30 days |
| 9.3 | STS Certificate | /usr/lib/vmware-vmca check |
>60 days | 30-60 days | <30 days |
| 10.1 | Disk Utilization | df -h |
<70% | 70-85% | >85% |
| 11.1 | CPU Utilization | API + top |
<70% | 70-85% | >85% |
| 11.2 | Memory Utilization | API + free |
<80% | 80-90% | >90% |
| 12.1 | SSO Domain | sso-config.sh |
Healthy | -- | Error |
| 14.1 | Lookup Service | lstool.py |
Registered | -- | Missing |
| 17.1 | NTP Sync | /api/appliance/ntp |
Synced | Drift >1s | Not configured |
The VPXD (VMware VirtualCenter Server Daemon) is the core service of vCenter Server. It manages ESXi hosts, virtual machines, storage, and networking. If VPXD is down, the entire vCenter is non-functional.
# Check VPXD service status
service-control --status vmware-vpxd
Expected Output (Healthy):
VMware vCenter Server:Status: RUNNING
systemctl status vmware-vpxd
Expected Output (Healthy):
● vmware-vpxd.service - VMware vCenter Server
Loaded: loaded (/usr/lib/systemd/system/vmware-vpxd.service; enabled)
Active: active (running) since Mon 2026-03-23 10:15:22 UTC; 3 days ago
Main PID: 5432 (vpxd)
Tasks: 312
Memory: 2.1G
CGroup: /system.slice/vmware-vpxd.service
└─5432 /usr/lib/vmware-vpxd/vpxd
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/services/vmware-vpxd" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
| Condition | Result | Badge |
|---|---|---|
| Status = RUNNING, Active (running) | Healthy | PASS |
| Status = STARTING (briefly during boot) | Transitional | WARN |
| Status = STOPPED or inactive (dead) | Critical failure | FAIL |
service-control --start vmware-vpxdtail -200 /var/log/vmware/vpxd/vpxd.lognetstat -tlnp | grep 443systemctl status vmware-vpostgresservice-control --stop --all && service-control --start --all
# Stop then start VPXD
service-control --stop vmware-vpxd
sleep 10
service-control --start vmware-vpxd
# Verify it came back
service-control --status vmware-vpxd
# Nuclear option -- restarts all vCenter services
service-control --stop --all
sleep 15
service-control --start --all
# Verify all services
service-control --status --all
| Log File | Purpose |
|---|---|
/var/log/vmware/vpxd/vpxd.log |
Main VPXD log -- service operations, errors |
/var/log/vmware/vpxd/vpxd-alert.log |
Critical alerts only |
/var/log/vmware/vpxd/vpxd-profiler.log |
Performance profiling data |
/var/log/vmware/vpxd/vpxd-svcs.log |
Service-level operations |
# Last 50 error entries in VPXD log
grep -i "error\|fatal\|panic\|exception" /var/log/vmware/vpxd/vpxd.log | tail -50
# Check for crash indicators
grep -c "core dump\|segfault\|SIGABRT" /var/log/vmware/vpxd/vpxd.log
# Check VPXD alert log
cat /var/log/vmware/vpxd/vpxd-alert.log | tail -20
Expected Output (Healthy): No recent fatal errors, no crash indicators, alert log empty or minimal entries.
| Condition | Badge |
|---|---|
| No errors or only informational entries | PASS |
| Warning-level entries present | WARN |
| Fatal/crash/exception entries in last 24h | FAIL |
The vmon-cli utility manages vCenter services at the vMon (VMware Service Lifecycle Manager) level.
vmon-cli --list
Expected Output (Healthy):
analyticss STARTED
applmgmt STARTED
certificateauthority STARTED
certificatemanagement STARTED
cis-license STARTED
content-library STARTED
eam STARTED
envoy STARTED
hvc STARTED
imagebuilder STARTED
infraprofile STARTED
lookupsvc STARTED
netdumper STARTED
observability STARTED
perfcharts STARTED
pschealth STARTED
rbd STARTED
rhttpproxy STARTED
sca STARTED
sps STARTED
statsmonitor STARTED
sts STARTED
topologysvc STARTED
trustmanagement STARTED
updatemgr STARTED
vapi-endpoint STARTED
vcha STARTED
vlcm STARTED
vmcam STARTED
vmonapi STARTED
vmware-vpostgres STARTED
vpxd STARTED
vpxd-svcs STARTED
vsan-health STARTED
vsm STARTED
vsphere-ui STARTED
vstats STARTED
vtsdb STARTED
wcp STARTED
# Check a single service
vmon-cli --status vpxd
# Check multiple services
for svc in vpxd lookupsvc sts vmware-vpostgres vsphere-ui; do
echo "$svc: $(vmon-cli --status $svc)"
done
service-control --status --all
Expected Output (Healthy):
VMware vCenter Server:Status: RUNNING
VMware vAPI Endpoint:Status: RUNNING
VMware Content Library:Status: RUNNING
VMware Certificate Authority:Status: RUNNING
VMware Identity Management Service:Status: RUNNING
VMware Lookup Service:Status: RUNNING
VMware Security Token Service:Status: RUNNING
VMware vSphere Client:Status: RUNNING
VMware vSphere Update Manager:Status: RUNNING
VMware PostgreSQL:Status: RUNNING
VMware HTTP Reverse Proxy:Status: RUNNING
VMware Envoy Service:Status: RUNNING
...
(all services RUNNING)
# Stop a specific service
service-control --stop vmware-updatemgr
# Start a specific service
service-control --start vmware-updatemgr
# Restart a specific service (stop + start)
service-control --stop vmware-vsphere-ui && service-control --start vmware-vsphere-ui
| Service | Criticality | Impact if Stopped |
|---|---|---|
vpxd |
CRITICAL | vCenter completely non-functional |
vmware-vpostgres |
CRITICAL | Database unavailable, all services fail |
vmware-sts |
CRITICAL | SSO authentication fails, no logins |
lookupsvc |
CRITICAL | Service discovery fails |
rhttpproxy |
CRITICAL | All HTTPS endpoints inaccessible |
envoy |
CRITICAL | Reverse proxy down, API unreachable |
vpxd-svcs |
HIGH | vCenter sub-services degraded |
vsphere-ui |
HIGH | vSphere Client (HTML5) unavailable |
vapi-endpoint |
HIGH | REST API unavailable |
vmware-sps |
MEDIUM | Storage profile service down |
content-library |
MEDIUM | Content library operations fail |
updatemgr |
MEDIUM | vSphere Lifecycle Manager offline |
vlcm |
MEDIUM | Lifecycle operations unavailable |
eam |
MEDIUM | ESX Agent Manager down |
perfcharts |
LOW | Performance charts unavailable |
imagebuilder |
LOW | Image building unavailable |
vstats |
LOW | vStats collection paused |
netdumper |
LOW | Network core dump receiver offline |
analytics |
LOW | CEIP analytics paused |
| Condition | Badge |
|---|---|
| All services RUNNING | PASS |
| 1-2 LOW/MEDIUM services stopped | WARN |
| Any CRITICAL/HIGH service stopped | FAIL |
service-control --start <service-name>service-control --start --alljournalctl -u <service-name> --no-pager -n 100reboot (from appliance shell)
The VAMI (vCenter Server Appliance Management Interface) REST API provides health status for all key appliance subsystems. These endpoints return standardized color-coded health states: green, yellow, orange, red, gray.
green = Healthy | yellow = Warning, degraded | orange = Degraded, action needed | red = Critical failure | gray = Unknown / not available
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/system" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"green"
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/system?messages=true" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
| Condition | Badge |
|---|---|
"green" |
PASS |
"yellow" |
WARN |
"orange" or "red" |
FAIL |
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/mem" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"green"
| Condition | Threshold | Badge |
|---|---|---|
"green" |
Memory utilization < 80% | PASS |
"yellow" |
Memory utilization 80-95% | WARN |
"orange" / "red" |
Memory utilization > 95% or OOM | FAIL |
top -o %MEMservice-control --stop vmware-vpxd && service-control --start vmware-vpxdgrep -i "out of memory\|oom" /var/log/vmware/vpxd/vpxd.logcurl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/storage" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"green"
| Condition | Threshold | Badge |
|---|---|---|
"green" |
All partitions below warning threshold | PASS |
"yellow" |
One or more partitions 70-85% full | WARN |
"orange" / "red" |
Partitions > 85% full | FAIL |
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/database-storage" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"green"
| Condition | Threshold | Badge |
|---|---|---|
"green" |
DB storage utilization < 70% | PASS |
"yellow" |
DB storage utilization 70-85% | WARN |
"orange" / "red" |
DB storage utilization > 85% | FAIL |
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/load" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"green"
| Condition | Threshold | Badge |
|---|---|---|
"green" |
Load average within normal range | PASS |
"yellow" |
Load average elevated | WARN |
"orange" / "red" |
Load critically high | FAIL |
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/swap" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"green"
| Condition | Threshold | Badge |
|---|---|---|
"green" |
Swap usage minimal or zero | PASS |
"yellow" |
Swap usage moderate | WARN |
"orange" / "red" |
Swap usage critically high | FAIL |
free -m and swapon --showfor pid in /proc/[0-9]*; do awk '/VmSwap/{print FILENAME,$0}' $pid/status 2>/dev/null; done | sort -k3 -rn | head -20curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/softwarepackages" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"green"
| Condition | Badge |
|---|---|
"green" -- All packages consistent |
PASS |
"yellow" -- Minor package inconsistencies |
WARN |
"red" -- Package corruption or missing packages |
FAIL |
Run all health checks at once:
echo "=== vCenter Appliance Health Summary ==="
for endpoint in system mem storage database-storage load swap softwarepackages; do
result=$(curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/${endpoint}" \
-H "vmware-api-session-id: ${VC_TOKEN}" | tr -d '"')
printf "%-25s : %s\n" "$endpoint" "$result"
done
Expected Output (All Healthy):
=== vCenter Appliance Health Summary ===
system : green
mem : green
storage : green
database-storage : green
load : green
swap : green
softwarepackages : green
vCenter Server 8.x uses an embedded PostgreSQL database (vPostgres) for all configuration and inventory data. Database health is foundational to vCenter operations.
# Check vPostgres service
systemctl status vmware-vpostgres
Expected Output (Healthy):
● vmware-vpostgres.service - VMware Postgres
Loaded: loaded (/usr/lib/systemd/system/vmware-vpostgres.service; enabled)
Active: active (running) since Mon 2026-03-23 10:14:55 UTC; 3 days ago
Main PID: 4821 (postgres)
Tasks: 48
Memory: 512.3M
CGroup: /system.slice/vmware-vpostgres.service
├─4821 /opt/vmware/vpostgres/current/bin/postgres -D /storage/db/vpostgres
├─4910 postgres: checkpointer
├─4911 postgres: background writer
└─ ...
# Connect to VCDB and run a basic query
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "SELECT version();"
Expected Output:
version
------------------------------------------------------------------------------------------------------------
PostgreSQL 14.x (VMware Postgres 14.x) on x86_64-unknown-linux-gnu, compiled by gcc ...
(1 row)
| Condition | Badge |
|---|---|
| Service active (running), query succeeds | PASS |
| Service active but slow queries | WARN |
| Service inactive or query fails | FAIL |
# Check total VCDB size
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c \
"SELECT pg_size_pretty(pg_database_size('VCDB')) AS db_size;"
Expected Output:
db_size
---------
12 GB
(1 row)
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "
SELECT
schemaname || '.' || tablename AS table_full_name,
pg_size_pretty(pg_total_relation_size(schemaname || '.' || tablename)) AS total_size
FROM pg_tables
WHERE schemaname NOT IN ('pg_catalog', 'information_schema')
ORDER BY pg_total_relation_size(schemaname || '.' || tablename) DESC
LIMIT 15;"
Expected Output:
table_full_name | total_size
----------------------------------+------------
vc.vpx_event_arg | 3200 MB
vc.vpx_event | 2100 MB
vc.vpx_task_event | 1800 MB
vc.vpx_stat_counter | 980 MB
vc.vpx_task | 850 MB
...
(15 rows)
| Condition | Badge |
|---|---|
| VCDB size < 50 GB | PASS |
| VCDB size 50 - 80 GB | WARN |
| VCDB size > 80 GB | FAIL |
task.maxAge and event.maxAge to 30 days/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "DELETE FROM vc.vpx_event WHERE create_time < NOW() - INTERVAL '30 days';"/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "VACUUM FULL ANALYZE;"
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "
SELECT
schemaname || '.' || relname AS table_name,
last_vacuum,
last_autovacuum,
last_analyze,
n_dead_tup
FROM pg_stat_user_tables
WHERE n_dead_tup > 1000
ORDER BY n_dead_tup DESC
LIMIT 10;"
Expected Output:
table_name | last_vacuum | last_autovacuum | last_analyze | n_dead_tup
-------------------------+-----------------------+----------------------+-----------------------+------------
vc.vpx_event_arg | 2026-03-25 02:00:01 | 2026-03-25 14:30:22 | 2026-03-25 02:00:01 | 2341
vc.vpx_event | 2026-03-25 02:00:01 | 2026-03-25 14:28:11 | 2026-03-25 02:00:01 | 1822
...
# Standard vacuum (non-blocking)
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "VACUUM ANALYZE;"
# Full vacuum (blocking, reclaims space)
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c "VACUUM FULL ANALYZE;"
VACUUM FULL acquires an exclusive lock on each table and rewrites the entire table. Only run during a maintenance window. Standard VACUUM ANALYZE is safe to run at any time.
| Condition | Badge |
|---|---|
| Autovacuum ran in last 24h, dead tuples < 10,000 | PASS |
| Autovacuum > 48h ago or dead tuples 10,000 - 100,000 | WARN |
| No vacuum in 7+ days or dead tuples > 100,000 | FAIL |
vCenter High Availability (VCHA) provides automated failover for vCenter Server using an active/passive/witness architecture.
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/vcha/cluster/mode" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
Expected Output (VCHA Enabled):
{
"mode": "ENABLED"
}
curl -sk -X POST \
"https://${VC_FQDN}/api/vcenter/vcha/cluster?action=get" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"partial": false}' | jq .
Expected Output (Healthy VCHA):
{
"config_state": "CONFIGURED",
"mode": "ENABLED",
"health_state": "HEALTHY",
"node1": {
"state": "UP",
"role": "ACTIVE",
"runtime": {
"ip": {
"ipv4": { "address": "10.0.0.101" }
}
}
},
"node2": {
"state": "UP",
"role": "PASSIVE",
"runtime": {
"ip": {
"ipv4": { "address": "10.0.0.102" }
}
}
},
"witness": {
"state": "UP",
"runtime": {
"ip": {
"ipv4": { "address": "10.0.0.103" }
}
}
}
}
| Condition | Badge |
|---|---|
| mode=ENABLED, health_state=HEALTHY, all nodes UP | PASS |
| mode=ENABLED but one node degraded | WARN |
| mode=DISABLED or health_state not HEALTHY | FAIL |
# Check VCHA state via CLI
/usr/lib/vmware-vcha/vcha-cli cluster-get-state
Expected Output:
VCHA Cluster State: HEALTHY
Active Node State: UP
Passive Node State: UP
Witness Node State: UP
Replication State: IN_SYNC
# Check replication lag from active node
/opt/vmware/vpostgres/current/bin/psql -U postgres -c \
"SELECT client_addr, state, sent_lsn, write_lsn, flush_lsn, replay_lsn,
(sent_lsn - replay_lsn) AS replication_lag
FROM pg_stat_replication;"
| Condition | Badge |
|---|---|
| Replication state IN_SYNC, lag = 0 | PASS |
| Replication active but lag > 0 | WARN |
| Replication not running | FAIL |
# Initiate planned failover via API
curl -sk -X POST \
"https://${VC_FQDN}/api/vcenter/vcha/cluster?action=failover" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"planned": true}'
ping <passive-ip>ping <witness-ip>/var/log/vmware/vcha/vcha.logCertificate expiry is one of the most common causes of vCenter outages. Regular monitoring of all certificate stores is essential.
# Launch Certificate Manager (interactive)
/usr/lib/vmware-vmca/bin/certificate-manager
This interactive tool provides options:
/usr/lib/vmware-vmafd/bin/vecs-cli store list
Expected Output:
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
hvc
data-encipherment
APPLMGMT_PASSWORD
SMS
wcp
backup_store
# List Machine SSL certificate
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT
Expected Output:
Alias : __MACHINE_CERT
Entry type : Private Key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert \
--store MACHINE_SSL_CERT --alias __MACHINE_CERT | \
openssl x509 -noout -subject -issuer -dates -serial
Expected Output:
subject=CN = vcenter01.lab.local
issuer=CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = lab.local
notBefore=Jan 15 00:00:00 2026 GMT
notAfter=Jan 15 00:00:00 2028 GMT
serial=3A4B5C6D7E8F
The Security Token Service (STS) signing certificate is critical for SSO authentication.
# Extract and check the STS signing certificate
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list \
--login administrator@vsphere.local \
--password "${VC_PASS}" | head -20
# Get STS certificate from LDAP
/usr/lib/vmware-vmdir/bin/ldapsearch -h localhost -p 389 \
-b "cn=TenantCredential-1,cn=local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" \
-D "cn=administrator,cn=users,dc=vsphere,dc=local" \
-w "${VC_PASS}" \
userCertificate 2>/dev/null | grep -A1 "userCertificate"
# VMware-provided STS cert check script
python /usr/lib/vmware-vmca/share/config/checksts.py
Expected Output (Healthy):
STS signing certificate:
Subject: CN=ssoserver-sign
Not Before: Jan 15 00:00:00 2026 GMT
Not After: Jan 15 00:00:00 2028 GMT
Days remaining: 661
Status: VALID
| Condition | Badge |
|---|---|
| STS cert > 60 days until expiry | PASS |
| STS cert 30 - 60 days until expiry | WARN |
| STS cert < 30 days or expired | FAIL |
# Check Machine SSL cert expiry remotely
echo | openssl s_client -connect ${VC_FQDN}:443 -servername ${VC_FQDN} 2>/dev/null | \
openssl x509 -noout -subject -issuer -dates -checkend 2592000
Expected Output (Healthy):
subject=CN = vcenter01.lab.local
issuer=CN = CA, DC = vsphere, DC = local
notBefore=Jan 15 00:00:00 2026 GMT
notAfter=Jan 15 00:00:00 2028 GMT
Certificate will not expire
for store in machine vsphere-webclient vpxd vpxd-extension; do
echo "=== Store: ${store} ==="
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert \
--store ${store} --alias ${store} 2>/dev/null | \
openssl x509 -noout -subject -dates 2>/dev/null
done
# Check all VECS stores for certificate expiry
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do
for alias in $(/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store ${store} 2>/dev/null | grep "Alias" | awk '{print $3}'); do
CERT=$(/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store ${store} --alias ${alias} 2>/dev/null)
if [ -n "$CERT" ]; then
EXPIRY=$(echo "$CERT" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
DAYS=$(echo "$CERT" | openssl x509 -noout -checkend 0 2>/dev/null && echo "VALID" || echo "EXPIRED")
printf "Store: %-25s Alias: %-25s Expires: %-30s Status: %s\n" "$store" "$alias" "$EXPIRY" "$DAYS"
fi
done
done
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/certificate-management/vcenter/tls" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq '{
subject: .subject_dn,
issuer: .issuer_dn,
valid_from: .valid_from,
valid_to: .valid_to
}'
Expected Output:
{
"subject": "CN=vcenter01.lab.local",
"issuer": "CN=CA, DC=vsphere, DC=local",
"valid_from": "2026-01-15T00:00:00.000Z",
"valid_to": "2028-01-15T00:00:00.000Z"
}
| Condition | Badge |
|---|---|
| All certificates > 60 days until expiry | PASS |
| Any certificate 30 - 60 days until expiry | WARN |
| Any certificate < 30 days or expired | FAIL |
/usr/lib/vmware-vmca/bin/certificate-manager option 8 (reset) as last resortdf -h
Expected Output (Healthy):
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 11G 4.2G 6.1G 41% /
tmpfs 6.0G 48M 5.9G 1% /dev/shm
/dev/sda1 128M 32M 97M 25% /boot
/dev/sda5 25G 5.8G 18G 25% /storage/log
/dev/sda6 10G 2.1G 7.4G 22% /storage/db
/dev/sda8 50G 9.2G 38G 20% /storage/seat
/dev/sda9 25G 3.3G 20G 15% /storage/netdump
/dev/sda10 10G 1.2G 8.2G 13% /storage/autodeploy
/dev/sda11 10G 836M 8.6G 9% /storage/imagebuilder
/dev/sda12 10G 2.5G 7.0G 27% /storage/updatemgr
/dev/sda13 5G 63M 4.7G 2% /storage/lifecycle
df -ih
| Partition | Warn Threshold | Fail Threshold | Badge (Healthy) |
|---|---|---|---|
/ (root) |
> 70% | > 85% | PASS |
/storage/log |
> 70% | > 85% | PASS |
/storage/db |
> 70% | > 85% | PASS |
/storage/seat |
> 70% | > 85% | PASS |
| All others | > 75% | > 90% | PASS |
# Check /storage/log usage
du -sh /storage/log/* 2>/dev/null | sort -rh | head -15
Expected Output:
2.1G /storage/log/vmware/vpxd
812M /storage/log/vmware/vsphere-ui
543M /storage/log/vmware/sso
322M /storage/log/vmware/eam
210M /storage/log/vmware/rhttpproxy
...
find /storage/log -type f -size +100M -exec ls -lh {} \; 2>/dev/null
# Check /storage/db usage
du -sh /storage/db/*
Expected Output:
8.2G /storage/db/vpostgres
# Check PostgreSQL WAL files
du -sh /storage/db/vpostgres/pg_wal/
| Condition | Badge |
|---|---|
| All partitions < 70% | PASS |
| Any partition 70 - 85% | WARN |
| Any partition > 85% | FAIL |
find /storage/log -name "*.log" -mtime +7 -deletelogrotate -f /etc/logrotate.confrm -rf /storage/log/vmware/vpxd/vpxd-*.log.[0-9]*/opt/vmware/vpostgres/current/bin/pg_archivecleanup /storage/db/vpostgres/pg_wal/ <oldest_needed_wal>/usr/lib/applmgmt/support/scripts/expand_disk.sh
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/load" \
-H "vmware-api-session-id: ${VC_TOKEN}"
# Current CPU load
uptime
Expected Output:
14:22:33 up 3 days, 4:07, 1 user, load average: 1.23, 1.45, 1.32
# Top CPU consumers
top -bn1 | head -20
# CPU info
nproc
cat /proc/cpuinfo | grep "model name" | head -1
| Condition | Badge |
|---|---|
| Load average < number of CPUs (< 70% per core) | PASS |
| Load average 70-85% of CPU count | WARN |
| Load average > 85% of CPU count sustained | FAIL |
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/health/mem" \
-H "vmware-api-session-id: ${VC_TOKEN}"
free -m
Expected Output (Healthy):
total used free shared buff/cache available
Mem: 24576 14234 2180 312 8162 9876
Swap: 3071 32 3039
# Memory usage percentage
free -m | awk 'NR==2{printf "Memory Usage: %.1f%%\n", $3*100/$2}'
| Condition | Badge |
|---|---|
| Memory usage < 80% | PASS |
| Memory usage 80 - 90% | WARN |
| Memory usage > 90% | FAIL |
# Swap usage
swapon --show
Expected Output (Healthy):
NAME TYPE SIZE USED PRIO
/dev/sda2 partition 3G 32M -2
# Detailed swap info
cat /proc/swaps
vmstat 1 5
| Condition | Badge |
|---|---|
| Swap usage < 5% | PASS |
| Swap usage 5 - 25% | WARN |
| Swap usage > 25% | FAIL |
top -bn1 -o %MEM | head -20service-control --stop vmware-vpxd && service-control --start vmware-vpxdps aux | grep java | grep -v grep/var/log/vmware/vpxd/vpxd.log for repeated task patterns
# List SSO domains
/opt/vmware/bin/sso-config.sh -get_identity_sources
Expected Output:
Identity Source: vsphere.local
Type: System Domain
Default: true
Identity Source: lab.local
Type: ActiveDirectory
Default: false
/opt/vmware/bin/sso-config.sh -get_default_identity_sources
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/identity/providers" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
# Test SSO login via API session creation
curl -sk -w "\nHTTP_CODE: %{http_code}\n" -X POST \
"https://${VC_FQDN}/api/session" \
-u "administrator@vsphere.local:${VC_PASS}"
Expected Output (Healthy):
"b1a2c3d4-e5f6-7890-abcd-ef1234567890"
HTTP_CODE: 201
| Condition | Badge |
|---|---|
| HTTP 201, session token returned | PASS |
| HTTP 401 (credentials issue) | WARN |
| HTTP 500 or connection timeout | FAIL |
# Test LDAP bind to AD (if AD identity source configured)
ldapsearch -h dc01.lab.local -p 389 \
-D "CN=svc_vcenter,OU=Service Accounts,DC=lab,DC=local" \
-w 'ServiceAccountPassword' \
-b "DC=lab,DC=local" \
-s base "(objectClass=*)" 2>&1 | head -5
Expected Output (Healthy):
# extended LDIF
#
# LDAPv3
# base <DC=lab,DC=local> with scope baseObject
# filter: (objectClass=*)
# Check vmdir service status
systemctl status vmware-stsd
/opt/vmware/bin/ldapsearch -h localhost -p 389 \
-b "" -s base "(objectClass=*)" namingContexts 2>/dev/null
# Verify existing session token is valid
curl -sk -X GET \
"https://${VC_FQDN}/api/session" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
Expected Output (Valid Token):
{
"user": "VSPHERE.LOCAL\\Administrator",
"created_time": "2026-03-26T10:15:22.000Z"
}
| Condition | Badge |
|---|---|
| Token valid, user details returned | PASS |
| Token expired (HTTP 401) | WARN |
| SSO service unreachable (HTTP 503) | FAIL |
service-control --stop vmware-stsd && service-control --start vmware-stsdtail -100 /var/log/vmware/sso/ssoAdminServer.log/usr/lib/vmware-vmdir/bin/dir-cli password reset --account administrator --new <new_pass>curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/namespace-management/software/registries" \
-H "vmware-api-session-id: ${VC_TOKEN}" 2>/dev/null | jq .
Navigate to: https://$VC_FQDN/mob/?moid=ExtensionManager&doPath=extensionList
Connect-VIServer -Server $VC_FQDN -User $VC_USER -Password $VC_PASS
$em = Get-View ExtensionManager
$em.ExtensionList | Select-Object Key, Description, Company, Version | Format-Table -AutoSize
Expected Output:
Key Description Company Version
--- ----------- ------- -------
com.vmware.vim.sms Storage Monitoring VMware, Inc. 8.0.3
com.vmware.vcIntegrity vSphere Lifecycle Mgr VMware, Inc. 8.0.3
com.vmware.vim.eam ESX Agent Manager VMware, Inc. 8.0.3
com.vmware.rbd RBD VMware, Inc. 8.0.3
com.vmware.h4.vsphere.client vSphere Client VMware, Inc. 8.0.3
com.vmware.nsx.management.nsxt NSX VMware, Inc. 4.2.1
...
# Check plugin health via REST
curl -sk -X GET \
"https://${VC_FQDN}/ui/extensionmanager/extensionlist" \
-H "vmware-api-session-id: ${VC_TOKEN}" 2>/dev/null | jq '.[].key'
# Check vsphere-ui logs for plugin errors
grep -i "plugin\|extension" /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log | \
grep -i "error\|fail\|exception" | tail -20
| Condition | Badge |
|---|---|
| All expected plugins registered and loading | PASS |
| Some plugins failing to load but not critical | WARN |
| Core plugins missing or all failing | FAIL |
# Check for plugins whose server URL is unreachable
curl -sk -X GET \
"https://${VC_FQDN}/mob/?moid=ExtensionManager" \
-H "vmware-api-session-id: ${VC_TOKEN}" 2>/dev/null
https://$VC_FQDN/mob/?moid=ExtensionManagerUnregisterExtensioncom.vendor.stale.plugin)Invoke Method$em = Get-View ExtensionManager
$em.UnregisterExtension("com.vendor.stale.plugin")
service-control --stop vsphere-ui && service-control --start vsphere-uirm -rf /etc/vmware/vsphere-ui/cm-init-*The Lookup Service is the service registry for all vSphere components. Since vCenter 7.0+, the Platform Services Controller (PSC) is embedded.
service-control --status vmware-lookupsvc
Expected Output:
VMware Lookup Service:Status: RUNNING
# Use lstool to list registrations
python /usr/lib/vmidentity/tools/scripts/lstool.py list \
--url "https://localhost/lookupservice/sdk" \
--no-check-cert 2>/dev/null | head -60
Expected Output (Healthy):
=== Service Registration ===
Service ID: vcenterserver
Owner ID: vcenter01.lab.local@vsphere.local
Service Type: vcenterserver
Endpoints:
URL: https://vcenter01.lab.local/sdk
Protocol: vmomi
Service ID: cs.identity
Owner ID: vcenter01.lab.local@vsphere.local
Service Type: cs.identity
Endpoints:
URL: https://vcenter01.lab.local/sts/STSService/vsphere.local
Protocol: wsTrust
...
# Check STS service status
service-control --status vmware-stsd
Expected Output:
VMware Security Token Service:Status: RUNNING
# Verify STS can issue tokens by creating an API session
curl -sk -X POST \
"https://${VC_FQDN}/api/session" \
-u "${VC_USER}:${VC_PASS}" \
-w "\nHTTP Status: %{http_code}\n"
| Condition | Badge |
|---|---|
| STS running, tokens issued successfully | PASS |
| STS running but slow token issuance (> 5s) | WARN |
| STS stopped or tokens not issued | FAIL |
python /usr/lib/vmidentity/tools/scripts/lstool.py list \
--url "https://localhost/lookupservice/sdk" \
--no-check-cert 2>/dev/null | grep "Service Type" | sort -u
Expected Service Types:
Service Type: cs.authorization
Service Type: cs.identity
Service Type: cs.license
Service Type: cs.lookup
Service Type: cs.privilege
Service Type: sso:admin
Service Type: sso:groupcheck
Service Type: sso:sts
Service Type: vcenterserver
Service Type: cs.inventory
Service Type: cs.envoy
| Condition | Badge |
|---|---|
| All expected service types registered | PASS |
| Some non-critical registrations missing | WARN |
| Core registrations (sts, identity, vcenterserver) missing | FAIL |
service-control --stop vmware-lookupsvc && service-control --start vmware-lookupsvc/usr/lib/vmware-lookupsvc/tools/ls_update_certs.py --url https://localhost/lookupservice/sdk --fingerprint <thumbprint>/var/log/vmware/lookupsvc/lookupsvc.log/usr/lib/vmware-lookupsvc/tools/ls_recover.py
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/datacenter" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length'
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/datacenter" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq '.[] | {name, datacenter}'
Expected Output:
{
"name": "DC-Site-A",
"datacenter": "datacenter-1"
}
{
"name": "DC-Site-B",
"datacenter": "datacenter-2"
}
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/cluster" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq '.[] | {name, cluster, ha_enabled, drs_enabled}'
Expected Output:
{
"name": "Management-Cluster",
"cluster": "domain-c8",
"ha_enabled": true,
"drs_enabled": true
}
{
"name": "Workload-Cluster-01",
"cluster": "domain-c44",
"ha_enabled": true,
"drs_enabled": true
}
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/host" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq '.[] | {name, host, connection_state, power_state}'
Expected Output:
{
"name": "esxi01.lab.local",
"host": "host-10",
"connection_state": "CONNECTED",
"power_state": "POWERED_ON"
}
{
"name": "esxi02.lab.local",
"host": "host-11",
"connection_state": "CONNECTED",
"power_state": "POWERED_ON"
}
# Total VM count
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/vm" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length'
# Powered-on VMs
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/vm?power_states=POWERED_ON" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length'
echo "=== vCenter Inventory Summary ==="
DC=$(curl -sk "https://${VC_FQDN}/api/vcenter/datacenter" -H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length')
CL=$(curl -sk "https://${VC_FQDN}/api/vcenter/cluster" -H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length')
HO=$(curl -sk "https://${VC_FQDN}/api/vcenter/host" -H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length')
VM=$(curl -sk "https://${VC_FQDN}/api/vcenter/vm" -H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length')
VMon=$(curl -sk "https://${VC_FQDN}/api/vcenter/vm?power_states=POWERED_ON" -H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length')
DS=$(curl -sk "https://${VC_FQDN}/api/vcenter/datastore" -H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length')
NET=$(curl -sk "https://${VC_FQDN}/api/vcenter/network" -H "vmware-api-session-id: ${VC_TOKEN}" | jq 'length')
echo "Datacenters: ${DC}"
echo "Clusters: ${CL}"
echo "Hosts: ${HO}"
echo "Total VMs: ${VM}"
echo "Powered-On: ${VMon}"
echo "Datastores: ${DS}"
echo "Networks: ${NET}"
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/host?connection_states=DISCONNECTED,NOT_RESPONDING" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq '.[] | {name, connection_state}'
Expected Output (Healthy): Empty array []
curl -sk -X GET \
"https://${VC_FQDN}/api/vcenter/vm?power_states=POWERED_OFF" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq '.[] | {name, vm, power_state}'
| Condition | Badge |
|---|---|
| All hosts CONNECTED, inventory counts match expected | PASS |
| Some hosts in maintenance mode (planned) | WARN |
| Disconnected/NOT_RESPONDING hosts found | FAIL |
curl -sk -X POST "https://${VC_FQDN}/api/vcenter/host/host-XX?action=connect" -H "vmware-api-session-id: ${VC_TOKEN}"curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/logging/forwarding" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
Expected Output (Configured):
[
{
"hostname": "syslog.lab.local",
"port": 514,
"protocol": "UDP"
},
{
"hostname": "loginsight.lab.local",
"port": 9000,
"protocol": "TCP"
}
]
curl -sk -X POST \
"https://${VC_FQDN}/api/appliance/logging/forwarding?action=test" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"send_test_message": true}' | jq .
Expected Output:
[
{
"hostname": "syslog.lab.local",
"state": "UP",
"message": ""
}
]
curl -sk -X PUT \
"https://${VC_FQDN}/api/appliance/logging/forwarding" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '[{"hostname": "syslog.lab.local", "port": 514, "protocol": "UDP"}]'
| Condition | Badge |
|---|---|
| Syslog configured and test passes (state=UP) | PASS |
| Syslog configured but test fails | WARN |
| Syslog not configured | FAIL |
# Check logrotate status
cat /etc/logrotate.conf | head -20
# Check vCenter-specific rotation configs
ls -la /etc/logrotate.d/
logrotate -f /etc/logrotate.conf
curl -sk -X POST \
"https://${VC_FQDN}/api/appliance/support-bundle" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" | jq .
# Generate support bundle
/usr/lib/vmware-vpxd/support/vcdb_report.sh
# Generate full log bundle
vc-support-bundle
/storage/log before generating. Target directory: /var/log/vmware/support/
Time synchronization is critical for vCenter operations, certificate validation, SSO token integrity, and log correlation.
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/ntp" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
Expected Output:
[
"ntp1.lab.local",
"ntp2.lab.local"
]
curl -sk -X GET \
"https://${VC_FQDN}/api/appliance/timesync" \
-H "vmware-api-session-id: ${VC_TOKEN}"
Expected Output:
"NTP"
curl -sk -X PUT \
"https://${VC_FQDN}/api/appliance/ntp" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '["ntp1.lab.local", "ntp2.lab.local"]'
# Check NTP daemon status
systemctl status systemd-timesyncd
# Check NTP synchronization
timedatectl status
Expected Output (Healthy):
Local time: Thu 2026-03-26 14:22:33 UTC
Universal time: Thu 2026-03-26 14:22:33 UTC
RTC time: Thu 2026-03-26 14:22:33
Time zone: UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
# Check NTP peers
ntpq -p 2>/dev/null || chronyc sources 2>/dev/null
Expected Output:
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp1.lab.local 2 6 377 34 +0.234ms[+0.312ms] +/- 12ms
^+ ntp2.lab.local 2 6 377 35 +1.023ms[+1.101ms] +/- 15ms
# Check clock offset
chronyc tracking 2>/dev/null | grep "System time\|Last offset"
Expected Output:
System time : 0.000000234 seconds fast of NTP time
Last offset : +0.000000312 seconds
| Condition | Badge |
|---|---|
| NTP configured, synced, drift < 1 second | PASS |
| NTP configured but drift 1 - 5 seconds | WARN |
| NTP not configured or drift > 5 seconds | FAIL |
curl -sk -X PUT "https://${VC_FQDN}/api/appliance/ntp" -H "vmware-api-session-id: ${VC_TOKEN}" -H "Content-Type: application/json" -d '["pool.ntp.org"]'systemctl restart systemd-timesyncdcurl -sk -X PUT "https://${VC_FQDN}/api/appliance/timesync" -H "vmware-api-session-id: ${VC_TOKEN}" -H "Content-Type: application/json" -d '"NTP"'| Port | Protocol | Service | Source | Description |
|---|---|---|---|---|
| 22 | TCP | SSH | Admin workstations | Appliance shell access (should be disabled in production) |
| 80 | TCP | HTTP | All clients | Redirects to HTTPS (443) |
| 443 | TCP | HTTPS | All clients | vSphere Client, REST API, SDK, MOB |
| 389 | TCP | LDAP | PSC components | VMware Directory Service (vmdir) |
| 636 | TCP | LDAPS | PSC components | VMware Directory Service (secure) |
| 902 | TCP/UDP | VMware Auth | ESXi hosts | VM console proxy, host management |
| 1514 | TCP | Syslog (TLS) | ESXi hosts | Syslog collection from hosts |
| 2012 | TCP | Control Interface | Internal | vCenter control interface |
| 2020 | TCP | Auth Framework | Internal | Authentication framework |
| 5480 | TCP | VAMI | Admin workstations | Appliance Management Interface |
| 6501 | TCP | Auto Deploy | ESXi hosts | Auto Deploy service |
| 6502 | TCP | Auto Deploy | ESXi hosts | Auto Deploy reverse proxy |
| 7080 | TCP | Secure Token | Internal | VMware STS (HTTP) |
| 7444 | TCP | Secure Token | Internal | VMware STS (HTTPS) |
| 8084 | TCP | Update Manager | ESXi hosts | vSphere Update Manager |
| 9084 | TCP | Update Manager | ESXi hosts | Update Manager web client |
| 9087 | TCP | Analytics | Internal | Analytics service |
| 9123 | TCP | Migration Assistant | External | vCenter migration |
| Port | Protocol | Destination | Description |
|---|---|---|---|
| 53 | TCP/UDP | DNS servers | DNS resolution |
| 88 | TCP/UDP | AD/KDC | Kerberos authentication |
| 123 | UDP | NTP servers | Time synchronization |
| 389 | TCP | AD/LDAP | Identity source queries |
| 443 | TCP | ESXi hosts | Host management via HTTPS |
| 443 | TCP | NSX Manager | NSX integration |
| 443 | TCP | SDDC Manager | VCF lifecycle management |
| 514 | UDP | Syslog server | Syslog forwarding |
| 902 | TCP | ESXi hosts | VM console, host management |
# Check listening ports on vCenter appliance
ss -tlnp | sort -t: -k2 -n
# Check specific port connectivity
curl -sk -o /dev/null -w "%{http_code}" https://${VC_FQDN}:443
curl -sk -o /dev/null -w "%{http_code}" https://${VC_FQDN}:5480
# Check outbound connectivity
nc -zv ntp1.lab.local 123 2>&1
nc -zv dc01.lab.local 389 2>&1
nc -zv esxi01.lab.local 443 2>&1
Symptoms: vSphere Client inaccessible, service-control --status vmware-vpxd shows STOPPED.
Diagnostic Steps:
# Check VPXD logs for crash reason
tail -200 /var/log/vmware/vpxd/vpxd.log | grep -i "error\|fatal\|abort"
# Check for core dumps
ls -la /var/core/
# Check if database is reachable
systemctl status vmware-vpostgres
# Check disk space (VPXD won't start if disk full)
df -h /storage/log /storage/db /
# Check for port conflicts
ss -tlnp | grep ":443\b"
service-control --start vmware-vpostgres, then start VPXDservice-control --stop --all && service-control --start --all
Symptoms: VPXD errors referencing VCDB, inventory inconsistencies, SQL errors in logs.
# Check PostgreSQL logs
tail -100 /var/log/vmware/vpostgres/postgresql*.log
# Run database integrity check
/opt/vmware/vpostgres/current/bin/pg_isready -h localhost -p 5432
# Check for corruption indicators
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c \
"SELECT datname, datallowconn FROM pg_database;"
VACUUM FULL ANALYZE; to reclaim and rebuildREINDEX DATABASE VCDB;/opt/vmware/vpostgres/current/bin/pg_restoreSymptoms: SSO login failures, "certificate expired" errors in browser, service communication failures.
# Quick check all certs
for store in MACHINE_SSL_CERT machine vsphere-webclient vpxd vpxd-extension; do
echo "=== ${store} ==="
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store ${store} \
--alias $(/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store ${store} 2>/dev/null | grep Alias | awk '{print $3}' | head -1) 2>/dev/null | \
openssl x509 -noout -dates 2>/dev/null
done
# Check STS cert specifically
python /usr/lib/vmware-vmca/share/config/checksts.py 2>/dev/null
/usr/lib/vmware-vmca/bin/certificate-manager option 3 (VMCA) or 1 (custom)service-control --stop --all && service-control --start --allSymptoms: Cannot log in as administrator@vsphere.local, "invalid credentials" or "account locked."
# Check lockout policy
/opt/vmware/bin/sso-config.sh -get_lockout_policy
# Check failed login attempts
grep -i "login\|auth\|lock" /var/log/vmware/sso/ssoAdminServer.log | tail -30
/usr/lib/vmware-vmdir/bin/dir-cli account unlock --account administrator --password <current_password>/usr/lib/vmware-vmdir/bin/dir-cli password reset --account administrator --new <new_password>/usr/lib/vmware-vmdir/bin/vdcadmintoolSymptoms: vSphere Client slow, API timeouts, tasks taking excessively long.
# Identify bottleneck
echo "=== CPU ===" && uptime
echo "=== Memory ===" && free -m
echo "=== Swap ===" && swapon --show
echo "=== Disk I/O ===" && iostat -x 1 3 2>/dev/null || echo "iostat not available"
echo "=== Top Processes ===" && top -bn1 | head -15
echo "=== DB Connections ===" && /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -c \
"SELECT count(*) FROM pg_stat_activity;"
| Command | Description |
|---|---|
service-control --status --all |
Show status of all vCenter services |
service-control --status vmware-vpxd |
Show VPXD service status |
service-control --start --all |
Start all vCenter services |
service-control --stop --all |
Stop all vCenter services |
service-control --start <service> |
Start a specific service |
service-control --stop <service> |
Stop a specific service |
vmon-cli --list |
List all vMon-managed services |
vmon-cli --status <service> |
Check specific vMon service status |
vmon-cli --start <service> |
Start a vMon service |
vmon-cli --stop <service> |
Stop a vMon service |
vmon-cli --restart <service> |
Restart a vMon service |
| Command | Description |
|---|---|
uptime |
System uptime and load average |
free -m |
Memory usage in MB |
df -h |
Disk partition usage |
top -bn1 |
Process listing (batch mode, single iteration) |
timedatectl status |
Time synchronization status |
hostnamectl |
Hostname and OS information |
cat /etc/applmgmt/appliance/update.conf |
Appliance version info |
vpxd -v |
VPXD version |
cat /etc/issue |
Photon OS version |
| Command | Description |
|---|---|
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB |
Connect to VCDB |
systemctl status vmware-vpostgres |
PostgreSQL service status |
VACUUM ANALYZE; (in psql) |
Standard vacuum with analyze |
VACUUM FULL ANALYZE; (in psql) |
Full vacuum (blocking) |
SELECT pg_size_pretty(pg_database_size('VCDB')); |
VCDB size |
| Command | Description |
|---|---|
/usr/lib/vmware-vmca/bin/certificate-manager |
Certificate Manager (interactive) |
/usr/lib/vmware-vmafd/bin/vecs-cli store list |
List VECS stores |
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store <store> |
List entries in a VECS store |
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store <store> --alias <alias> |
Get certificate from store |
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list |
List trusted root certificates |
python /usr/lib/vmware-vmca/share/config/checksts.py |
Check STS certificate |
| Command | Description |
|---|---|
/opt/vmware/bin/sso-config.sh -get_identity_sources |
List identity sources |
/opt/vmware/bin/sso-config.sh -get_default_identity_sources |
Get default identity source |
/opt/vmware/bin/sso-config.sh -get_lockout_policy |
SSO lockout policy |
/usr/lib/vmware-vmdir/bin/dir-cli password reset --account <user> --new <pass> |
Reset SSO password |
/usr/lib/vmware-vmdir/bin/dir-cli account unlock --account <user> |
Unlock SSO account |
| Command | Description |
|---|---|
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert |
List all registrations |
| Command | Description |
|---|---|
tail -f /var/log/vmware/vpxd/vpxd.log |
Follow VPXD log |
tail -f /var/log/vmware/sso/ssoAdminServer.log |
Follow SSO log |
tail -f /var/log/vmware/lookupsvc/lookupsvc.log |
Follow Lookup Service log |
tail -f /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log |
Follow vSphere Client log |
tail -f /var/log/vmware/vpostgres/postgresql*.log |
Follow PostgreSQL log |
vc-support-bundle |
Generate full support bundle |
| Command | Description |
|---|---|
/usr/lib/vmware-vcha/vcha-cli cluster-get-state |
VCHA cluster state |
| Command | Description |
|---|---|
ss -tlnp |
List all listening TCP ports |
ip addr show |
Show network interfaces |
ip route show |
Show routing table |
cat /etc/resolv.conf |
DNS configuration |
nslookup ${VC_FQDN} |
DNS resolution test |
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/session |
Create session (Basic Auth) -- returns session token |
| GET | /api/session |
Get current session info |
| DELETE | /api/session |
Destroy session (logout) |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/appliance/health/system |
Overall system health |
| GET | /api/appliance/health/mem |
Memory health |
| GET | /api/appliance/health/storage |
Storage health |
| GET | /api/appliance/health/database-storage |
Database storage health |
| GET | /api/appliance/health/load |
CPU load health |
| GET | /api/appliance/health/swap |
Swap health |
| GET | /api/appliance/health/softwarepackages |
Software package health |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/appliance/ntp |
Get NTP servers |
| PUT | /api/appliance/ntp |
Set NTP servers |
| GET | /api/appliance/timesync |
Get time sync mode |
| PUT | /api/appliance/timesync |
Set time sync mode (NTP/HOST) |
| GET | /api/appliance/access/ssh |
Get SSH access status |
| PUT | /api/appliance/access/ssh |
Enable/disable SSH |
| GET | /api/appliance/networking |
Get network configuration |
| GET | /api/appliance/networking/dns/servers |
Get DNS servers |
| GET | /api/appliance/networking/dns/hostname |
Get hostname |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/appliance/logging/forwarding |
Get syslog forwarding config |
| PUT | /api/appliance/logging/forwarding |
Set syslog forwarding config |
| POST | /api/appliance/logging/forwarding?action=test |
Test syslog forwarding |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/vcenter/datacenter |
List datacenters |
| GET | /api/vcenter/cluster |
List clusters |
| GET | /api/vcenter/host |
List hosts |
| GET | /api/vcenter/vm |
List VMs |
| GET | /api/vcenter/datastore |
List datastores |
| GET | /api/vcenter/network |
List networks |
| GET | /api/vcenter/folder |
List folders |
| GET | /api/vcenter/resource-pool |
List resource pools |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/vcenter/vcha/cluster/mode |
Get VCHA mode |
| POST | /api/vcenter/vcha/cluster?action=get |
Get full VCHA cluster status |
| POST | /api/vcenter/vcha/cluster?action=failover |
Initiate VCHA failover |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/vcenter/certificate-management/vcenter/tls |
Get TLS certificate info |
| GET | /api/vcenter/certificate-management/vcenter/trusted-root-chains |
List trusted root chains |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/vcenter/identity/providers |
List identity providers |
# GET request pattern
curl -sk -X GET \
"https://${VC_FQDN}/api/<endpoint>" \
-H "vmware-api-session-id: ${VC_TOKEN}" | jq .
# POST request pattern
curl -sk -X POST \
"https://${VC_FQDN}/api/<endpoint>" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '{ "key": "value" }' | jq .
# PUT request pattern
curl -sk -X PUT \
"https://${VC_FQDN}/api/<endpoint>" \
-H "vmware-api-session-id: ${VC_TOKEN}" \
-H "Content-Type: application/json" \
-d '{ "key": "value" }'
# Create session at start
export VC_TOKEN=$(curl -sk -X POST \
"https://${VC_FQDN}/api/session" \
-u "${VC_USER}:${VC_PASS}" | tr -d '"')
# ... run all health checks ...
# Destroy session at end
curl -sk -X DELETE \
"https://${VC_FQDN}/api/session" \
-H "vmware-api-session-id: ${VC_TOKEN}"
unset VC_TOKEN VC_PASS
(c) 2026 Virtual Control LLC. All rights reserved.