How to enable CIM Server (WBEM service) in ESXi 8

Written by - 0 comments

Published on - Listed in VMware Virtualization


To be able to monitor the underlying hardware of an ESXi server, the most common method is to use the integrated CIM Server. The CIM Server reads the current operational or health status of each hardware element and represents this in the output.

But since ESXi version 6.5 the CIM Server is stopped and disabled by default. This article shows how to correctly enable and start the CIM Server (aka WBEM service) in ESXi 8.

The official documentation lacks information

The official documentation from VMware is Knowledge Base Article #1025757. According to this KB article, it's enough to start the CIM Server service in the vSphere UI. 

However when trying to start the sfcbd-watchdog (CIM Server) service, the status switches back to "Stopped" after a few seconds.

sfcbd-watchdog (CIM Server) service stopped

The reason for this is that the service itself is administratively disabled (and unable to be started) by default. This his now shown in the UI though and can only be enabled using the esxcli command, directly on the ESXi server.

Enabling CIM Server on the command line using esxcli

To be able to execute commands directly on the ESXi server(s), we first need to be able to connect to the ESXi server using SSH. 

Logged in on the vSphere User Interface (using the browser and the IP address of the ESXi server), click on "Manage" (under the Host entry) in the left-side navigation. On the right side, click on the tab "Services". Scroll down the list of services until you find the "TSM-SSH" service - which is by default stopped.

Select the TSM-SSH service and click on Start above. 

Now use your terminal (if you're on Linux or macOS) or a SSH client, such as PuTTY (if you're on Windows) to connect to the IP of the ESXi server. Use the "root" user with the known password (same as you've used to log in to the UI).

ck@desktop ~ $ ssh 192.168.15.115 -l root
The authenticity of host '192.168.15.115 (192.168.15.115)' can't be established.
ECDSA key fingerprint is SHA256:FVX5WJiyiTMzXO+2irzSxItA23n9f65jKnZW66V5L9M.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.15.115' (ECDSA) to the list of known hosts.
Password:
The time and date of this login have been sent to the system logs.

WARNING:
   All commands run on the ESXi shell are logged and may be included in
   support bundles. Do not provide passwords directly on the command line.
   Most tools can prompt for secrets or accept them from standard input.

VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
[root@localhost:~] 

A manual start of the sfcbd-watchdog service confirms the same behaviour as in the UI:

[root@localhost:~] /etc/init.d/sfcbd-watchdog start
sfcbd-init[134838]: args ('start')
sfcbd-init[134838]: Getting Exclusive access, please wait...
sfcbd-init[134838]: Exclusive access granted.
sfcbd-init[134838]: Request to start sfcbd-watchdog, pid 134838
sfcbd-init[134838]: sfcbd not started, administratively disabled.

To definitely enable this service, we first need to enable the "wbem" service using esxcli:

[root@localhost:~] esxcli system wbem set -enable true

To verify the current settings of that service we can show the details:

[root@localhost:~] esxcli system wbem get
   Enabled: true
   WS-Management Service: true
   Enable HTTPS: true
   Authorization Model: password
   Port: 5989
   HTTP Procs: 2
   HTTPS Procs: 4
   Provider Procs: 16
   Keepalive Timeout: 1
   Keepalive Max Requests: 10
   Provider Sample Interval: 30
   Provider Timeout Interval: 120
   HTTP Max Content Length: 1048576
   Max Message Length: 40000000
   Thread Stack Size: 1048576
   Provider Resource Pool Override:
   SSL Cipher List: ECDHE+AESGCM:ECDHE+AES
   Threadpool Size: 5
   Readonly: false
   Log Level: warning
   Service Location Protocol PID: 0
   WS-Management PID: 134939
   CIM Object Manager PID: 134967
   Enabled SSL Protocols:
   Enabled System SSL Protocols: tlsv1.2
   Enabled Running SSL Protocols: tlsv1.2

Enabled is now set to true.

Communication with CIM Server

Enabling the "wbem" service should also have auto-started the sfcbd-watchdog service:

[root@localhost:~] /etc/init.d/sfcbd-watchdog status
sfcbd-init[134989]: args ('status')
sfcbd-init[134989]: Getting Exclusive access, please wait...
sfcbd-init[134989]: Exclusive access granted.
sfcbd is running

If the service was not started, you can now either start the service in the vSphere UI or on the command line:

[root@localhost:~] /etc/init.d/sfcbd-watchdog start

You should now be able to communicate with the CIM server using tcp/5989:

ck@desktop ~ $ telnet 192.168.15.115 5989
Trying 192.168.15.115...
Connected to 192.168.15.115.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

This now also allows the check_esxi_hardware monitoring plugin to read the hardware status from the ESXi server.

For security reasons, don't forget to disable SSH service once the CIM Server was enabled.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.