It has been a while since I have worked with vMA. I used it fairly often when I was managing a vSphere environment. I am teaching the vSphere Optimize and Scale class during the winter semester, so I spun up the vMA in the homelab to re-introduce myself to it. Using the vMA was part of the VCAP-DCA exam blueprint, but it looks like it has been removed from the new VCAP-DCV Deployment exam blueprint (that makes me sad as it is a useful tool).
The vSphere Management Assistant (vMA) is a SUSE Linux virtual appliance packaged as an OVF. The vMA includes the vSphere command-line interface (esxcli and vicfg) and the vSphere Perl SDK. The vMA allows you to remotely execute vCLI/esxcli and use resxtop without having to enable SSH on the ESXi host.
The vMA has an authentication component, vi-fastpass, which provides a credential store that caches host credentials so that commands can be executed against target hosts without authenticating for each command. The vi-admin user has administrative privileges to add, remove, and update servers in vi-fastpass, and the vi-user has read-only privileges to use vi-fastpass to connect to hosts.
Hosts are added by the vi-admin user using the vifp addserver command. Once the servers have been added to vi-fastpass you can connect to the host using vifptarget. Using vifp listservers will provide a list of the hosts currently configured for vi-fastpass.
As of vSphere 6.0, esxcli/vCLI checks whether a trust relationship exists between the machine running the command and the host the command is being run against. To create this trust relationship between the vMA and the ESXi or vCenter Servers registered in vi-fastpass, the host's thumbprint is added to the credential store using /usr/lib/vmware-vcli/apps/general/credstore_admin.pl add -s [server] -t [thumbprint]. Once the thumbprint is added to the credential store, this trust relationship will exist between the vMA and the hosts configured in vi-fastpass. When a target server is set (vifptarget -s [server]), the esxcli or vCLI commands can be executed from the vMA without requiring credentials.
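The thumbprint step is where the trust decision is made, so the value passed to -t should be checked rather than copied from whatever the host presents. The script below is an added example, not part of the original post: it adds a host to the credential store only when the certificate it presents matches a thumbprint obtained out of band. It assumes openssl is available on the vMA and that the thumbprint is the colon-separated SHA-1 form; the function names are hypothetical.

```bash
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes openssl on the vMA and a colon-separated SHA-1 thumbprint (20 bytes).

CREDSTORE_ADMIN=/usr/lib/vmware-vcli/apps/general/credstore_admin.pl

# Accepts "SHA1 Fingerprint=AA:BB:..." (openssl output) or a bare thumbprint.
# Prints the upper-case colon-separated form; fails unless it is 20 hex bytes.
normalize_thumbprint() {
    local tp
    tp=$(printf '%s' "$1" | sed -e 's/^.*=//' | tr -d '[:space:]' | tr 'a-f' 'A-F')
    if printf '%s' "$tp" | grep -Eq '^([0-9A-F]{2}:){19}[0-9A-F]{2}$'; then
        printf '%s\n' "$tp"
    else
        return 1
    fi
}

# Reads the certificate the server presents on port 443 and prints its thumbprint.
fetch_thumbprint() {
    local line
    line=$(openssl s_client -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1) || return 1
    normalize_thumbprint "$line"
}

# trust_host <server> <expected-thumbprint>
# Adds the server to the credential store only if the presented thumbprint
# equals the expected one (for example, read from the host console).
trust_host() {
    local server expected presented
    server=$1
    expected=$(normalize_thumbprint "$2") || {
        echo "expected thumbprint is not 20 hex bytes" >&2; return 2; }
    presented=$(fetch_thumbprint "$server") || {
        echo "could not read certificate from $server" >&2; return 3; }
    if [ "$presented" != "$expected" ]; then
        echo "thumbprint mismatch for $server: host presented $presented" >&2
        return 4
    fi
    "$CREDSTORE_ADMIN" add -s "$server" -t "$presented"
}
```

Source the file as vi-admin and run trust_host [server] [thumbprint] after vifp addserver; a non-zero return means nothing was written to the credential store.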