vSphere 5.5 Install Pt. 13: Install Inventory Svc

The vCenter inventory service has two primary purposes in life. First, it’s a cache of objects which the web client accesses. This cache offloads the retrieval of objects from the vCenter core service (vpxd). This can also lessen the load on your back-end database if the vCenter service isn’t constantly doing queries (most of which are reads). The legacy Windows VI client does not use the inventory service, which is why it can get pokey in very large environments. It also has the effect of reducing vCenter CPU utilization, allowing more client sessions.

Following VMware’s new guidance for vCenter 5.5, we are installing the inventory service on the same VM as vCenter. You should KISS your vCenter, folks. In this post we will install the inventory service and secure it with a trusted SSL certificate.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction 
vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn 

vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade Best Practices and Tips 
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting 
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter
vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Install Inventory Service

1. Mount the vCenter ISO if it’s not still mounted from the previous installs. Start the installer and select the vCenter Inventory Service.

2. Click through the wizard until you get to the Destination Folder. Because the web client only works on the C drive, I’ve resigned myself to putting everything on the C drive. So I left this the default.

3. Validate that the FQDN of the local server is correct.

4. I’d leave all the default port numbers.

5. The JVM memory will greatly depend on your environment. Do not skimp here, as memory is critical for performance. Remember that you may need to adjust your vCenter VM’s memory if you select medium or large. vCenter 5.5 all-in-one servers LOVE memory.

6. Enter your vCenter SSO password and validate the lookup service URL is correct.

7. Just like the web client, it presents the thumbprint of your SSO SSL certificate. That’s the same value as before, so I’m not going to cover how to look it up again.

8. At this point a Ready to Install box should appear. Click Install and wait a few minutes.

Automated Inventory Service SSL

Note: I’m assuming here you are following this guide to the letter and replacing SSL certificates as we go. By doing this we can skip some steps in the VMware tool that are needed if doing SSL replacement post-full installs. If you are replacing certs at the end of a complete vCenter install, you must follow the planner steps in the VMware tool.

1. Open an elevated command prompt (not PowerShell) and launch the VMware SSL replacement tool. Select Option 4 from the main menu.

2. All we need to do here is update the SSL certificate.

3. If everything goes well, it will successfully replace the certificate.

4. To validate that the certificate has been updated, go to https://YourvCenterServer:10443. You will see an ‘HTTP status 400 – Bad Request’ error, but that’s normal since we didn’t pass it any data. What counts is that it responds, and that the cert is trusted. If you get some other error or the certificate is wrong, then something went terribly, terribly wrong.
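
The same check as step 4, scripted so it can be repeated after every certificate change. This is an added example, not part of the original post or of VMware's tooling; it assumes Python 3 on an admin workstation, and the function names (thumbprint, parse_status, verdict, probe) are made up for illustration. It performs a fully verified TLS handshake against port 10443, treats the 400 response as the expected healthy answer, and prints the SHA-1 thumbprint so it can be compared with the certificate you minted.

```python
import hashlib
import socket
import ssl
import sys

def thumbprint(der):
    """SHA-1 of the DER-encoded certificate, as colon-separated upper-case hex."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def parse_status(raw):
    """Return the numeric status of an HTTP response, or None if it is malformed."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def verdict(trusted, status):
    """Map the two things step 4 cares about (trust, response) to a result line."""
    if not trusted:
        return "FAIL: certificate chain or hostname not trusted"
    if status == 400:
        return "OK: trusted certificate, expected 400 Bad Request"
    return "CHECK: trusted certificate, unexpected response %r" % (status,)

def probe(host, port=10443, cafile=None):
    """Handshake with chain and hostname verification, then send a bare GET."""
    # With cafile=None the OS trust store is used; otherwise only the given
    # PEM chain (root + intermediate) is trusted. Verification is never disabled.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                req = "GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
                tls.sendall(req.encode("ascii"))
                status = parse_status(tls.recv(4096))
    except ssl.SSLCertVerificationError as exc:
        return verdict(False, None) + " (%s)" % exc.verify_message
    return verdict(True, status) + " thumbprint=" + thumbprint(der)

if __name__ == "__main__":
    # Usage: python check_is_cert.py YourvCenterServer [chain.pem]
    print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Use the same FQDN that is in the certificate, since the handshake also checks the hostname. A FAIL result means the root and intermediate CA certificates are not both trusted by the machine running the check, or the name does not match.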

Summary

The inventory service is easy to install, and easy to secure with custom SSL certificates. You can also quickly check the health with a simple web browser. So this is one of the easiest services to install and configure. Next up in Part 14 is configuring your SQL databases and DSNs so we can finally get to installing vCenter.

Comments

  1. DSvmwareguy says:

    Thanks!

  2. Thanks for the great posting. Looking forward to your Chapter 14.

  3. Hi Derek
    in relation to my last post this is the log file from the ssl-updater for the inventory service:

    [09/12/2013 – 13:07:48.21]: The Inventory Service is installed at "D:\Program Files\VMware\Infrastructure\Inventory Service"
    [09/12/2013 – 13:07:48.25]: Rollback path is "D:\ssl-certificate-updater-tool-1308332\backup"
    [09/12/2013 – 13:07:48.26]: Rollback path is "D:\ssl-certificate-updater-tool-1308332\backup\IS"
    [09/12/2013 – 13:07:50.90]: Determining whether Inventory Service is registered with Single Sign-On …
    Intializing registration provider…
    Getting SSL certificates for https://vcentre.domain.locall:7444/lookupservice/
    A local user with name InventoryService_2013.12.09_121405 is already registered in SSO
    Return code is: AlreadyRegistered
    7
    [09/12/2013 – 13:08:01.91]: Unregistering Inventory Service from Single Sign-On …
    < was unexpected at this time.

  4. I got the same issue, and I opened a case with VMware. It was that the password of administrator@vsphere.local contained a special character. I followed all the steps in Derek's article and used none of the characters listed by Derek. I used the "=".

    The solution was to go to the vSphere Web Client and change the password to a simple one. I re-ran the ssl-update.bat, and it fixed the issue.

    Here are the logs:
    _______________________________
    [Thu 02/27/2014 – 16:31:54.09]: The Inventory Service is installed at "C:\Program Files\VMware\Infrastructure\Inventory Service"
    [Thu 02/27/2014 – 16:31:54.17]: Rollback path is "D:\ssl-certificate-updater-tool-1308332\backup"
    [Thu 02/27/2014 – 16:31:54.17]: Rollback path is "D:\ssl-certificate-updater-tool-1308332\backup\IS"
    [Thu 02/27/2014 – 16:31:57.20]: Determining whether Inventory Service is registered with Single Sign-On …
    Intializing registration provider…
    Getting SSL certificates for https://vCenter.FQDN:7444/lookupservice/sdk
    A local user with name InventoryService_2014.02.27_162420 is already registered in SSO
    Return code is: AlreadyRegistered
    7
    [Thu 02/27/2014 – 16:32:06.00]: Unregistering Inventory Service from Single Sign-On …
    =1233"" was unexpected at this time.
    [Thu 02/27/2014 – 16:39:33.97]: The Inventory Service is installed at "C:\Program Files\VMware\Infrastructure\Inventory Service"
    [Thu 02/27/2014 – 16:39:34.01]: Rollback path is "D:\ssl-certificate-updater-tool-1308332\backup"
    [Thu 02/27/2014 – 16:39:34.03]: Rollback path is "D:\ssl-certificate-updater-tool-1308332\backup\IS"
    [Thu 02/27/2014 – 16:39:36.69]: Determining whether Inventory Service is registered with Single Sign-On …
    Intializing registration provider…
    Getting SSL certificates for https://vCenter.FQDN:7444/lookupservice/sdk
    A local user with name InventoryService_2014.02.27_162420 is already registered in SSO
    Return code is: AlreadyRegistered
    7
    [Thu 02/27/2014 – 16:39:45.00]: Unregistering Inventory Service from Single Sign-On …
    Intializing registration provider…
    Getting SSL certificates for https://vCenter.FQDN:7444/lookupservice/sdk
    Return code is: Success
    0
    [Thu 02/27/2014 – 16:39:53.75]: Determining if the new Inventory Service certificate is already registered with Single Sign-On …
    Intializing registration provider…
    Getting SSL certificates for https://vCenter.FQDN:7444/lookupservice/sdk
    No local user with name 'GARBAGE_VALUE' or subject DN 'CN=vCenter.FQDN,OU=vCenterInventoryService,O=NYCHA,L=New York,ST=NY,C=US' is registered
    Return code is: Success
    0
    [Thu 02/27/2014 – 16:40:03.34]: Determining the Inventory Service service status …
    [Thu 02/27/2014 – 16:40:03.49]: Stopping Inventory Service
    The VMware vCenter Inventory Service service is stopping…
    The VMware vCenter Inventory Service service was stopped successfully.

    1 file(s) copied.
    1 file(s) copied.
    1 file(s) copied.
    1 file(s) copied.
    1 file(s) copied.
    1 file(s) copied.
    [Thu 02/27/2014 – 16:40:08.58]: Registering Inventory Service with Single Sign-On …
    Intializing registration provider…
    Getting SSL certificates for https://vCenter.FQDN:7444/lookupservice/sdk
    Solution user with id: {Name: InventoryService_2014.02.27_162420, Domain: vsphere.local} successfully registered
    Successfully assigned role "RegularUser" to user "{Name: InventoryService_2014.02.27_162420, Domain: vsphere.local}"
    Return code is: Success
    0
    Intializing registration provider…
    Getting SSL certificates for https://vCenter.FQDN:7444/lookupservice/sdk
    Successfully assigned role "RegularUser" to user "{Name: InventoryService_2014.02.27_162420, Domain: vsphere.local}"
    Return code is: Success
    0
    [Thu 02/27/2014 – 16:40:29.05]: Starting Inventory Service
    The VMware vCenter Inventory Service service is starting……..
    The VMware vCenter Inventory Service service was started successfully.

    [Thu 02/27/2014 – 16:40:48.75]: Successfully updated the Inventory Service SSL certificate

  5. For the life of me I can't seem to get past getting the SSL certificate installed for the Inventory Service. Installing the cert for SSO goes fine as does telling the Inventory Service to trust the SSO certificate but when I go to install the Inventory Service cert, the automatic tool fails indicating it can't talk to the lookup service. If I roll back the SSO cert, it works again.

    I've tried going the manual route with no success either. I get the SSO certificate replaced just fine and move onto the next step which is unregistering the Inventory Service. At that point I get:

    Intializing registration provider…
    Getting SSL certificates for https://<omitted>:7444/lookupservice/sdk
    com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    Return code is: SslHandshakeFailed
    1

    Everything I have done manually (or with Derek's tools) has pointed to the chain.cer file in my Root/Sub CA setup. If I check the Trusted Root Certification Authorities in Windows, I see both Root and Sub. They are actually both in Intermediate Certification Authorities as well.

    Thinking it might be a problem with the JKS and trusting the certs, I've even tried importing the .jks file via the web client but that didn't seem to work either.

    Anyone have any ideas???

  6. Like many of you, I have this issue, even with 5.5 U1. I am not surprised, as the certificate toolkit is unchanged from the earlier releases.

    I worked around this like Michael and changed the administrator@vsphere.local to a simple password (upper, lower and numbers only) and re-ran the script. I changed the password back after replacing the certificate. A pain but that worked for me….

    P.S. Thanks for the hint regarding the Web Client install on D: being fixed. Great news.

  7. It was going to go live tomorrow (Friday), but it will be delayed 1-2 days because of a prior engagement tonight. I'm also tweaking my Toolkit script as well, which needs thorough testing.

  8. I'll post this weekend.

  9. I would suggest opening a ticket with VMware. SSO is still a bit picky, and they probably have a good internal KB of errors and possible solutions.

  10. Sounds like they got it fixed in 5.5.0b which is great!

  11. The reason this works is you are technically using the workaround listed here:
    http://kb.vmware.com/selfservice/microsites/searc

    "Alternatively the following work around can be used if the first steps did not resolve the issue. Install to a path that does not contain spaces"
