Archives for September 2012

vCenter 5.1 U1 Installation: Part 13 (VUM Configuration)

This installment of the 15 part vSphere 5.1 Installation covers some basic VUM configuration that most people will want to do. In Part 12 we configured VUM to use trusted SSL certificates. Now that the under the covers configuration of VUM is done, we need to perform some basic GUI configuration to make VUM useful. Every environment is different, and VUM is quite customizable, so the steps below are just basic guidance for a vanilla VUM setup. Creating custom baselines, tweaking remediation options, and other settings are not covered below.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

VUM Configuration

1. If you haven’t already installed the vSphere 5.1 vSphere Client for Windows, now is the time. After that is installed, connect to your vCenter server and click on the Plug-Ins menu. You should now see an available plug-in.

2. Click on Download and Install. Run through the installation wizard using all default values.

3. After the installation is completed, close the vSphere client.

4. Reconnect to the vCenter server using the vSphere client. If all goes well you should NOT get an SSL certificate warning and you should see an Update Manager tab in vCenter.

5. Depending on your server hardware vendor, you may want to add the HP depot URL to VUM so you know when they release updated software. Unfortunately at this time I’m not aware of a Cisco VIB depot. Open the Admin View of VUM.

6. Once the VUM Admin page opens click on Configuration. Add a Download Source and use the following URLs:

HP:

http://vibsdepot.hp.com/index.xml

Dell:

http://vmwaredepot.dell.com/index.xml

Validate the URL then click OK.

7. After the URL is added, click on Download Now and wait a minute or two.

8. If you open the Patch Repository tab and sort by vendor you should now see some HP patches listed.

9. You can create your own patch baselines, which is out of the scope of this article. But I would recommend you at least attach the host and VM critical patch baselines. Switch to the Hosts and Cluster view, then click on the Update Manager tab.

10. Right click in the left pane and select Attach. I would recommend you select both baselines, unless you build your own.

11. Switch to the VMs and Templates view, change to the Update Manager view, then right click in the left baseline pane and select Attach. Again, unless you have a custom baseline, I would select all three options.

And there you go…a pretty vanilla VUM configuration. You will probably want to tweak some remediation settings, and possibly schedule regular scans (say weekly) for updates for both VMs and ESXi hosts. Next up is Part 14, which fixes the LogBrowser service SSL issue.

Note: When using VUM if you try and import a patch file, you will likely get an SSL security warning. You will notice that a self-signed VMware certificate is presented for you to trust. I’ve seen mentioned elsewhere that for now users are unable to change this particular certificate to a trusted one. So just “ignore” the error, as much as it may pain you.

vCenter 5.1 U1 Installation: Part 12 (VUM SSL Certificate)

Welcome to the vSphere 5.1 Update 1 VUM SSL certificate replacement procedures. In Part 11 we installed VMware vCenter Update Manager (VUM) 5.1 Update 1. Recently VMware released the vCenter Certificate automation tool, which helps lessen the pain associated with replacing the self-signed certificates with trusted certificates. I recommend you use that tool, instead of pre-staging certificates or replacing them manually.

However, v1.0 of the VMware tool does NOT support updating the VUM SSL certificate if you’ve registered VUM to vCenter using the vCenter FQDN. Since I would consider it a best practice to use the vCenter FQDN (vice IP address), we need to manually replace the VUM certificate until an update to the tool is released. I recommend replacing the VUM certificate only after you’ve gone through all 15 parts of this install series, and run the VMware vCenter certificate automation tool. If you have completed all those steps, then proceed with this article. If not, then jump ahead to Part 13 and come back here later.

If you want to refer to the official VMware article for replacing the VUM SSL certificate, you can find the procedure here. Thankfully it’s not difficult, so you shouldn’t have any problems.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

Updating VUM SSL Certificate

1. Backup all the files in the directory below. Copy the rui.key, rui.crt and rui.pfx files from your D:\Certs\VUM directory and replace the files in this directory:

C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL

2. Stop the VMware vSphere Update Manager Service.

3. In the C:\Program Files (x86)\VMware\Infrastructure\Update Manager directory launch the VMwareUpdateManagerUtility.exe application.

4. Login to the vCenter server using proper credentials.

5. Click on the SSL Certificate option on the left side then check the box on the right side and click Apply.

6. If all goes well you should see the window below. Restart the service as directed.
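A pre-flight for step 1, added here as an example and not part of the original post or of VMware's tooling: it confirms that rui.crt and rui.pfx carry the same certificate, that the PFX holds the private key, and that the certificate is currently valid, then backs up the live SSL directory. The function name, the backup location and the PFX password parameter are assumptions; the two default directories are the ones named in step 1.

```powershell
# Added example; not part of the original post or of VMware's tooling.
# Invoke-VumCertPreflight and $BackupRoot are hypothetical names/locations.
function Invoke-VumCertPreflight {
    param(
        [Parameter(Mandatory = $true)][System.Security.SecureString]$PfxPassword,
        [string]$NewCertDir = 'D:\Certs\VUM',
        [string]$VumSslDir  = 'C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL',
        [string]$BackupRoot = 'D:\Certs\Backup'
    )

    $problems   = @()
    $backupDir  = $null
    $thumbprint = $null

    # All three files from step 1 must be staged before anything is replaced.
    foreach ($name in 'rui.key', 'rui.crt', 'rui.pfx') {
        if (-not (Test-Path -LiteralPath (Join-Path $NewCertDir $name))) {
            $problems += "Missing $name in $NewCertDir"
        }
    }
    if (-not (Test-Path -LiteralPath $VumSslDir)) {
        $problems += "VUM SSL directory not found: $VumSslDir"
    }

    if (-not $problems) {
        $certType = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
        $crtPath  = Join-Path $NewCertDir 'rui.crt'
        $pfxPath  = Join-Path $NewCertDir 'rui.pfx'
        try {
            $crt = New-Object $certType -ArgumentList $crtPath
            $pfx = New-Object $certType -ArgumentList $pfxPath, $PfxPassword
            $thumbprint = $crt.Thumbprint

            # A mismatched pair is the usual cause of a service that will not start.
            if ($crt.Thumbprint -ne $pfx.Thumbprint) {
                $problems += 'rui.crt and rui.pfx contain different certificates'
            }
            if (-not $pfx.HasPrivateKey) {
                $problems += 'rui.pfx does not contain a private key'
            }
            $now = Get-Date
            if ($now -lt $crt.NotBefore -or $now -gt $crt.NotAfter) {
                $problems += "Certificate is not valid now ($($crt.NotBefore) to $($crt.NotAfter))"
            }
        } catch {
            $problems += "Could not load certificate files: $($_.Exception.Message)"
        }
    }

    # Back up the live directory only when the new files passed every check.
    if (-not $problems) {
        $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backupDir = Join-Path $BackupRoot "VUM-SSL-$stamp"
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        Copy-Item -Path (Join-Path $VumSslDir '*') -Destination $backupDir -Recurse -ErrorAction Stop
    }

    [pscustomobject]@{
        Ok         = (-not $problems)
        Thumbprint = $thumbprint
        BackupPath = $backupDir
        Problems   = $problems
    }
}

# Usage:
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Invoke-VumCertPreflight -PfxPassword $pw
```

Copy the new files into the SSL directory only when Ok is True; BackupPath then holds the files to restore if the service does not come back.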

In Part 13 we perform basic VUM configuration to add the HP patch depot and attach built-in baselines for VMs and ESXi hosts.

vCenter 5.1 U1 Installation: Part 11 (Install VUM)

This installment in the vSphere 5.1 Update 1 installation series will install VUM (VMware Update Manager) on your system. In Part 10 of this series we configured the VUM DSN in preparation for installing VUM. So now we are ready to deploy VUM. You can co-locate it on your vCenter server in small environments, or have a dedicated VM for medium to large environments.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

Install VUM 5.1 Update 1

1. Start the vSphere Update Manager installation from the vSphere 5.1 main menu.

2. Select vSphere Update Manager and click through the wizard until you get to the following screen. If your system is on the internet then leave the box checked, so that you will have all of the latest patches. If you are on a disconnected/secure network, then uncheck the box so it doesn’t try to access the internet.

3. On the next screen enter the FQDN of your vCenter server and the username that VUM will use to access vCenter. In this case I just re-used the vCenter service account, since I don’t see a reason to have yet another service account just for VUM. But you certainly could, assuming you gave it appropriate rights in vCenter. Note: If the install hangs at this point, I’ve seen an issue using the FQDN vice the IP address. Should it hang you can kill the process called vciInstallutils.exe and try again with different credentials, hostname, or IP.

4. If the DSN is properly configured then it should be listed on the next screen.

5. In the drop down change the setting from the IP address to the FQDN.

6. I would strongly urge that you use a different drive for the patch repository, as it can get big and you don’t want it filling up your C drive.

7. Sit back and wait for the installation to complete, which shouldn’t take very long.

8. Depending on how you configured the permissions on your SQL database, you may need to change the account which the VUM service uses. In my case I needed to reconfigure it to use the vCenter service account, since that had permissions to the VUM SQL database. Restart the service.

In Part 12 I show you how to replace the VUM SSL certificate. I recommend using the VMware vCenter Certificate Automation tool to replace certificates. However in v1.0 of the tool it can’t replace the VUM certificate if you registered VUM with vCenter using the FQDN (vice IP address). So you will still need to perform the manual VUM SSL steps. I recommend replacing the VUM certificate after vCenter is fully installed and you ran the VMware Certificate Automation tool.

vCenter 5.1 U1 Installation: Part 10 (Create VUM DSN)

Now that vCenter 5.1 Update 1 is installed it is now time to create the VUM DSN. VUM, known as VMware Update Manager, lets you automate the patching process of ESXi hosts, update VMware tools, and also update some VM appliances. You still have to manage VUM via the legacy Windows vSphere client, as VMware did not make a plug-in for the Web Client. I would strongly suspect vSphere .Next will have a web integrated VUM client.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

Creating the VUM DSN

The first step to get VUM working is creating the ODBC DSN that the installer will use to connect to the database. Unlike vCenter which uses a 64-bit DSN, VUM uses a 32-bit DSN. So the PowerShell script below has been modified from the vCenter script to create a 32-bit DSN, otherwise the script is the same as the one I presented for vCenter. I saved the script as VUM-DSN.ps1. The script requires three arguments, with a fourth optional one:

  • FQDN of the SQL server
  • VUM database name (enclose in quotes if it has spaces)
  • Version of SQL server (2008 or 2012)
  • Optional: Encrypt (if SQL encryption is configured)

If you want a quick guide on configuring SQL transport encryption you can check out my article here. Again, for security I would strongly suggest you use SQL SSL encryption. Unlike the SSO/JDBC SQL SSL encryption issues, using the ODBC connector for SSL with the vCenter/VUM databases works like a charm.

1. Save the PowerShell script below and execute it in an elevated PowerShell command prompt, using your settings:

Example:

.\VUM-DSN.ps1 D001SQL02.contoso.net "D001-vCenter VUM" 2012 Encrypt

VUM-DSN.ps1
## Creates a 32-bit System DSN for VMware Update Manager.
## Supports SQL Server 2008(R2) and SQL 2012
## Arguments: <SQL server FQDN> <VUM database name> <2008|2012> [Encrypt]

# The DSN is given the same name as the VUM database
$DSNName = $args[1]
$DBName = $args[1]

# The first three arguments are required; Encrypt is optional
If($args[0] -eq $NULL) { echo "Must specify FQDN of SQL server."; Exit}
If($args[1] -eq $NULL) { echo "Must specify VUM Database name."; Exit}
If($args[2] -eq $NULL) { echo "Must specify SQL Version (2008 or 2012)"; Exit}
if($args[3] -eq "encrypt") { $Encrypt = "Yes" } Else { $Encrypt = "No" }

# 32-bit System DSNs live under Wow6432Node on 64-bit Windows
$HKLMPath1 = "HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\" + $DSNName
$HKLMPath2 = "HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\ODBC Data Sources"
md $HKLMPath1 -ErrorAction silentlycontinue

# Connection settings: Windows authentication, optional transport encryption
set-itemproperty -path $HKLMPath1 -name Description -value $DSNName
set-itemproperty -path $HKLMPath1 -name Server -value $args[0]
set-itemproperty -path $HKLMPath1 -name LastUser -value "Administrator"
set-itemproperty -path $HKLMPath1 -name Trusted_Connection -value "Yes"
set-itemproperty -path $HKLMPath1 -name Encrypt -value $Encrypt
set-itemproperty -path $HKLMPath1 -name Database -value $DBName
md $HKLMPath2 -ErrorAction silentlycontinue

# Register the DSN with the Native Client driver that matches the SQL version
if ($args[2] -eq 2008) {
    set-itemproperty -path $HKLMPath2 -name "$DSNName" -value "SQL Server Native Client 10.0"
    set-itemproperty -path $HKLMPath1 -name Driver -value "C:\WINDOWS\system32\sqlncli10.dll"
}
Else {
    set-itemproperty -path $HKLMPath2 -name "$DSNName" -value "SQL Server Native Client 11.0"
    set-itemproperty -path $HKLMPath1 -name Driver -value "C:\WINDOWS\system32\sqlncli11.dll"
}

2. At this point you should test the ODBC connection to avoid any vCenter installation issues. In the Windows Start screen search box type ODBC and select ODBC Data Sources (32-bit). Or, you can launch the same GUI via the command line:

c:\windows\syswow64\odbcad32.exe

3. When the ODBC Administrator appears click on System DSN and you should see two DSNs. In the Windows Server 2012 ODBC GUI it will now show both 32-bit and 64-bit DSNs.


4. Click on the Configure button and run through the wizard (without changing any settings) and you should arrive at the summary screen below. In my case I require data encryption, so that option is set to Yes. Since most people probably don’t have SQL setup for encryption (you should!) this will be a No for you.


5. Click on Test Data Source.. and you should see a successful connection message. If you have configured SQL transport encryption it will also note that the connection was encrypted and that the server certificate was validated (not self-signed).
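A scripted version of the checks in steps 2 to 5, added here as an example and not part of the original VUM-DSN.ps1: it reads back the 32-bit System DSN the script wrote and, when asked, opens a connection through it and asks SQL Server whether the session is encrypted. The function name Test-VumDsn is hypothetical, and the encrypt_option query assumes the connecting account has VIEW SERVER STATE on the SQL server.

```powershell
# Added example; not part of the original VUM-DSN.ps1. Test-VumDsn is a hypothetical name.
# For -Connect, run from 32-bit PowerShell
# (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) so the 32-bit DSN is used.
function Test-VumDsn {
    param(
        [Parameter(Mandatory = $true)][string]$DsnName,
        [switch]$RequireEncryption,
        [switch]$Connect
    )

    $root          = 'HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI'
    $dsnKey        = Join-Path $root $DsnName
    $listKey       = Join-Path $root 'ODBC Data Sources'
    $findings      = @()
    $wireEncrypted = $null

    if (-not (Test-Path -LiteralPath $dsnKey)) {
        # A DSN created with the 64-bit tool lands outside Wow6432Node and is invisible to VUM.
        $findings += "No 32-bit System DSN named '$DsnName' under Wow6432Node"
    } else {
        $dsn  = Get-ItemProperty -LiteralPath $dsnKey
        $list = Get-ItemProperty -LiteralPath $listKey -ErrorAction SilentlyContinue
        $driverName = if ($list) { $list.$DsnName } else { $null }

        if (-not $driverName) {
            $findings += "DSN is not registered in 'ODBC Data Sources'"
        }
        if ($dsn.Trusted_Connection -ne 'Yes') {
            $findings += 'Trusted_Connection is not Yes (Windows authentication expected)'
        }
        if ($RequireEncryption -and $dsn.Encrypt -ne 'Yes') {
            $findings += 'Encrypt is not Yes in the DSN'
        }
    }

    if ($Connect -and -not $findings) {
        if ([IntPtr]::Size -ne 4) {
            $findings += 'Connection test skipped: not a 32-bit PowerShell process'
        } else {
            Add-Type -AssemblyName System.Data
            $conn = New-Object System.Data.Odbc.OdbcConnection "DSN=$DsnName"
            try {
                $conn.Open()
                $cmd = $conn.CreateCommand()
                # encrypt_option is 'TRUE' or 'FALSE' for the current session.
                $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
                $wireEncrypted = ([string]$cmd.ExecuteScalar() -eq 'TRUE')
                if ($RequireEncryption -and -not $wireEncrypted) {
                    $findings += 'Session is not encrypted on the wire'
                }
            } catch {
                $findings += "Connection test failed: $($_.Exception.Message)"
            } finally {
                $conn.Dispose()
            }
        }
    }

    [pscustomobject]@{
        Dsn           = $DsnName
        Ok            = (-not $findings)
        WireEncrypted = $wireEncrypted
        Findings      = $findings
    }
}

# Usage, with the DSN name from the example command above:
#   Test-VumDsn -DsnName "D001-vCenter VUM" -RequireEncryption -Connect
```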


Congratulations! You are now ready to start the installation process for VUM, which is covered in Part 11.

Create Windows CA VMware Certificate Template

In any enterprise environment, small or large, you should always use trusted SSL certificates for your VMware components. Very commonly people want to use a Microsoft Certificate Authority (CA). But, VMware requires certain properties be present in the SSL certificate to properly function. So you need to create a custom VMware certificate template in your CA to accommodate the key requirements.

You will need to modify the default Microsoft CA Web Server template settings to meet published VMware certificate requirements. vSphere 5.0 and earlier had an additional certificate requirement (nonrepudiation) that is not required in vSphere 5.1. This article will show you how to create a Microsoft CA template with all the past and present requirements, so that your bases are covered.

The default Web Server certificate template does NOT have Data Encipherment, nonrepudiation, or client authentication enabled. Depending on the version of vSphere you are using, one or more of these properties may be required. So while the CA will happily issue you a certificate if you request these features, it will silently ignore the unsupported key usage specified in your CSR, which may cause you problems.

These instructions are based on Windows Server 2012, but all the options are available in prior Enterprise versions of the OS, such as Windows Server 2008 R2. You may have problems with “standard” edition CAs prior to Windows Server 2012, as they lack some certificate features found in Enterprise or higher editions. Windows Server 2012 standard edition has the full complement of certificate options, so datacenter edition is not required (there is no enterprise edition).

If you are interested in the full 15-part vCenter 5.1 installation series with trusted SSL certificates, click here.

VMware Certificate Template Creation

1. Open the Certificate Authority tool. Locate the top Certificate Templates, right click, and select Manage. 

2. Locate the web server template and duplicate it.

3. Don’t change any of the compatibility settings. Leave it on Windows Server 2003.

4. Since this template will be used for VMware SSL certificates I named the new template appropriately. I also changed the validity period to three years, but the period the certificate is actually issued with depends on other CA properties so it may not be the full period you specify here.

5. Open the Extensions tab, click on Key Usage, then select Signature is proof of origin and Allow Encryption of User data. Note: ESXi 5.1 does not require nonrepudiation or dataencipherment (encryption of user data). But I’ve enabled them here for backwards compatibility.

6. In the Extensions tab click Application Policies then click Edit. Add the Client Authentication policy. Note: The vCenter 5.1 services do not require the Client Authentication option, but I’ve included it here for backwards compatibility with vCenter 5.0 and earlier. It appears ESXi 5.1 still wants client authentication.

7. On the Subject Name tab make sure Supply in the request is selected (it is by default). This will let us issue certificates with a SAN (subject alternative name).

8. After the template is made, you now have to permit certificates to be minted using that template. Right click on the Certificate Templates node as shown below, select New, then Certificate Template to Issue.

9. Select the VMware SSL template, or whatever name you used.

10. If everything went as planned you will have a new certificate template type when submitting a CSR. If you don’t see your new template, you may not have appropriate CA rights to issue the certificate.

11. To validate everything is working as planned, submit a CSR that has the Data Encipherment, nonrepudiation, and client authentication key requirements, then open the properties of the certificate. As you can see in the screenshots below, our minted certificate has all the required properties. If you have no idea how to create a CSR with these extra usage options, don’t fear, just read my blog post here. You are now ready to issue the proper SSL certificates for all of your vSphere environments.

Congrats! You now have a VMware certificate template that you can use with all modern versions of vSphere without fear of ignoring an important key usage attribute.
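One way to script the validation in step 11, added here as an example and not taken from the original post: it loads an issued certificate and reports whether the key usages and application policies set in the template survived issuance, which catches the case where the CA silently dropped them. The function name Test-VMwareCertUsage and the path in the usage comment are hypothetical; Digital Signature, Key Encipherment and Server Authentication are the Web Server template defaults, the rest are the additions from steps 5 to 7.

```powershell
# Added example; not from the original post. Test-VMwareCertUsage is a hypothetical name.
function Test-VMwareCertUsage {
    param([Parameter(Mandatory = $true)][string]$Path)

    $ns       = 'System.Security.Cryptography.X509Certificates'
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert     = New-Object "$ns.X509Certificate2" -ArgumentList $fullPath

    # Pick out the three extensions the template controls.
    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    $missing = @()

    # Key Usage: template defaults plus the two boxes ticked in step 5.
    $wantKu = 'DigitalSignature', 'KeyEncipherment', 'NonRepudiation', 'DataEncipherment'
    foreach ($name in $wantKu) {
        $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$name
        if (-not $ku -or (([int]$ku.KeyUsages -band [int]$flag) -eq 0)) {
            $missing += "KeyUsage:$name"
        }
    }

    # Application policies: Server Authentication (default) and Client Authentication (step 6).
    $wantEku = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    $haveEku = @()
    if ($eku) { $haveEku = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $wantEku.Keys) {
        if ($haveEku -notcontains $oid) { $missing += "EKU:$($wantEku[$oid])" }
    }

    # Step 7 (Supply in the request) is what allows a SAN to be present at all.
    if (-not $san) { $missing += 'SubjectAlternativeName' }

    $kuText = $null
    if ($ku) { $kuText = $ku.KeyUsages.ToString() }
    $sanText = $null
    if ($san) { $sanText = $san.Format($false) }

    [pscustomobject]@{
        Subject   = $cert.Subject
        NotAfter  = $cert.NotAfter
        KeyUsages = $kuText
        EKU       = $haveEku
        SAN       = $sanText
        Missing   = $missing
        Ok        = (-not $missing)
    }
}

# Usage (hypothetical path to a certificate issued from the new template):
#   Test-VMwareCertUsage -Path 'D:\Certs\vCenter\rui.crt'
```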

vCenter 5.1 U1 Installation: Part 9 (vCenter SSO Configuration)

In this installment of the vCenter 5.1 installation series I’ll show you a few vCenter SSO Configuration changes that you will likely want to make. These steps are optional, but probably nearly everyone will want to implement some form of these changes. The two tweaks are setting the default login domain for SSO and the other is using an AD group to control admin rights to the SSO service and not rely on the default built-in account. Oh and let’s not forget licensing too!

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

vCenter SSO Configuration

1. Login to the vSphere Web Client with the SSO administrator credentials (admin@System-Domain). In the left pane click on Administration then click on Configuration under Sign-On and Discovery.

2. If you wish to reduce future sign in keystrokes you can add your Active Directory domain to the list of default SSO domains. To do that highlight your AD server URL then click on the blue dot with an arrow, as shown below.

3. Acknowledge any warning about possible locked out accounts, and you should now see your AD domain listed under default domains.

Important! Click on the blue disk icon to save your change, otherwise you will be wondering why it is not working as expected.

4. At this point you may want to add an AD-based group to the SSO administrator group, so you don’t have to remember, or share, the built-in admin account credentials. To do that click on SSO Users and Groups in the left pane. Click on the ___Administrators___ principal name then click on the person icon with the plus sign next to it.

5. Now I created a group in AD called APP_VCTR_SSO_Administrator and added my admin account to it. Use whatever group name suits your needs. Change the identity source to your domain name then enter the name of the AD group and click on Search. After a few seconds it should populate the fields, then click on Add. Finally click OK.

6. Log out of the vSphere web client, logoff Windows if needed to refresh your group membership, then validate you can access the SSO configuration once you login to the Web Client.

7. You probably want to assign a license key to your vCenter server, otherwise after the grace period is up, it will be non-functional. In the web client, go back to the Home page in the left pane, then click on Administration.

8. Once that pane opens, click on Licenses. You can now input your licenses for vCenter and ESXi hosts. Don’t forget to assign the licenses to their respective products.

Next up is creating the VUM DSN, which is covered in Part 10.

vCenter 5.1 U1 Installation: Part 8 (Install web client)

Now that vCenter Server is installed, we need to proceed to getting the vSphere 5.1 Web Client installed and configured. In Part 7 of this series we installed vCenter Server 5.1, which is a pre-req. The vSphere 5.1 web client has come a long way since vCenter 5.0. It is now the primary means to manage your vSphere 5.x servers and vCenter 5.x instances (does not manage vSphere 4.x or 3.x). In fact, nearly all new vSphere 5.1 features are ONLY exposed through the web client, such as VM hardware version 9 and new dVS features.

The Windows C# vSphere client is a dodo bird in the making, and who knows how long it will be around. However, the web client requires all new plug-ins (such as those from server/storage vendors), and VMware did not migrate VUM to the vSphere web client. So to manage/configure/use VUM you still need to use the traditional C# vSphere client. Vendors such as HP have released updated plug-ins.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

UPDATE 4/28/2013: I’ve removed the SSL certificate pre-population steps, as I think using the VMware vCenter certificate automation tool is a better choice. It’s fully supported, and makes the process more repeatable.

Installing the vSphere 5.1 Update 1 Web Client

1. Start the vSphere Web Client installation wizard from the main menu.

3. Click through the wizard until you get to the SSO logon screen. I would strongly suggest you NOT change any default installation paths. You will likely end up with a dead server, according to KB2044953. Enter the credentials you created during the SSO installation process.

4. Wait for the installation process to complete. The services may take a few minutes to fully start, so I’d wait a little bit after the install completes to move on to the next step.

5. To administer vCenter locally via the web client you need Adobe Flash. Yes, one of the most vulnerability ridden pieces of software needs to be installed on your server (for local access). Install the latest version of Adobe flash.

6. If you have any vCenter 5.0 (not 5.1) instances that you want the Web Client to manage, they require manual registration with the web client. The vCenter 5.1 instance you just installed will automatically be discovered and requires NO further configuration. If you don’t need to register any vCenter 5.0 instances, skip to step 7.

A. Launch the vSphere Web Client Administration tool.

B. Acknowledge the SSL error, then you should be presented with a web page showing a warning that no vCenter 5.0 systems are registered. Click on Register vCenter Server.

C. Enter the FQDN of the vCenter 5.0 server as shown below in the first field (e.g. D001VCTR01.contoso.net). If during the registration process you get a SSL certificate warning just accept it. For the vSphere web client server name enter the FQDN of your vCenter 5.1 server (assuming the web client is installed on your vCenter 5.1 server).

7. Launch the VMware vSphere Web Client from the start menu but DO NOT login. If you look at the bottom left of the screen you can download the Client Integration Plug-in. I would recommend you download and install the client, so you can enable features such as Windows session credentials to login to the web client. Unfortunately the IE plug-in won’t work if your browser uses the more secure Protected Mode. So if you want increased security, don’t bother with the plug-in.

Also, the Web Browser shortcut in the Start menu will cause a SSL validation problem since it uses “Localhost” instead of the FQDN. Once IE opens, modify the URL to use the FQDN then bookmark the page and forget about launching the web client from the start menu.

8. Once the plug-in is installed you can now use your Windows session credentials to login. Do NOT login as the SSO account if you want to see your vCenter 5.1 servers. You must login with an account that is a member of the vCenter admin group. Validate that your vCenter 5.1 server is listed.

Update SSO Keystore

Note: When using the VMware vCenter Certificate automation tool you do NOT need to perform this section. I’ve left it here as a point of reference, in case you are manually replacing certificates. Either way proceed to Part 9, where I show you a couple of SSO configuration tweaks most people will want to make.

1. Login to the Web Client using the admin@system-domain account and your master password.

2. Go to Administration -> Sign-On and Discovery -> Configuration. Click on the STS Certificate tab.

3. Click on the Edit button then you need to navigate to the directory below and select the root-trust.jks file.

C:\Program Files\VMware\Infrastructure\SSOServer\Security

4. Enter the keystore password “testpassword”. You should now see at least two entries in your keystore (more if you have intermediary CAs.)

5. Select the chain alias (rui) then click OK. Re-enter the password “testpassword”.

6. Reboot the server, so that all services recognize the new certificate chain.

7. After the server reboots, and you wait a few minutes for all the services to start up, log back into the web client and review the certificates listed under the STS Certificate tab. You should now see two chains. One chain has an issuer of RSA Identity (the self-signed certs) and the other chain should reflect your CA infrastructure.

vCenter 5.1 U1 Installation: Part 7 (Install vCenter Server 5.1)

If you’ve made it this far, congrats! We are now ready to Install vCenter Server 5.1 Update 1! Yes in vSphere 5.1 there is A LOT of prerequisite work to do before you can start the vCenter Server installation. Part 6 of my series showed how to configure the vCenter and VUM SQL databases and the vCenter DSN. Now that all of the pre-reqs have been completed, we can now install vCenter Server 5.1 Update 1!

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Inventory Service Install)
Part 5 (Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

UPDATE 4/28/2013: I removed the SSL certificate pre-population steps, as using the VMware vCenter Certificate Automation tool is a much better option. You do that post-install, after all the components have been installed with self-signed certificates.

Install vCenter Server 5.1 Update 1

1. In Part 1 I created a service account that the SSO service used, and for the sake of simplicity I’ll use the same service account for the vCenter Server service. Login to your vCenter server as the service account. It should already have local admin rights on the vCenter server. Launch the vSphere 5.1 installer menu and select VMware vCenter Server and start the installation.


2. Select the appropriate language, read through all of the patents, EULA, and enter a license key if you have one.

3. On the Database Options screen you should select the second option then, if all went well, find your vCenter DSN from the drop-down menu.

4. Since we are using Windows authentication to the SQL server (more secure than SQL authentication) you can’t enter a database username or password.

5. You will likely see this warning message about the SQL database in full recovery mode, and that it may consume a lot of disk space without regular backups. This is normal and do NOT be alarmed. You ARE doing regular SQL backups right?

6. If you are running the installation as the vCenter service account (which you should be), then the account name will be pre-populated and you need to enter the appropriate password.

7. We don’t need to join an existing Linked mode group, so standalone is fine.

8. All of the default port numbers are fine, and for small environments we don’t need to increase the number of available ephemeral ports. If you will be powering on more than 2,000 VMs, then check the box.

9. JVM memory is an important configuration parameter, so carefully choose the right value. It doesn’t hurt to select a larger value, assuming you have adequate memory assigned to the vCenter VM.

10. New to vSphere 5.1 is the SSO service, so we need to input the master password used during the SSO installation process which I covered in part 1. The wizard will validate the password.

11. At this prompt you need to enter the group or user that will be recognized by the SSO service as the vCenter administrator. If you installed the SSO service in High Availability mode, then you will probably get an error “Wrong Input – either a command line argument is wrong….” if you try and use the “Administrators” group. So I would create an AD group that you want to use. Following my RBAC naming convention I specified the appropriate AD group. Use whatever group name you wish. The wizard will validate that it exists.

Note: If you get stuck at this point in the installer, check out the reader feedback below. Ben Hicks and John have some great tips on possible solutions.

12. Next you should see the vCenter Inventory Service URL, which needs no modifications.

13. Change the installation path if you wish, but I left it the default value. Then click Install and wait for it to complete. Profile Driven install may take a loooong time to install…20 minutes or more. So be patient while the installer runs.

14. Per a VMware KB article you need to fix the ADAM SSL port registry type. To fix this issue navigate to:

HKLM\SYSTEM\CurrentControlSet\Services\ADAM_VMwareVCMSDS\Parameters

Delete the Port SSL value and recreate it as a 32-bit DWORD with a decimal value of 636. Note: Per reader feedback, if you are using Linked Mode, use a different port number (above 1025) for the Port SSL, otherwise there will be a conflict.
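The registry change in step 14 can also be scripted. The PowerShell below is an added example, not part of the original post or the VMware KB; the `$Port` parameter and the checks around the change are assumptions of this example, and it must be saved as a script and run from an elevated prompt.

```powershell
# Added example: recreate the ADAM "Port SSL" value as a 32-bit DWORD (step 14).
# $Port is this example's own parameter. It defaults to 636; per the note above,
# pass a different port above 1025 when Linked Mode is in use.
param([int]$Port = 636)

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADAM_VMwareVCMSDS\Parameters'
$Name = 'Port SSL'

if (-not (Test-Path $Path)) {
    Write-Error "Registry key not found: $Path"
    exit 1
}

$key = Get-Item -Path $Path
if ($key.GetValueNames() -contains $Name) {
    $kind  = $key.GetValueKind($Name)
    $value = $key.GetValue($Name)
    Write-Host "Current '$Name': type=$kind value=$value"

    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $value -eq $Port) {
        Write-Host "Already a DWORD set to $Port; nothing to change."
        exit 0
    }
    # Delete the wrongly typed value before recreating it
    Remove-ItemProperty -Path $Path -Name $Name
}

New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Port | Out-Null

# Read the value back to confirm the type and data
$key = Get-Item -Path $Path
Write-Host ("New '{0}': type={1} value={2}" -f $Name, $key.GetValueKind($Name), $key.GetValue($Name))
```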

Assuming a successful installation, you can proceed to Part 8, where we install the vSphere Web Client.

vCenter 5.1 U1 Installation: Part 6 (Create vCenter and VUM Databases)

If you want to create vCenter and VUM Databases for vSphere 5.1 Update 1, you have come to the right spot. Database creation must be done prior to starting the vCenter installation, as one of the first prompts is selecting the vCenter DSN, which must be tied back to a database in SQL server. I’ve included a couple SQL and PowerShell scripts to help automate the process.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificate)
Part 3 (Install SSO Service SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

UPDATE 4/28/2013: Since SQL 2012 is now officially supported with vSphere 5.1 Update 1, I’ve added additional references and download links to the appropriate SQL 2012 resources. The DSN script also configures the ODBC connector appropriately for your version of SQL server.

Create vCenter and VUM Databases

1. On your vCenter server you must install the appropriate SQL Native Client. The ODBC configuration uses the Native Client to communicate back to your SQL server. Since vCenter requires a 64-bit server you need the 64-bit native SQL client. Download and install the appropriate native client, depending on the back-end version of SQL server you are using.

64-bit Microsoft SQL Server 2008 R2 SP2 native client
64-bit Microsoft SQL Server 2012 native client

2. Install the SQL Server native client on your vCenter server using all default values.

3. On your SQL server you need to create the vCenter and VUM databases. I’ve included a sample script below that does the trick. Of course you will need to modify the vCenter service account name, database names and paths to suit your environment.

Cut and paste the script into SQL Server Management Studio and execute it. If you use the same service account here as you did for the SSO installation you can either comment out the CREATE LOGIN statement below, or just ignore the warning when you run the script since the login already exists. No harm done trying to add a login that already exists.


/* Creates vCenter server and VUM databases. */
/* Change login name to vCenter service account */

EXEC('CREATE LOGIN [contoso\svc-vctr02-001] FROM WINDOWS')

USE MSDB
EXEC sp_grantdbaccess 'contoso\svc-vctr02-001'
EXEC sp_addrolemember db_owner, 'contoso\svc-vctr02-001'

USE master
create database "D001-vCenter Server"
on
( name = 'D001-vCenter Server',
filename = 'K:\Microsoft SQL Server\MSSQL\Data\D001-vCenter_Server.mdf',
size = 2000MB,
filegrowth = 500MB )
log on
( name = 'D001-vCenter Server log',
filename = 'L:\Microsoft SQL Server\MSSQL\Data\Logs\D001-vCenter_Server.ldf',
size = 200MB,
filegrowth = 20MB )
COLLATE SQL_Latin1_General_CP1_CI_AS;

create database "D001-vCenter VUM"
on
( name = 'D001-vCenter VUM',
filename = 'K:\Microsoft SQL Server\MSSQL\Data\D001-vCenter_VUM.mdf',
size = 250MB,
filegrowth = 25MB )
log on
( name = 'D001-vCenter VUM log',
filename = 'L:\Microsoft SQL Server\MSSQL\Data\Logs\D001-vCenter_VUM.ldf',
size = 25MB,
filegrowth = 2MB )
COLLATE SQL_Latin1_General_CP1_CI_AS;

EXEC('ALTER AUTHORIZATION ON DATABASE::"D001-vCenter Server" TO [contoso\svc-vctr02-001]')
EXEC('ALTER AUTHORIZATION ON DATABASE::"D001-vCenter VUM" TO [contoso\svc-vctr02-001]')

GO

Create vCenter ODBC Connector

On the vCenter server you now must create a 64-bit DSN for vCenter to use. You can create it manually through the ODBC GUI, but for consistency I like to script it, so I’ve included a sample PowerShell script below. I saved the script as vCenter-DSN.ps1. The script requires three arguments, with a fourth optional one:

  • FQDN of the SQL server
  • Database name (enclose in quotes if it has spaces)
  • Version of SQL server (2008 or 2012)
  • Optional: Encrypt (if SQL encryption is configured)

If you want a quick guide on configuring SQL transport encryption you can check out my article here. Again, for security I would strongly suggest you use SQL SSL encryption. Unlike the SSO/JDBC SQL SSL encryption issues, using the ODBC connector for SSL with the vCenter/VUM databases works like a charm.

1. Save the PowerShell script below and execute it in an elevated PowerShell command prompt, using your settings:

Example:

.\vCenter-DSN.ps1 D001SQL02.contoso.net "D001-vCenter Server" 2012 Encrypt

vCenter-DSN.ps1


## Creates a 64-bit System DSN for vCenter Server.
## Supports SQL Server 2008(R2) and SQL 2012
$DSNName = $args[1]
$DBName = $args[1]

If($args[0] -eq $NULL) { echo "Must specify FQDN of SQL server."; Exit}
If($args[1] -eq $NULL) { echo "Must specify Database name."; Exit}
If($args[2] -eq $NULL) { echo "Must specify SQL Version (2008 or 2012)"; Exit}
if($args[3] -eq "encrypt") { $Encrypt = "Yes" } Else { $Encrypt = "No" }

$HKLMPath1 = "HKLM:\SOFTWARE\ODBC\ODBC.INI\" + $DSNName
$HKLMPath2 = "HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources"
md $HKLMPath1 -ErrorAction silentlycontinue

set-itemproperty -path $HKLMPath1 -name Description -value $DSNName
set-itemproperty -path $HKLMPath1 -name Server -value $args[0]
set-itemproperty -path $HKLMPath1 -name LastUser -value "Administrator"
set-itemproperty -path $HKLMPath1 -name Trusted_Connection -value "Yes"
set-itemproperty -path $HKLMPath1 -name Encrypt -value $Encrypt
set-itemproperty -path $HKLMPath1 -name Database -value $DBName

md $HKLMPath2 -ErrorAction silentlycontinue

if ($args[2] -eq 2008) {
set-itemproperty -path $HKLMPath2 -name "$DSNName" -value "SQL Server Native Client 10.0"
set-itemproperty -path $HKLMPath1 -name Driver -value "C:\WINDOWS\system32\sqlncli10.dll"
}

Else {
set-itemproperty -path $HKLMPath2 -name "$DSNName" -value "SQL Server Native Client 11.0"
set-itemproperty -path $HKLMPath1 -name Driver -value "C:\WINDOWS\system32\sqlncli11.dll"
}

2. At this point you should test the ODBC connection to avoid any vCenter installation issues. In the Windows Start screen search box type ODBC and select ODBC Data Sources (64-bit). When the ODBC Administrator appears click on System DSN and you should see the DSN the script created.

3. Click on the Configure button and run through the wizard (without changing any settings) and you should arrive at the summary screen below. In my case I require data encryption, so that option is set to Yes.

4. Click on Test Data Source.. and you should see a successful connection message. If you have configured SQL transport encryption it will also note that the connection was encrypted and that the server certificate was validated (not self-signed).
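The GUI test in steps 2 through 4 can also be run from the command line. The PowerShell below is an added example, not part of the original post; the `$DSNName` parameter is this example's own, and the encryption check assumes the login is allowed to read sys.dm_exec_connections (VIEW SERVER STATE).

```powershell
# Added example: command-line version of the "Test Data Source" check.
# Run in 64-bit PowerShell on the vCenter server, as the account that will use the DSN.
param([Parameter(Mandatory=$true)][string]$DSNName)

Add-Type -AssemblyName System.Data

# 1. Read back what vCenter-DSN.ps1 wrote to the registry
$dsnKey = "HKLM:\SOFTWARE\ODBC\ODBC.INI\$DSNName"
if (-not (Test-Path $dsnKey)) { Write-Error "System DSN '$DSNName' not found."; exit 1 }
$dsn = Get-ItemProperty -Path $dsnKey
"Server   : $($dsn.Server)"
"Database : $($dsn.Database)"
"Encrypt  : $($dsn.Encrypt)"
if (-not (Test-Path $dsn.Driver)) { Write-Warning "Driver DLL missing: $($dsn.Driver)" }

# 2. Open a connection through the DSN (Windows authentication, as configured)
$conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$DSNName")
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT DB_NAME()"
    "Connected to database: $($cmd.ExecuteScalar())"

    # 3. Ask the server whether this session is encrypted.
    # Assumption: the login holds VIEW SERVER STATE; otherwise only a warning is shown.
    $cmd.CommandText = "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
    try {
        $enc = $cmd.ExecuteScalar()
        "Server reports encrypt_option = $enc"
        if ($dsn.Encrypt -eq 'Yes' -and $enc -ne 'TRUE') {
            Write-Warning "DSN requests encryption but the session is not encrypted."
        }
    }
    catch {
        Write-Warning "Could not read encrypt_option: $($_.Exception.Message)"
    }
}
catch {
    Write-Error "Connection through DSN '$DSNName' failed: $($_.Exception.Message)"
}
finally {
    $conn.Close()
}
```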

At this point you have successfully configured the vCenter and VUM databases and set up the vCenter DSN. We will configure the VUM DSN when we do the VUM installation. Part 7 in this series is installing the vCenter 5.1 server using the database and DSN you created.

vCenter 5.1 U1 Installation: Part 5 (Inventory Service SSL Certificate)

This is Part 5 of the 15-part vCenter 5.1 Update 1 installation series, and covers manually replacing the VMware inventory service SSL certificate. If you want to use the VMware vCenter Certificate Automation tool (highly recommended), then you can skip this part and go directly to Part 6. As a post-install process the new VMware tool will be used to replace all of the certificates, including the Inventory service.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Inventory Service Install)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)


UPDATE 4/28/2013: Since VMware has released the vCenter Certificate Automation tool, I now recommend using that tool to replace your certificates instead of the manual process. It’s more automated and less error prone. But should you want to do it manually, you can still follow this post.

UPDATE 1/27/2013: Updated the post with 5.1.0b information, which seems to have resolved a script error with the un-registration process. Other minor tweaks as well.


UPDATE 10/26/12: vSphere 5.1.0A *still* seems to have a problem with the unregister script and required me to modify the script to make it work. However, unlike the GA release, updating the SSL certificates post-install in 5.1.0A does not cause the vCenter installer to fail. So I can now recommend that you configure the inventory service with trusted SSL certificates. Pre-population is still easier, but the procedure below seems to work now. You can find the official VMware KB article covering these steps here.

Replacing Inventory Service SSL Certificate

1. The first step is to UN-register the Inventory service from the vCenter SSO service. Open an elevated command prompt and type the following commands:

cd /d C:\Program Files\VMware\Infrastructure\Inventory Service\scripts

unregister-sso.bat https://YourServer.FQDN:7444/lookupservice/sdk admin@System-Domain YourPassword

If successful you should see output similar to the following screenshot. Keep the command window open.

2. Stop the “VMware vCenter Inventory Service”.

3. Copy the three key certificate files we created back in part two of my series to the following directory: C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl. First, make a backup of the keys in the SSL folder. Second, copy the Inventory service certificate files (rui.crt, rui.key and rui.pfx) from the D:\Certs\Inventory directory and overwrite the versions in the SSL folder.

4. Start the “VMware vCenter Inventory Service”.

5. In the same command window you kept open from step 1, enter the following command:

register-sso.bat https://YourServer.FQDN:7444/lookupservice/sdk admin@System-Domain YourPassword

If successful you should see output similar to the following screenshot.

6. Browse to the inventory service URL (https://YourServer.FQDN:10443) and validate that the trusted SSL certificate is being used. You will see a 400 Bad request error, but that can be safely ignored. Just validate the browser is showing the trusted certificate is being used.
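The browser check in step 6 can be scripted as well. The PowerShell below is an added example, not part of the original post or the VMware KB; the `$Server` and `$Port` parameters and the 30-day expiry threshold are assumptions of this example, and the result depends on the Windows trust store of the machine it runs on.

```powershell
# Added example: check the certificate served on the Inventory Service port.
# $Server and $Port are this example's own parameters; 10443 is the port from step 6.
param([Parameter(Mandatory=$true)][string]$Server, [int]$Port = 10443)

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($Server, $Port)
    # No custom validation callback is supplied, so .NET validates the chain
    # against the Windows trust store and checks the name against $Server.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Server)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Certificate validated for ${Server}:$Port"
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Thumbprint : $($cert.Thumbprint)"
    "Expires    : $($cert.NotAfter)"

    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "Subject and issuer match: this looks like a self-signed certificate."
    }
    # 30 days is an arbitrary threshold chosen for this example
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days." }
}
catch {
    # Reached when the connection, TLS handshake or certificate validation fails
    Write-Error "Check failed for ${Server}:${Port}: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Close() }
    $tcp.Close()
}
```

Pass the same FQDN that appears in the certificate; the name check is made against the value of `$Server`.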

Congratulations! You have now updated your Inventory Service SSL certificates and can proceed to creating the vCenter and VUM databases and DSN in Part 6.
