vCenter 5.1 U1 Installation: Part 8 (Install web client)

Now that vCenter Server installed, we need to proceed to getting the vSphere 5.1 Web Client installed and configured. In Part 7 of this series we installed vCenter Server 5.1, which is a pre-req. The vSphere 5.1 web client has come a long ways since vCenter 5.0. It is now the primary means to manage your vSphere 5.x servers and vCenter 5.x instances (does not manage vSphere 4.x or 3.x). In fact, nearly all new vSphere 5.1 features are ONLY exposed through the web client, such as VM hardware version 9 and new dVS features.

The Windows C# vSphere client is a dodo bird in the making, and who knows how long it will be around. However, the web client requires all new plug-ins (such as those from server/storage vendors), and VMware did not migrate VUM to the vSphere web client. So to manage/configure/use VUM you still need to use the traditional C# vSphere client. Vendors such as HP have released updated plug-ins.

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

UPDATE 4/28/2013: I’ve removed the SSL certificate pre-population steps, as I think using the VMware vCenter certificate automation tool is a better choice. It’s fully supported, and makes the process more repeatable.

Installing the vSphere 5.1 Update 1 Web Client

1. Start the vSphere Web Client installation wizard from the main menu.

3. Click through the wizard until you get to the SSO logon screen. I would strongly suggest you NOT change any default installation paths.  You will likely end up with a dead server, according to KB2044953. Enter the credentials you created during the SSO installation process.

4. Wait for the installation process to complete. The services may take a few minutes to fully start, so I’d wait a little bit after the install completes to move on to the next step.

5. To administer vCenter locally via the web client you need Adobe Flash. Yes, one of the most vulnerability ridden pieces of software needs to be installed on your server (for local access). Install the latest version of Adobe flash.

6. If you have any vCenter 5.0 (not 5.1) instances that you want the Web Client to manage, they require manual registration with the web client. The vCenter 5.1 instance you just installed will automatically be discovered and requires NO further configuration. If you don’t need to register any vCenter 5.0 instances, skip to step 7.

A. Launch the vSphere Web Client Administration tool.

B. Acknowledge the SSL error, then you should be presented with a web page showing a warning that no vCenter 5.0 systems registered. Click on Register vCenter Server.

C. Enter the FQDN of the vCenter 5.0 server as shown below in the first field (e.g. D001VCTR01.contoso.net). If during the registration process you get a SSL certificate warning just accept it. For the vSphere web client server name enter the FQDN of your vCenter 5.1 server (assuming the web client is installed on your vCenter 5.1 server).

7. Launch the VMware vSphere Web Client from the start menu but DO NOT login. If you look at the bottom left of the screen you can download the Client Integration Plug-in. I would recommend you download and install the client, so you can enable features such as Windows session credentials to login to the web client. Unfortunately the IE plug-in won’t work if your browser uses the more secure Protected Mode. So if you want increased security, don’t bother with the plug-in.

Also, the Web Browser shortcut in the Start menu will cause a SSL validation problem since it uses “Localhost” instead of the FQDN. Once IE opens, modify the URL to use the FQDN then bookmark the page and forget about launching the web client from the start menu.

8. Once the plug-in is installed you can now use your Windows session credentials to login. Do NOT login as the SSO account if you want to see your vCenter 5.1 servers. You must login with an account that is a member of the vCenter admin group. Validate that your vCenter 5.1 server is listed.

Update SSO Keystore

Note: When using the VMware vCenter Certificate automation tool you do NOT need to perform this section. I’ve left it here as a point of reference, in case you are manually replacing certificates. Either way proceed to Part 9, where I show you a couple of SSO configuration tweaks most people will want to make.

1. Login to the Web Client using the admin@system-domain account and your master password.

2. Go to Administration -> Sign-On and Discovery -> Configuration. Click on the STS Certificate tab.

3. Click on the Edit button then you need to navigate to the directory below and select the root-trust.jks file.

C:\Program Files\VMware\Infrastructure\SSOServer\Security

4. Enter the keystore password “testpassword”. You should now see at least two entries in your keystore (more if you have intermediary CAs.)

5. Select the chain alias (rui) then click OK. Re-enter the password “testpassword”.

6. Reboot the server, so that all services recognize the new certificate chain.

7. After the server reboots, and you wait a few minutes for all the services to start up, log back into the web client and review the certificates listed under the STS Certificate tab. You should now see two chains. One chain has an issuer of RSA Identity (the self-signed certs) and the other chain should reflect your CA infrastructure.

Print Friendly, PDF & Email

Related Posts

18
Leave a Reply

avatar
13 Comment threads
5 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
6 Comment authors
nickprateekambiDerek Seaman@Spranta1 Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Tim
Guest

Derek, did you have any problems accessing the Log Browser in the web client? Seems to be related to the certs. I saw Terrafirma mention it http://communities.vmware.com/message/2117809#2117809 I havent quite found a working solution yet.

Derek Seaman, vExpert, VCP5, MCITP:EA, CISSP
Guest

Tim,

Terrafirm has sent me more details on getting the Log Browser to work. This weekend I’m confirm the fix and publish a new part to the series. It’s harder than you think to get that piece working.

Mike
Guest
Mike

Derek, did you at any point receive any warnings from the web client that it failed to verify the vCenter SSL certificate? After I setup vCenter, I went right into the Web Client setup without verifying that the certs were working correctly on the vCenter server. When I first logged into the Web Client, I received the referenced error. I tried signing into vCenter using the full client, and I received a certificate warning. Upon looking at the details of the cert, I realized it was still giving out the default cert. I did some digging and realized I had… Read more »

Pedro Miguel
Guest

Hi Derek, having problems on starting VMware vSphere Web Client, I was following your tutorial, plus the vmware documenthttp://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf, but the document is terrible, mentioning folders on windows 2008 that not exist. I get the follwing error:The VMware vSphere Web Client service terminated with service-specific error Incorrect function.. (event ID: 7024), I already try this fix (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2012473) but with no success, any ideias? thanks in advance, Miguel

Derek Seaman, vExpert, VCP5, MCITP:EA, CISSP
Guest

Pedro, I haven’t seen that error so can’t really offer any advice on that problem.

Dejan
Guest

Hi Derek, thank you for the great Tutorial :). I have problem with Web client … I can’t log-in. The message says:Failed to connect to VMware Lookup Service https://myVCServer:7444/lookupservice/sdk – SSL certificate verification failed.(image available here)http://imageshack.us/a/img40/3387/certificateverification.jpgand herehttp://imageshack.us/a/img836/7170/404onlookupservicelink.jpg- I have created and validated certificates- I have placed them in proper directoriesDo I have to install them somehow?Also in the middle of installation I have run out of the space on that VM and had to expand it. That machine now has different IP now. Is that maybe cause of the problem? Please help. Thank you so much!

Anonymous
Guest
Anonymous

Hi Dejan and Derek,

i had the same error. Following fixed my problem:
C:\ProgramData\VMware\vSphere web client\registration_hooks\client-repoint.bat

Run this batch in an elevated cmd window and you are back in the game.

Regards,

Juergen

@Spranta1
Guest

I hab the same problem after installing vCops.

Juergen, thanks for the hint! Worked perfekt!

@Derek, your page is awesome! Big Clap!

Dejan
Guest

Derek, thanks for quick reply :)! When I put the certificate in for example “C:\ProgramData\VMware\SingleSignOn\SSL” do I have to install it… or just to leave it there is enough?

Thanks!

Mahesh Falmari
Guest

Hi Derek, I have installed two vCenter servers and registered it with the single lookup service.But when I try to logon using the SSO admin user to the vSphere web client, I get the following error: Failed to verify the SSL certificate for one or more vCenter Server systems:https://:443/sdkCheck the vSphere Web Client Administration tool and make sure that the SSL certificate is installed. These two vCenters are part of the same AD, but only one vCenter is being shown in the web client. Note that I have not installed any SSL certificates, I wanted to use the default one… Read more »

Dejan
Guest

Hi Derek, I have assigned some users to proper groups and now I can see the VCenter server! Thanks again for your help.

You rock man!
Dejan

Anonymous
Guest
Anonymous

FYI, I had this error too:
Could not connect to one or more vCenter Server systems:
https://myserver:443/sdk

It was because I did not use the FQDN to the vCenter Server when installing vCenter and it prompts for the service account. It needs to be the FQDN to the server and not the domain where the serviec account resides. Why these are on the same screen with no explanation seems odd. Anyway, had to re-install vCenter, leave the FQDN at the suggested server.domain.com setting, and then Web Client connected first time with no issues.

Anonymous
Guest
Anonymous

Hi Derek,
I want to install the vsphere web client on a separate computer that isn’t vcenter because i just do not want to install flash player on my vcenter server. Do i need to take the certs for the vsphere web client i created in openssl on the vcenter server and transfer them to the computer i want the web client on’s “c:\programdata\VMware\vsphere web client\ssl” directory or do i only need to do that if intall the web client on the vcenter server itself?
THanks,
Mike

ambi
Guest
ambi

somhow i cant find a guide to add/authenticate vcenter 5.1 in the vsphere web client 5.1 in your blog or anywhere with a screenshot if possible because only and god and vmware knows what should we enter in name
primary and secondary url
base dn for users
and others

prateek
Guest
prateek

hi ..I am using workstation 9 for in which i installed esxi 5.1 and i have installed Vcenter Server 5.1 on 2008 r2 and i also install web client 5.1 . But from guest OS i was unable to connect with web client it is simply give a message in IE9 that The page cannot be displayed. i m using https://ipaddress/9443.

nick
Guest
nick

The client integration plugin allows these 2 additional things (referencing step #7):
1) Ability to transfer files to/from datastores using the web client
2) Allows you to open a VM console window within the web client

This installation series is the most complete I've ever seen so I'm trying to help improve it 🙂

vSphere 5.1 Install Screen
Scroll to Top