Now that vCenter Server installed, we need to proceed to getting the vSphere 5.1 Web Client installed and configured. In Part 7 of this series we installed vCenter Server 5.1, which is a pre-req. The vSphere 5.1 web client has come a long ways since vCenter 5.0. It is now the primary means to manage your vSphere 5.x servers and vCenter 5.x instances (does not manage vSphere 4.x or 3.x). In fact, nearly all new vSphere 5.1 features are ONLY exposed through the web client, such as VM hardware version 9 and new dVS features.
The Windows C# vSphere client is a dodo bird in the making, and who knows how long it will be around. However, the web client requires all new plug-ins (such as those from server/storage vendors), and VMware did not migrate VUM to the vSphere web client. So to manage/configure/use VUM you still need to use the traditional C# vSphere client. Vendors such as HP have released updated plug-ins.
Before we get started, listed below are the other related articles in this series:
Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 9 (Optional SSO Configuration)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)
UPDATE 4/28/2013: I’ve removed the SSL certificate pre-population steps, as I think using the VMware vCenter certificate automation tool is a better choice. It’s fully supported, and makes the process more repeatable.
Installing the vSphere 5.1 Update 1 Web Client
1. Start the vSphere Web Client installation wizard from the main menu.
3. Click through the wizard until you get to the SSO logon screen. I would strongly suggest you NOT change any default installation paths. You will likely end up with a dead server, according to KB2044953. Enter the credentials you created during the SSO installation process.
4. Wait for the installation process to complete. The services may take a few minutes to fully start, so I’d wait a little bit after the install completes to move on to the next step.
5. To administer vCenter locally via the web client you need Adobe Flash. Yes, one of the most vulnerability ridden pieces of software needs to be installed on your server (for local access). Install the latest version of Adobe flash.
6. If you have any vCenter 5.0 (not 5.1) instances that you want the Web Client to manage, they require manual registration with the web client. The vCenter 5.1 instance you just installed will automatically be discovered and requires NO further configuration. If you don’t need to register any vCenter 5.0 instances, skip to step 7.
A. Launch the vSphere Web Client Administration tool.
B. Acknowledge the SSL error, then you should be presented with a web page showing a warning that no vCenter 5.0 systems registered. Click on Register vCenter Server.
C. Enter the FQDN of the vCenter 5.0 server as shown below in the first field (e.g. D001VCTR01.contoso.net). If during the registration process you get a SSL certificate warning just accept it. For the vSphere web client server name enter the FQDN of your vCenter 5.1 server (assuming the web client is installed on your vCenter 5.1 server).
7. Launch the VMware vSphere Web Client from the start menu but DO NOT login. If you look at the bottom left of the screen you can download the Client Integration Plug-in. I would recommend you download and install the client, so you can enable features such as Windows session credentials to login to the web client. Unfortunately the IE plug-in won’t work if your browser uses the more secure Protected Mode. So if you want increased security, don’t bother with the plug-in.
Also, the Web Browser shortcut in the Start menu will cause a SSL validation problem since it uses “Localhost” instead of the FQDN. Once IE opens, modify the URL to use the FQDN then bookmark the page and forget about launching the web client from the start menu.
8. Once the plug-in is installed you can now use your Windows session credentials to login. Do NOT login as the SSO account if you want to see your vCenter 5.1 servers. You must login with an account that is a member of the vCenter admin group. Validate that your vCenter 5.1 server is listed.
Update SSO Keystore
Note: When using the VMware vCenter Certificate automation tool you do NOT need to perform this section. I’ve left it here as a point of reference, in case you are manually replacing certificates. Either way proceed to Part 9, where I show you a couple of SSO configuration tweaks most people will want to make.
1. Login to the Web Client using the admin@system-domain account and your master password.
2. Go to Administration -> Sign-On and Discovery -> Configuration. Click on the STS Certificate tab.
3. Click on the Edit button then you need to navigate to the directory below and select the root-trust.jks file.
4. Enter the keystore password “testpassword”. You should now see at least two entries in your keystore (more if you have intermediary CAs.)
5. Select the chain alias (rui) then click OK. Re-enter the password “testpassword”.
6. Reboot the server, so that all services recognize the new certificate chain.
7. After the server reboots, and you wait a few minutes for all the services to start up, log back into the web client and review the certificates listed under the STS Certificate tab. You should now see two chains. One chain has an issuer of RSA Identity (the self-signed certs) and the other chain should reflect your CA infrastructure.