Archives for 2013

vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

After a bit of a delay, I'm finally publishing how to update your ESXi SSL certificate. The process is pretty much unchanged from the 4.x era, but what is new is my Toolkit script. It has been updated to include ESXi certificate support. This is accomplished entirely in PowerShell and does NOT require SSH to be enabled on the host. It uses HTTPS PUT requests to upload the two required files. This should also run successfully against older ESXi hosts, but I haven't tested it.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction
vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn
vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter
vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Introduction

Download my vCenter 5.5 Toolkit v1.5 or later from here. It was just updated for this post, so if you've been following along and already have the script, you will need the updated version for the ESXi features. At this point I'll make the following assumptions:

1) You've installed ESXi 5.x.
2) You've created a DNS entry for your ESXi host.
3) The ESXi host is reachable on the network via its FQDN (e.g. ESX01.yourdomain.com).
4) The host you run the Toolkit script on has HTTPS access to the ESXi host(s).

vCenter records the host's certificate thumbprint when the host is added, so VMware HA can get confused by the changed thumbprint if you replace the SSL certificate on a host that was already added to vCenter. For this reason I recommend either updating the host SSL certificate before adding it to vCenter, or disconnecting the host in vCenter, updating the certificate, and then reconnecting it. Should you run into SSL thumbprint errors, you may see a message like the one below. For more information check out KB 2006210.

The script is fairly flexible and can produce ESXi certificates via a variety of methods. You can also feed it a CSV file of hosts and mass produce certificates. Each method has its own section below. I suggest reading through all methods so you know what options you have and get the complete picture.

Online Minting Method

1. Open an elevated PowerShell prompt and run the Toolkit script. You will see the following menu items. Version 1.5 and later have a new "ESXi Hosts" section with several options. Like the other modules, the script supports an online Microsoft CA, an online Microsoft CA that requires manual approval, or creating the CSRs to use with a non-Microsoft CA.

In this first example let’s assume you have an online Microsoft CA that does not require manual certificate approval. Select Option 11.

2. You are now presented with a second menu. Here you can manually enter the ESXi hostnames, or read in a CSV if you have lots of hosts to prepare certificates for. Let’s first go for the manual host entry and select Option 1.

3. After selecting Option 1 you are prompted to enter the hostname(s) of the ESXi servers. Be sure to use the FQDN of your ESXi host(s). Comma separate the hosts if you input more than one. Assuming you haven't run the script before, it will then ask you for the root credentials of the ESXi host. The credentials must be the same for all hosts, and you only need to enter them once no matter how many hosts you are updating.

4. After you enter the root credentials you should get a yellow status message for each ESXi host that the certificates were successfully uploaded to. There is some error trapping, so problems like incorrect credentials or invalid hostnames will produce an error message, but the script continues with the remaining hosts.

5. At this point I recommend rebooting the ESXi host. Yes, technically you can restart the ESXi management agents, but I feel better with a full reboot. After the reboot open your favorite browser and go to the FQDN of your ESXi host. You should not get any SSL errors, provided the machine you browse from trusts your CA's root. You can also open the certificate properties and verify it came from your trusted CA.

You can now add your ESXi host to vCenter. Find your cluster in vCenter, then right click on it and select Add Host. Enter the FQDN of your ESXi host and run through the rest of the wizard. It should now be added, and the proper thumbprint stored in the database.

Offline Minting Method

1. Run my Toolkit script but this time select option 12. This will only create the CSRs, which you will then submit to your own CA and download the minted certificate. Again here I selected option 1 to manually enter the ESXi hostname.

2. If you look in the certificate directory path (configurable in the script), you will see a folder with the FQDN of your ESXi host. If you open that folder you will see three files. Take the CSR and submit it to your CA. Download a BASE64 encoded certificate (not a certificate chain) and save it as rui.crt in the same folder.

3. Re-run the Toolkit script but this time select option 13. Re-enter the hostname(s) that you created certificates for. Enter the root credentials if they are not already cached. You should get a yellow status message for each ESXi host if it is successful.

4. Go back to Step 5 in the Online Minting section to reboot your host, validate the certificate is correct, and reconnect the ESXi host to vCenter.

Manual Approval Method

1. Run my Toolkit script using option 11. This will proceed just like the online method, but it will display RequestIDs that your CA administrator must approve. I selected option 1 on the sub-menu to manually enter the ESXi hostname.

2. Note in yellow the RequestID(s) and have your CA administrator approve them.  After it is approved, re-run the Toolkit script but select option 13 from the main menu. Re-enter the same ESXi hostname(s) or CSV file that you used for the original request. You should see a status message showing the certificate(s) were downloaded and then successfully uploaded to each ESXi host.

3. Go back to Step 5 in the Online Minting section to reboot your host, validate the certificate is correct, and reconnect the ESXi host to vCenter.

CSV Input File

If you have several hosts that you need to update certificates on, then you don't really want to be typing in all the hostnames. So this script will also accept a formatted text file of ESXi host names. The input file can be used with ALL minting methods (online, offline, manual approval). The file is very simple: each line holds the FQDN of a single ESXi host. There is no limit to the number of hosts you can put in the file.

To use this file merely select Option 2 on the sub-menu (Read ESXi hosts from CSV file) and input the path to your text file. You can see a sample use case below, where I’m using manually approved certificates.

Summary

As you can see, the Toolkit script is now fairly complete, although delayed a bit longer than I had originally planned. It certainly is not foolproof, but it does have some error checking. No doubt there will be some circumstances where it will fail. Should you need to manually copy the certificate files to the host using something like WinSCP, copy the rui.crt and rui.key files to /etc/vmware/ssl on the ESXi host. Be sure to use ASCII/text mode to avoid translation issues. Also, if you wish to delete the cached root credentials (I would suggest this as soon as you complete the certificate upgrades, since that file holds the root password for every host you updated), remove the root-credentials file from your Certificate directory.
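The upload-and-verify flow described in this post, as an added example. This is my code, not the Toolkit script, and it makes these assumptions: the ESXi /host/ssl_cert and /host/ssl_key file endpoints accept a PUT with root credentials, the host is esx01.yourdomain.com, the certificate directory is C:\Certs\esx01.yourdomain.com, and you obtain the host's current SSL thumbprint out of band (the DCUI "View Support Information" screen). The security-relevant point: the upload has to happen while the host still presents its self-signed certificate, and the easy fix is to disable certificate validation for the session. That hands the root password to anyone who can sit between you and the host. Pinning the current thumbprint for the duration of the upload, then restoring normal validation, closes that window, and the post-reboot check confirms the new certificate chains to a trusted root rather than just "no browser warning".

```powershell
# Added example (not the Toolkit script). Windows PowerShell 3+; Invoke-WebRequest
# here uses HttpWebRequest, which honours ServicePointManager's validation callback.
if (-not ('PinnedCertPolicy' -as [type])) {
Add-Type -TypeDefinition @"
using System; using System.Net; using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCertPolicy {
    public static string ExpectedThumbprint = "";
    public static void Install() {
        ServicePointManager.ServerCertificateValidationCallback =
            delegate(object s, X509Certificate c, X509Chain ch, SslPolicyErrors e) {
                // Accept exactly the certificate we were told to expect; anything else fails closed.
                return string.Equals(new X509Certificate2(c).Thumbprint, ExpectedThumbprint,
                                     StringComparison.OrdinalIgnoreCase);
            };
    }
    public static void Remove() { ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}

function Test-PemFiles {
    # Sanity-check rui.crt/rui.key before touching the host; returns the new cert's thumbprint.
    param([string]$CertDir, [string]$Fqdn)
    $crt = Join-Path $CertDir 'rui.crt'; $key = Join-Path $CertDir 'rui.key'
    foreach ($f in $crt, $key) { if (-not (Test-Path $f)) { throw "Missing $f" } }
    if ([regex]::Matches((Get-Content $crt -Raw), '-----BEGIN CERTIFICATE-----').Count -ne 1) {
        throw 'rui.crt must hold exactly one Base64 certificate (the leaf, not a chain)'
    }
    if ((Get-Content $key -Raw) -notmatch '-----BEGIN (RSA )?PRIVATE KEY-----') { throw 'rui.key is not a PEM private key' }
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt
    $san = ($x509.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
            ForEach-Object { $_.Format($false) }) -join ' '
    $cnMatch = $x509.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)"
    if (-not ($cnMatch -or $san -match [regex]::Escape($Fqdn))) { throw "rui.crt is not issued for '$Fqdn'" }
    if ($x509.NotAfter -lt (Get-Date)) { throw 'rui.crt has already expired' }
    return $x509.Thumbprint
}

function Set-EsxiCertificate {
    param([Parameter(Mandatory=$true)][string]$Fqdn,
          [Parameter(Mandatory=$true)][string]$CertDir,
          [Parameter(Mandatory=$true)][string]$CurrentThumbprint,   # SHA1 from the DCUI, obtained out of band
          [Parameter(Mandatory=$true)][pscredential]$RootCredential)
    $newThumb = Test-PemFiles -CertDir $CertDir -Fqdn $Fqdn
    [PinnedCertPolicy]::ExpectedThumbprint = ($CurrentThumbprint -replace '[:\s]', '')
    [PinnedCertPolicy]::Install()
    try {
        $files = [ordered]@{ ssl_cert = 'rui.crt'; ssl_key = 'rui.key' }   # assumed /host/ file endpoints
        foreach ($item in $files.GetEnumerator()) {
            $uri = "https://$Fqdn/host/$($item.Key)"
            Invoke-WebRequest -Uri $uri -Method Put -InFile (Join-Path $CertDir $item.Value) `
                -Credential $RootCredential -ContentType 'text/plain' -UseBasicParsing | Out-Null
            Write-Host "PUT $uri OK" -ForegroundColor Yellow
        }
    } finally { [PinnedCertPolicy]::Remove() }   # never leave a relaxed policy behind in the session
    Write-Host "Uploaded. Reboot $Fqdn, then: Test-EsxiCertificate -Fqdn $Fqdn -ExpectedThumbprint $newThumb"
}

function Test-EsxiCertificate {
    # Post-reboot check: does the host now present a certificate this machine trusts, for this name?
    param([Parameter(Mandatory=$true)][string]$Fqdn, [string]$ExpectedThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Fqdn)   # throws on untrusted chain or name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $match = (-not $ExpectedThumbprint) -or ($cert.Thumbprint -eq ($ExpectedThumbprint -replace '[:\s]', ''))
        [pscustomobject]@{ Host = $Fqdn; Trusted = $true; ThumbprintMatches = $match; Subject = $cert.Subject
                           Issuer = $cert.Issuer; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
    } catch {
        [pscustomobject]@{ Host = $Fqdn; Trusted = $false; Error = $_.Exception.Message }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

# Usage (hostname, path and thumbprint are placeholders for your environment):
# $cred = Get-Credential root
# Set-EsxiCertificate -Fqdn 'esx01.yourdomain.com' -CertDir 'C:\Certs\esx01.yourdomain.com' `
#     -CurrentThumbprint '<SHA1 shown in the DCUI>' -RootCredential $cred
# ... reboot the host ...
# Test-EsxiCertificate -Fqdn 'esx01.yourdomain.com'
```

Run Test-EsxiCertificate from a machine that has your CA's root in its trusted store; if Trusted comes back $false the chain is the problem, not the upload. If the host was already in vCenter, disconnect and reconnect it afterwards so vCenter re-records the thumbprint, as described above.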

vSphere 5.5 Install Pt. 18: VUM SSL & Misc. Config.

So now that vCenter 5.5 with VUM is installed, we need to configure a trusted vCenter Update Manager SSL certificate and then do a few VUM configuration tweaks. These tweaks include configuring HP and Dell repos, plus configuring basic VUM compliance scans.

At this point I’ll assume you’ve been following this series and ran my Toolkit script to create all of your certificates.

VUM SSL Configuration

1. Run the VMware Certificate automation tool script and from the main menu select option 8. On the VUM menu select option 1.

2. After selecting option 1 from the VUM menu you will be prompted for a series of responses. The chain.pem and rui.key paths should already be set via my Toolkit script (Option 4). Enter the Administrator password you used during the SSO installation, many installments ago. Sit back and wait a couple of minutes, and you should see a success message.

VUM Configuration

1. Launch the VMware vSphere Windows client and connect to your vCenter server. If you haven’t already installed the VUM plug-in, go to the Plug-ins menu and you should see a plug-in under “Available Plug-ins”. Click Download and Install. Run the installer using all default values. You can see below that I’ve already installed the extension.

2. Assuming the install goes well, close the vSphere client. Reconnect to vCenter using the Windows vSphere Client. You should NOT get an SSL warning for vCenter or VUM. If you do get an SSL warning, something went wrong, or you also installed another service like Auto Deploy or a third-party plug-in that is untrusted.

3. Depending on your server hardware vendor, you may want to add the HP depot URL to VUM so you know when they release updated software. Unfortunately at this time I'm not aware of a Cisco VIB depot. Open the Admin View of VUM.

4. Once the VUM Admin page opens click on the Configuration tab. Select Download Settings. Click Add a Download Source and use the following URLs:

HP: http://vibsdepot.hp.com/index.xml

Dell: http://vmwaredepot.dell.com/index.xml

Note that both depots are served over plain HTTP, so the transport gives you no integrity guarantee. What protects you from a tampered depot is the VIB signature check ESXi performs against the host's acceptance level (PartnerSupported by default), so don't lower a host to CommunitySupported just to make a vendor bundle install.

After you add the URL(s) they will appear in the list. Click on the Download Now button. Monitor the Recent Tasks pane and wait for the download to complete.

5. After a bit of time your patch repository will be fully populated.

6. Next up I would suggest attaching VUM baselines to both your hosts and VMs. In the Hosts and Cluster view go to the VUM tab then attach a baseline. I’d recommend you check the two boxes shown below.

7. Switch to the VMs and Templates view and attach the three provided baselines.

8. You can now perform VUM scans and check your compliance status.

VUM hasn't undergone any visible changes in vSphere 5.5. So if you are accustomed to using VUM in previous releases, you won't have anything new to learn. You could also schedule weekly compliance scans and have reports emailed to you. One could also create custom baselines that are static, so that when new patches are downloaded you aren't instantly out of compliance. VMware has stated VUM is dying, so I suspect in the 6.0 timeframe we will see an entirely new way to handle patches.

Next up in Part 19, learn how to update your ESXi host certificate.

vCenter 5.5 SSL Certificate and SQL Toolkit Updated

Fresh off the press is an updated version of my vCenter 5.5 SSL certificate Toolkit script. Last year when I did my popular vCenter 5.1 install series, the posts contained a series of scripts and CLI commands to replace the SSL certificates. While that process worked for many people, it still was not as easy as it should be.

So for vCenter 5.5 I wrote a PowerShell script that did all the SSL certificate creation ‘magic’ in one place. In the intervening weeks since the first version went up, I’ve made a number of changes based on user feedback (and code submission) and my own development effort. I want to develop it further, but that will have to wait for a number of weeks while I complete a big project I’m working on. But for those that did download the first version and haven’t seen my Tweets about updates, I wanted a dedicated post to highlight the full feature set of v1.41 (November 10th).

The script is designed to be used in conjunction with the VMware vCenter certificate automation tool, NOT to replace it. While that tool will create CSRs, I find it a bit cumbersome, and it does not help you mint the certs. Regardless of what kind of CA you have, the script will help. The degree of automation varies, as the script is targeted at an online Microsoft CA. Once you use my tool to mint all of your certificates, it's a straightforward matter of using the VMware certificate tool to replace the self-signed certificates with your freshly minted ones.

As you will see in the feature list, the script goes beyond just SSL assistance and can also aid in your SQL database and DSN creation.

The script has the following features:

  • Downloads and installs the proper version of OpenSSL (0.9.8y) if it's not already installed
  • Creates 2048 bit RSA private keys in the proper format
  • Creates a directory for each service bundle of SSL certificates
  • Generates ten OpenSSL configuration files, one for each certificate, in the appropriate directory
  • Creates certificates for AutoDeploy, Dump Collector and Syslog collector
  • Downloads both root and subordinate root public certificates
  • Submits the CSRs to the online CA and downloads the certificates
  • Creates the needed service PEM files for the vCenter certificate automation tool
  • Creates the required root/subordinate PEM files
  • Handles the special SSO 5.5 certificate requirements
  • Assumes all vCenter components are on one server
  • Automatically uses the hostname of the server you run the script on for all certificates
  • Creates a pre-filled vCenter Certificate Automation environment script – Just run!
  • Works with offline CAs
  • Creates SSO 5.5 certificate replacement files – Only used if manual replacing certs
  • Creates customized SQL vCenter and VUM database creation script
  • Creates SQL ODBC DSNs for vCenter and VUM
  • Automatically downloads and installs SQL 2008 R2 or SQL 2012 client package
  • Linux vCenter Server Appliance support for online minting and offline CSR creation
  • Support Microsoft CAs that require manual certificate approval
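The feature list above describes a pipeline: a per-service OpenSSL configuration, a 2048-bit key in the PKCS#1 format vSphere 5.x expects, a CSR, submission to a Microsoft CA (with or without manual approval), then assembling the leaf, chain and root PEM files. The following is an added example of that pipeline, my own code rather than the Toolkit script. It assumes openssl.exe and certreq.exe are on PATH, a CA reachable as CA01.yourdomain.com\YourDomain-CA, a template named VMware-SSL (your template from Part 6 may be named differently), C:\Certs as the output root, and the service names used as OU values are illustrative. It runs on the vCenter server itself, so the FQDN defaults to that host. Chain files are built from the issued certificate with .NET's X509Chain, which means the CA's root and intermediates must already be trusted by the machine you run it on, as they are on a domain-joined server with an enterprise CA.

```powershell
# Added example, not the Toolkit script. CA name, template and OU values are placeholders.
$X509 = 'System.Security.Cryptography.X509Certificates'

function Write-OpenSslConfig {
    # One openssl.cfg per service; distinct OU per service keeps each subject DN unique.
    param([string]$Fqdn, [string]$Service, [string]$Dir)
    $short = $Fqdn.Split('.')[0]
    $ip = [System.Net.Dns]::GetHostAddresses($Fqdn) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $san = "DNS:$Fqdn, DNS:$short"; if ($ip) { $san += ", IP:$ip" }
@"
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMware
organizationalUnitName = $Service
commonName = $Fqdn
"@ | Set-Content -Path (Join-Path $Dir 'openssl.cfg') -Encoding Ascii
}

function New-ServiceCsr {
    param([string]$Dir)
    Push-Location $Dir
    try {
        & openssl req -new -nodes -config openssl.cfg -keyout rui-orig.key -out rui.csr 2>&1 | Out-Null
        if ($LASTEXITCODE) { throw "openssl req failed in $Dir" }
        # vSphere 5.x wants PKCS#1 ("BEGIN RSA PRIVATE KEY"); this rewrites the key in that form.
        & openssl rsa -in rui-orig.key -out rui.key 2>&1 | Out-Null
        if ($LASTEXITCODE) { throw "openssl rsa failed in $Dir" }
        Remove-Item rui-orig.key
    } finally { Pop-Location }
}

function Submit-CsrToMsCa {
    # certreq prints "RequestId: N"; on a CA needing manual approval no .cer is written (assumed output format).
    param([string]$Dir, [string]$CaConfig, [string]$Template)
    $csr = Join-Path $Dir 'rui.csr'; $cer = Join-Path $Dir 'rui.cer'
    $out = & certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $csr $cer 2>&1 | Out-String
    $id = if ($out -match 'RequestId:\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{ RequestId = $id; Issued = (Test-Path $cer); Output = $out }
}

function Get-PendingCertificate {
    # Second pass after the CA administrator approves the request.
    param([string]$Dir, [string]$CaConfig, [int]$RequestId)
    $cer = Join-Path $Dir 'rui.cer'
    & certreq -retrieve -config $CaConfig $RequestId $cer 2>&1 | Out-Null
    Test-Path $cer
}

function ConvertTo-Pem { param($Cert)
    $b64 = [Convert]::ToBase64String($Cert.Export('Cert'))
    "-----BEGIN CERTIFICATE-----`n" + (($b64 -replace '(.{64})', "`$1`n").TrimEnd("`n")) + "`n-----END CERTIFICATE-----"
}

function ConvertTo-PemChain {
    # rui.crt = leaf only; chain.pem = leaf, intermediates, root in order; Root64.cer = root only.
    param([string]$Dir)
    $leaf = New-Object "$X509.X509Certificate2" (Join-Path $Dir 'rui.cer')
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($leaf)) { throw "Chain for $($leaf.Subject) does not validate to a trusted root here" }
    $pem = @(foreach ($el in $chain.ChainElements) { ConvertTo-Pem $el.Certificate })
    Set-Content (Join-Path $Dir 'rui.crt') $pem[0] -Encoding Ascii
    Set-Content (Join-Path $Dir 'chain.pem') $pem -Encoding Ascii
    Set-Content (Join-Path $Dir 'Root64.cer') $pem[-1] -Encoding Ascii
}

function New-VCenterCertificateSet {
    param([string]$Fqdn, [string]$CaConfig, [string]$Template, [string]$CertRoot,
          [string[]]$Services = @('vCenterSSO','InventoryService','vCenterServer','vCenterWebClient',
                                  'vCenterLogBrowser','vCenterUpdateManager','vCenterOrchestrator'))
    $pending = @()
    foreach ($svc in $Services) {
        $dir = Join-Path $CertRoot $svc
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        Write-OpenSslConfig -Fqdn $Fqdn -Service $svc -Dir $dir
        New-ServiceCsr -Dir $dir
        $r = Submit-CsrToMsCa -Dir $dir -CaConfig $CaConfig -Template $Template
        if ($r.Issued) { ConvertTo-PemChain -Dir $dir; Write-Host "$svc : issued" }
        else { $pending += [pscustomobject]@{ Service = $svc; Dir = $dir; RequestId = $r.RequestId }
               Write-Host "$svc : pending, RequestId $($r.RequestId) needs CA approval" -ForegroundColor Yellow }
    }
    $pending
}

# Usage: $p = New-VCenterCertificateSet -Fqdn ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName) `
#            -CaConfig 'CA01.yourdomain.com\YourDomain-CA' -Template 'VMware-SSL' -CertRoot 'C:\Certs'
# After approval: foreach ($x in $p) { if (Get-PendingCertificate -Dir $x.Dir -CaConfig 'CA01.yourdomain.com\YourDomain-CA' -RequestId $x.RequestId) { ConvertTo-PemChain -Dir $x.Dir } }
```

The private keys are written unencrypted (encrypt_key = no) because the VMware tool needs them that way; treat C:\Certs as you would the root password and clean it up once the certificates are installed.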

On the potential roadmap is replacing the ESXi 5.x host certificates, and a bit more robust Linux VCSA support. A screenshot of the main menu is shown below.

As always you can download the latest version from: vExpert.me/toolkit55. It's gotten over 1,500 downloads in the few weeks that it's been available, which is great. Hopefully it is helping people install vCenter 5.5 and more easily configure trusted certificates. For instructions on how to use the tool and a change log, start in Part 8 of my vCenter 5.5 install series.

vSphere 5.5 Install Pt. 17: Install VUM

So yes, after a couple of weeks of pausing on the vSphere 5.5 series I'm back with installing VUM. The VUM install pretty much follows the process we had for vCenter 5.1. In case you haven't heard, VUM is also growing feathers like the Windows VI client and will soon turn into a dodo bird. VMware hasn't announced what is replacing it, but I suspect in vSphere 6.0 the new product will make a debut.

Installing VUM

1. Login to your vCenter server with your vCenter Windows service account and launch the VMware vSphere 5.5a (or later) installer. Select vSphere Update Manager in the left pane.

2. Select your language and click OK. Click through the wizard until you get to the Support Information screen. If your vCenter server has internet access, then you can leave the box checked to download updates. If it does not have access, then uncheck the box.

3. At this point you should use the built-in vSphere administrator account (administrator@vsphere.local). I had no luck in trying to get my domain vCenter service account to work (although comments from a prior post indicated it worked for them). If the installer hangs, then kill the vciInstallutils.exe process, completely exit the installer, and re-run the installer. It seems to cache failed responses, so even if you enter the right password the second time it may still fail.

4. The DSN should already be present from when we ran my Toolkit script, so nothing to do here but select it. Note: There is a KB article here that describes a problem with the VUM service starting if you use the SQL 2012 client. Personally I haven’t run into the problem. The solution is to use the SQL 2008 R2 client (paired with a SQL 2012 back-end if you have one) to allow the service to start.

5. Click through the wizard (you may get a SQL recovery mode warning) and on the Port Settings page I would recommend selecting the vCenter FQDN versus the IP address.

6. I strongly recommend you change the download path for patches. You don’t want to fill up your C drive.

7. After VUM has finished installing, we need to change the account under which the VUM service runs. Open the Service Manager and locate the VMware vSphere Update Manager service. Change the Log On account to that of your vCenter service account. Restart the service and verify it starts successfully.

Yup, it’s pretty easy. My biggest headache was finding an account that worked in Step 3. Thankfully the built-in SSO administrator account did the trick. Next up will be replacing the VUM SSL certificate. You can check that out in Part 18.

VMware Releases vCenter 5.5a

Following last year's pattern of 'lettered' vCenter updates, VMware has released vCenter 5.5a. (Note the 'a'.) This addresses a number of issues, mostly with the SSO service. If you are using vCenter on Windows Server 2012, you will no longer have to download a patched DLL. You can find the full set of release notes here. Given these fixes, I would urge everyone to use the 5.5a media and get rid of your 5.5 GA media. I appreciate VMware releasing fixes, but it's starting to bring back memories of 5.1 where there were 'a' and 'b' bug fix releases.

If you want the web’s most comprehensive vSphere 5.5 installation guide, check out my 16+ part install and upgrade series here.

Bug fixes in vCenter 5.5a:

  • Attempts to upgrade vCenter Single Sign-On (SSO) 5.1 Update 1 to version 5.5 might fail with error code 1603
  • Attempts to log in to the vCenter Server might be unsuccessful after you upgrade from vCenter Server 5.1 to 5.5
  • Unable to change the vCenter SSO administrator password on Windows in the vSphere Web Client after you upgrade to vCenter Server 5.5 or VCSA 5.5
  • VPXD service might fail due to MS SQL database deadlock for the issues with VPXD queries that run on VPX_EVENT and VPX_EVENT_ARG tables
  • Attempts to search the inventory in vCenter Server using vSphere Web Client with proper permissions might fail to return any results
  • vCenter Server 5.5 might fail to start after a vCenter Single Sign-On Server reboot
  • Unable to log in to vCenter Server Appliance 5.5 using domain credentials in vSphere Web Client with proper permission when the authenticated user is associated with a group name containing parentheses
  • Active Directory group users unable to log in to the vCenter Inventory Service 5.5 with vCenter Single Sign-On
  • Attempts to log in to vCenter Single Sign-On and vCenter Server might fail when there are multiple users with the same common name in the OpenLDAP directory service
  • Attempts to log in to vCenter Single Sign-On and vCenter Server might fail for OpenLDAP 2.4 directory service users who have attributes with multiple values attached to their account
  • Attempts to Log in to vCenter Server might fail for an OpenLDAP user whose account is not configured with a universally unique identifier (UUID)
  • Unable to add an OpenLDAP provider as an identity source if the Base DN does not contain a "dc=" attribute
  • Active Directory authentication fails when vCenter Single Sign-On 5.5 runs on Windows Server 2012 and the AD Domain Controller is also on Windows Server 2012

vSphere 5.5 Install Pt. 16: vCenter SSL

Now that vCenter is fully installed, it's time to replace the self-signed certificates for the vCenter service and Orchestrator. Since we've already replaced the other certificates (SSO, Inventory, etc.) this process is a piece of cake. If you haven't been following this series to the letter and have all self-signed certificates, you will need to use the VMware Certificate automation tool planner and follow all 16+ steps. You can only take the 'short cut' method if all other certificates have been replaced per my guide.

Automated vCenter SSL

1. From an elevated command prompt run the VMware certificate automation tool. Select Option 5.

2. On the vCenter menu select Option 2.

3. Answer all of the questions according to your environment. The certificate paths should already be configured if you used my Toolkit script. The vCenter server database password is the password to your vCenter service account. Make sure you enter it correctly or you may be left with a smoking vCenter hole.

Automated vCenter Orchestrator SSL

1. From the main menu select Option 6, then select option 3.

Health Check

1. Login to the vSphere Web client with the administrator@vsphere.local account. In the left pane click on the vCenter object. Click on Hosts and Clusters, then on the Monitor tab click Service Health.

If everything went well, all services should be green. If your service list is empty, wait a minute or two, then click on the refresh circle/arrow in the upper right corner. If some services are in an unhealthy state, reboot your vCenter server. Wait 10 minutes after the reboot, then check back on this page. Profile Driven Storage was a little stubborn for me, but a reboot and patience worked.

Summary

Yes, we are finally here! You have a fully working vCenter Server on Windows Server 2012, plus all trusted SSL certificates. If all of your services came up healthy, then you should be good to go. But wait..we still have VUM to install, configure, and secure. Plus those pesky ESXi hosts all need SSL certificates too. Check out the VUM install in Part 17.

vSphere 5.5 Install Pt. 15: Install vCenter

The previous 14 installments have all been leading up to this, installing vCenter. Yes, we are finally here. In this post we install vCenter, the Windows vSphere client, fix profile driven storage, and configure vCenter to support a clustered SQL database. This post is not the end of the road, as we still need to secure vCenter with trusted SSL certificates and secure our ESXi servers.

Install vCenter

1. If you are continuing from the last installment, then you should be logged into your vCenter server as the vCenter service account. If not, login as the vCenter service account. This is very important!

2. Launch the vSphere 5.5 installer and select vCenter Server.

3. Go through the wizard until you get to the license key window. Enter a valid vCenter 5.x license key. Or, you can skip that screen for evaluation mode.

4. On the database option screen change the option to use an existing database. Your DSN should be listed from the pull down menu.

5. Since we are logged in with our service account and using Windows authentication, we can't change any options here.

6. You may get a warning about the recovery model for your SQL database. If you use the Full recovery model then you need to do regular transaction log backups to clear the logs. If you are in a lab or home environment you may want to change it to Simple. Consult your DBA for best practices in your production environment.

7. Enter the service account password.

8. Choose whether you want a standalone vCenter instance or linked mode. Remember Linked Mode can only interoperate with vCenters at the same release level.

9. Review the port numbers, but I would not change any of them.

10. Choose the inventory size based on your environment.

11. Enter the SSO password that you used during the SSO configuration.

12. Again, a thumbprint of the SSO certificate is shown. You should have memorized it by now and can verify it without referring back to the certificate.

13. I recommend leaving the administrator@vsphere.local default. Later on we will configure a delegate group for vCenter access.

14. Confirm the Inventory Service settings.

15. Confirm the installation directory then click Install.

16. After several minutes vCenter should successfully install.

Install vSphere Client

Although VMware is really limiting what you can do with the Windows vSphere client, it is still needed for some functionality such as VUM remediation, SRM, and connecting to ESXi hosts. So go back to the vSphere 5.5 installer and install the vSphere Client.

After you install and launch the client you will see a big warning on the login window. Clearly, the Windows VI is going to suffer a mob hit in the near future and end up in an unmarked grave. So learn the web client, and remember HW v10 VMs can only be modified via the web client.

Profile Driven Storage

If you are installing vCenter under a Windows service account, then we need to make a tweak to the Profile Driven Storage service. The installer configures it to run under Local System privileges, but that doesn't work too well.

Open the service properties and change the Log On to use your vCenter service account. Restart the service.

Database Clustering

If you are clustering your SQL database, then we need to make a manual configuration change to vCenter. I’m assuming since supporting clustering was a last minute addition, they didn’t have time to add GUI option to the installer. If you are using a standalone SQL server, skip this section.

1. Navigate to C:\ProgramData\VMware\VMware VirtualCenter and make a backup of the vpxd.cfg file.

2. Stop the VMware VirtualCenter Server service. It may take a few minutes for it to stop.

3. Open the vpxd.cfg file in Wordpad (NOT Notepad). Scroll down and find the <vpxd> tag. Insert the three lines which I have highlighted below.

4. Save the file (without any text formatting), then restart the VMware VirtualCenter Server and VMware VirtualCenter Management Webserver services.

5. Log into the vSphere Web Client and verify that you can see your vCenter server and inventory.

Summary

In this post we installed vCenter, fixed a permission bug with the profile driven storage service, and enabled SQL clustering support. What’s left to do? Secure vCenter with trusted SSL certificates, install VUM, and secure our ESXi hosts. Check out vCenter SSL in Part 16.

vSphere 5.5 Install Pt. 14: Create Databases

We are just one post away from installing the actual vCenter service! Now that the rest of the infrastructure is ready, we need to create a service account, databases and DSNs. After all of these steps are completed we can rejoice and very shortly have a working vCenter server.

Remember that database sizing is highly dependent on your environment and DBA preferences. So be sure to use a sizing tool (such as the one included in vCenter), and the VMware VUM sizing estimator tool. You want to neither badly oversize nor undersize your databases. I’m also opting to use a Windows service account for the ODBC authentication mechanism. While this is not required, I’ve done this for years and think it’s a best practice.

I’ve updated my Toolkit script to v1.2, which includes the SQL and DSN creation options. Please download the latest version from the link below.

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Create vCenter Service Account

1. In Active Directory create a vCenter service account. Make sure the password is set to not expire, and use a complex password.

2. Add the service account to the local Administrators group on the vCenter server. You need to directly add the service account into the Administrators group. Nested group membership seems to cause the installer problems.

3. Make sure the service account has Act as part of the operating system user right.

4. For the user right to take effect you must reboot your vCenter server. Please reboot now, then login as the service account before proceeding.

Create vCenter and VUM Databases

1. Make sure you are logged in as your vCenter service account before proceeding. Run v1.2 or later of my Toolkit script (See Part 8 for more details) and on the main menu select the Create vCenter and VUM SQL database file option. You can download the Toolkit script from the link in the top of this post.

2. After you select that option you will be prompted for a few database details. Enter the vCenter and VUM database names along with your vCenter service account name. Copy the file to your SQL server and open it in SQL Server Management Studio.

3. Once the script is open, change any additional parameters such as database sizes and paths. If you followed my SQL 2012 Failover Cluster series, the paths in the sample file should match your installation. Both the vCenter and VUM databases are configured in this script. Execute the script.

Create DSNs

Note: There is a bug in vSphere 5.5 which causes the VUM service to fail if the SQL 2012 ODBC connector is used. You must use the SQL 2008 R2 SP2 native client, even if the SQL server is 2012. I haven’t updated my Toolkit script to address this issue, so please select SQL 2008 during the DSN creation.

1. vCenter and VUM use an ODBC connector to communicate with the SQL server. The ODBC connector needs the native SQL client to communicate with the SQL server. My Toolkit script (see link above) will download and install the right native SQL client, if your vCenter server has internet connectivity. If it does not, just download the right client below and install it. The Toolkit will detect that it’s installed and won’t nag you to install it.

64-bit Microsoft SQL Server 2008 R2 SP2 native client
64-bit Microsoft SQL Server 2012 SP1 native client

2. Launch my Toolkit script and select the Create vCenter DSN option.

3. The script will prompt you with a series of questions so that it can create the 64-bit system DSN. Answer according to your environment. Only select the SSL option if you’ve configured your SQL server for SSL encryption. It must be enabled on the SQL side or the connector will fail.

4. Repeat the process for the VUM DSN, but select option 7 instead.

5. Open the Windows Server Manager and from the Tools menu select ODBC Data Sources (64-bit). You should see two System DSNs listed, one 64-bit and one 32-bit.

6. Click on the vCenter Server entry and then click Configure. Run through the wizard until you get to the final page. Validate the settings all look correct.

7. Click on Test Data source and verify the test is successful. If it is not, then you probably goofed up the server name, database name, permissions, or the SQL firewall is not allowing the connection. Remember if you are clustering the SQL database to configure firewall rules on BOTH nodes.

8. Close the 64-bit ODBC tool and open the 32-bit ODBC tool from the Server Manager Tools menu. Repeat the verification process on the VUM database.
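
The same verification that steps 5 through 8 do by hand, scripted as an added example that is not part of the original post or the Toolkit script. It reads the 64-bit and 32-bit System DSNs from the registry, checks that they use the SQL 2008 R2 native client, Windows authentication and (optionally) encryption, and then opens a real connection through the DSN; the DSN names are assumptions.

```powershell
# Added example, not from the original post or the Toolkit script.
# Inspects the 64-bit and 32-bit System DSNs that vCenter and VUM use and
# reports the settings the post walks through in the ODBC tool.
function Get-SystemDsnReport {
    param(
        [string[]] $DsnNames = @('vCenter Server', 'VUM')   # assumed names; adjust to yours
    )
    # 64-bit DSNs live under ODBC.INI; the 32-bit ODBC tool writes to the Wow6432Node mirror.
    $roots = @{
        '64-bit' = 'HKLM:\SOFTWARE\ODBC\ODBC.INI'
        '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI'
    }
    foreach ($bits in $roots.Keys) {
        $root = $roots[$bits]
        # "ODBC Data Sources" maps each DSN name to the driver it was created with.
        $sources = Get-ItemProperty -Path "$root\ODBC Data Sources" -ErrorAction SilentlyContinue
        foreach ($dsn in $DsnNames) {
            $driverName = $sources.$dsn
            if (-not $driverName) { continue }   # this DSN is not registered at this bitness
            $props = Get-ItemProperty -Path "$root\$dsn"
            [pscustomobject]@{
                Bitness   = $bits
                DSN       = $dsn
                Driver    = $driverName
                # vSphere 5.5 VUM fails with the SQL 2012 client (Native Client 11.0);
                # the SQL 2008 R2 client the post requires is Native Client 10.0.
                DriverOK  = ($driverName -eq 'SQL Server Native Client 10.0')
                Server    = $props.Server
                Database  = $props.Database
                WinAuth   = ($props.Trusted_Connection -eq 'Yes')   # service account, no SQL login
                Encrypted = ($props.Encrypt -eq 'Yes')              # only works if SQL has SSL enabled
            }
        }
    }
}

# Equivalent of the ODBC tool's "Test Data Source" button: open a connection through
# the DSN as the current Windows user and ask SQL which database it actually landed in.
function Test-Dsn {
    param([Parameter(Mandatory = $true)] [string] $Dsn)
    $conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$Dsn;")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT DB_NAME()'
        return $cmd.ExecuteScalar()
    } catch {
        Write-Warning "DSN '$Dsn' failed: $($_.Exception.Message)"
        return $null
    } finally {
        $conn.Close()
    }
}

Get-SystemDsnReport | Format-Table -AutoSize
Test-Dsn -Dsn 'vCenter Server'
```

Run it logged in as the vCenter service account, since the DSNs use Windows authentication. A 64-bit PowerShell only resolves the 64-bit DSN for Test-Dsn; test the 32-bit VUM DSN from the x86 PowerShell.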

Summary

Now that we have a working service account, created our databases, and configured the ODBC connector we are ready to install vCenter. So yes, that’s coming up in Part 15.

vSphere 5.5 Install Pt. 13: Install Inventory Svc

The vCenter inventory service has two primary purposes in life. First, it’s a cache of objects which the web client accesses. This cache offloads object retrieval from the vCenter core service (vpxd). This can also lessen the load on your back-end database, since the vCenter service isn’t constantly doing queries (most of which are reads). The legacy Windows VI client does not use the inventory service, which is why it can get pokey in very large environments. It also has the effect of reducing vCenter CPU utilization, allowing more client sessions.

Following VMware’s new guidance for vCenter 5.5, we are installing the inventory service on the same VM as vCenter. You should KISS your vCenter folks. In this post we will install the inventory service and secure it with a trusted SSL certificate.

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Install Inventory Service

1. Mount the vCenter ISO if it’s not still mounted from the previous installs. Start the installer and select the vCenter Inventory Service.

2. Click through the wizard until you get to the Destination Folder. Because the web client only works on the C drive, I’ve resigned myself to putting everything on the C drive. So I left this the default.

3. Validate that the FQDN of the local server is correct.

4. I’d leave all the default port numbers.

5. The JVM memory will greatly depend on your environment. Do not skimp here, as memory is critical for performance. Remember that you may also need to adjust your vCenter VM’s memory if you select medium or large. vCenter 5.5 all-in-one servers LOVE memory.

6. Enter your vCenter SSO password and validate the lookup service URL is correct.

7. Just like the web client it presents the thumbprint of your SSO SSL certificate. That’s the same value as before, so I’m not going to cover how to look it up again.

8. At this point a Ready to Install box should appear. Click Install and wait a few minutes.

Automated Inventory Service SSL

Note: I’m assuming here you are following this guide to the letter and replacing SSL certificates as we go. By doing this we can skip some steps in the VMware tool that are needed if you replace SSL certificates after a full install. If you are replacing certs at the end of a complete vCenter install, you must follow the planner steps in the VMware tool.

1. Open elevated command prompt (not PowerShell) and launch the VMware SSL replacement tool. Select Option 4 from the main menu.

2. All we need to do here is update the SSL certificate.

3. If everything goes well, it will successfully replace the certificate.

4. To validate the certificate has been updated you can go to https://YourvCenterServer:10443. You will see an ‘HTTP status 400 – Bad Request’ but that’s normal since we didn’t pass it any data. What counts is that it responds, and that the cert is trusted. If you get some other error or the certificate is wrong, then something went terribly, terribly wrong.
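
The browser check above, done from PowerShell so it can be repeated for every service port, as an added example that is not part of the original post or the Toolkit script. It completes only the TLS handshake on port 10443 (so the HTTP 400 never comes into play), then reports whether the presented certificate chains to a trusted CA and carries the FQDN you connected to; the server name is an assumption.

```powershell
# Added example, not from the original post or the Toolkit script.
# Performs the TLS handshake against the Inventory Service port and reports on the
# certificate it presents: issuer, SHA1 thumbprint, chain trust and name match.
function Get-RemoteCertificateReport {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,   # FQDN of your vCenter server (assumed)
        [int] $Port = 10443                                # Inventory Service port from the post
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept anything during the handshake; the chain is inspected explicitly below.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain against this machine's trusted roots. Revocation checking is off because
    # an internal CA's CRL is often unreachable from a lab; use 'Online' if yours publishes one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $errors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    # The name we connected to must appear in the SAN (preferred) or in the CN.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameOk = ($sanText -match [regex]::Escape($Server)) -or
              ($cert.GetNameInfo('SimpleName', $false) -ieq $Server)

    [pscustomobject]@{
        Server      = $Server
        Port        = $Port
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint        # SHA1, same value the installers display
        NotAfter    = $cert.NotAfter
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # $true means the replacement did not take
        Trusted     = $trusted
        ChainErrors = $errors
        NameMatches = $nameOk
    }
}

# Usage: run from the vCenter server or any machine that trusts your CA chain.
Get-RemoteCertificateReport -Server 'vcenter.yourdomain.com' -Port 10443 | Format-List
```

The same function works for the other vCenter service ports as you replace their certificates; a healthy result is Trusted and NameMatches both true with an empty ChainErrors.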

Summary

The inventory service is easy to install, and easy to secure with custom SSL certificates. You can also quickly check the health with a simple web browser. So this is one of the easiest services to install and configure. Next up in Part 14 is configuring your SQL databases and DSNs so we can finally get to installing vCenter.

vSphere 5.5 Install Pt. 12: Configure SSO

Now that the SSO service and web client are installed, it’s time to do a little SSO configuration. In this installment we will configure the SSO STS certificate chain, add an Active Directory identity source, and delegate SSO administrative rights to an AD group.

If you recall the vCenter 5.1 installation order, you will realize they’ve now moved up the web client install. This was done consciously so you could troubleshoot/configure the SSO service prior to vCenter being installed. Great idea VMware!

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Configure SSO STS Chain

For some reason the VMware certificate tool does not automatically import the trusted CA chain into the SSO STS store. So we need to manually do that. My Toolkit script creates the complex Java keystore file, which is quite tedious. See Part 8 for the low down on my vCenter 5.5 Toolkit script. So all we need to do here is import the Java keystore file. I’m opting to leave the default self-signed chain in place, just in case there is a dependency.

1. Login to the vSphere web client with the administrator@vsphere.local account. In the left pane click Administration.

2. Under Single Sign-On click Configuration. Then click on the Certificates tab and then STS Signing.

3. Click on the green Plus sign and navigate to the vCenterSSO certificate directory the Toolkit script created. Select the server-identity.jks file. When prompted for a password enter testpassword.

4. Depending on your CA configuration you should see two or three certificates listed. In my case I have three, since I have a root and intermediate CA. Click on the ssoserver line and then click OK. Enter testpassword again.

If the import is successful you should see two certificate chains.

5. Reboot your vCenter server so that all the services are refreshed and pickup the new certificate chain.

Add Identity Source

In vSphere 5.5 your Active Directory identity source is not automatically added. So we will need to add AD as a source so you can authenticate with domain-based accounts.

1. Login to the vSphere web client, in the left pane click on Administration. Under Single Sign-On click Configuration. Click on Identity Sources in the middle pane.

2. Click on the green plus sign. If you want rich Active Directory support then choose Active Directory (Integrated Windows Authentication). Choosing Active Directory as an LDAP Server is for 5.1 backwards compatibility and should NOT be used. You will have issues with domain trusts, etc. Should be avoided!

3. After the source is added you should see three Identity Sources.

Delegate SSO Admin Rights

1. Create a group in Active Directory that you want to delegate SSO administrator rights to. In my case the group is called APP_VCTR_SSO_Admin. You can use whatever name you wish. Put your account into that group.

2. On the Groups tab click on Administrators, then in the lower Group Members pane click on the Blue Man Group person.

3. Change the domain to your AD domain, then find your group. Highlight the group then click on Add. Then you can click on OK to add the group.

4. If you log out of Windows then log back in (to refresh your group membership), you should now be able to use the Windows credential option to access the vSphere web client. The first time you try it a warning message will likely appear. I would uncheck the Always Ask box unless you like exercising your fingers.

Summary

Configuring some basic SSO settings is not rocket science, but common to many environments. At a minimum you need to import the SSO STS certificate chain. Nearly everyone has AD, so adding the more intelligent SSO 5.5 AD identity source will be on everyone’s agenda. Shared accounts are never a good idea, so setting up a group for SSO admin delegation is a great idea.

Next up in lucky Part 13 we install the Inventory Service and secure it with trusted SSL certificates.
