Archives for October 2013

vSphere 5.5 Install Pt. 16: vCenter SSL

Now that vCenter is fully installed, it’s time to replace the self-signed certificates for the vCenter service and Orchestrator. Since we’ve already replaced the other certificates (SSO, Inventory Service, web client) this process is a piece of cake. If you haven’t been following this series to the letter and still have all self-signed certificates, you will need to use the planner in the VMware certificate automation tool and follow all 16+ steps in the order it gives you. You can only take the ‘short cut’ method if all other certificates have already been replaced per my guide.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction 
vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn
vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade Best Practices and Tips 
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting 
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter
vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Automated vCenter SSL

1. From an elevated command prompt (the tool is a batch file, ssl-updater.bat, so don’t launch it from PowerShell) run the VMware certificate automation tool and select Option 5.


2. On the vCenter menu select Option 2.


3. Answer all of the questions according to your environment. The certificate paths should already be configured if you used my Toolkit script. Because the DSN uses Windows authentication, the “vCenter server database password” the tool asks for is the password of your vCenter service account, not a SQL login. Make sure you enter it correctly, or you may be left with a smoking vCenter hole.


Automated vCenter Orchestrator SSL

1. From the main menu select Option 6, then select option 3.


Health Check

1. Login to the vSphere Web client with the administrator@vsphere.local account. In the left pane click on the vCenter object. Click on Hosts and Clusters, then on the Monitor tab click Service Health.


If everything went well, all services should be green. If your service list is empty, wait a minute or two, then click the refresh circle/arrow in the upper right corner. If some services are in an unhealthy state, reboot your vCenter server, wait 10 minutes after the reboot, then check this page again. Profile-Driven Storage was a little stubborn for me, but a reboot and patience worked.


Summary

Yes, we are finally here! You have a fully working vCenter Server on Windows Server 2012, plus trusted SSL certificates on every service. If all of your services came up healthy, then you should be good to go. But wait, we still have VUM to install, configure, and secure. Plus those pesky ESXi hosts all need SSL certificates too. Check out the VUM install in Part 17.

vSphere 5.5 Install Pt. 15: Install vCenter

The previous 14 installments have all been leading up to this: installing vCenter. Yes, we are finally here. In this post we install vCenter and the Windows vSphere Client, fix the Profile-Driven Storage service, and configure vCenter to support a clustered SQL database. This post is not the end of the road, as we still need to secure vCenter with trusted SSL certificates and secure our ESXi servers.


Install vCenter

1. If you are continuing from the last installment, then you should be logged into your vCenter server as the vCenter service account. If not, login as the vCenter service account. This is very important!

2. Launch the vSphere 5.5 installer and select vCenter Server.

3. Go through the wizard until you get to the license key window. Enter a valid vCenter 5.x license key, or skip that screen to run in evaluation mode.


4. On the database option screen change the option to use an existing database. Your DSN should be listed from the pull down menu.


5. Since we are logged in with our service account and using Windows authentication, the credential fields on this screen are greyed out and we can’t change anything here.


6. You may get a warning about the recovery model of your SQL database. If you use the Full recovery model you need regular transaction log backups, or the log file will grow until it fills the disk. If you are in a lab or home environment you may want to change it to Simple. Consult your DBA for best practices in your production environment.

7. Enter the service account password.


8. Choose whether you want a standalone vCenter instance or linked mode. Remember Linked Mode can only interoperate with vCenters at the same release level.


9. Review the port numbers, but I would not change any of them.


10. Choose the inventory size based on your environment.


11. Enter the SSO password that you used during the SSO configuration.


12. Again, a thumbprint of the SSO certificate is shown. You should have memorized it by now and can verify it without referring back to the certificate, but check it against rui.crt anyway: this prompt is where you decide to trust the lookup service, and a value that does not match your certificate means either the SSO certificate was never replaced or the installer is not talking to the SSO server you think it is.


13. I recommend leaving the administrator@vsphere.local default. Later on we will configure a delegate group for vCenter access.


14. Confirm the Inventory Service settings.


15. Confirm the installation directory then click Install.


16. After several minutes vCenter should successfully install.

Install vSphere Client

Although VMware is really limiting what you can do with the Windows vSphere client, it is still needed for some functionality such as VUM remediation, SRM, and connecting to ESXi hosts. So go back to the vSphere 5.5 installer and install the vSphere Client.


After you install and launch the client you will see a big warning on the login window. Clearly, the Windows VI client is going to suffer a mob hit in the near future and end up in an unmarked grave. So learn the web client, and remember HW v10 VMs can only be modified via the web client.


Profile Driven Storage

If you are installing vCenter under a Windows service account, then we need to make a tweak to the Profile-Driven Storage service. The installer configures it to run under the Local System account, but that doesn’t work too well.


Open the service properties and change the Log On to use your vCenter service account. Restart the service.
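The same change done from PowerShell, as an added example that is not part of the original post or the Toolkit script. The account name is a placeholder, and the service is located by its display name so its internal service name does not have to be known:

```powershell
# Added example (not from the original post): re-home the Profile-Driven Storage service
# from Local System to the vCenter service account, restart it, and read the result back.
# Assumption: 'CORP\svc_vcenter' is a placeholder for your service account.
$account  = 'CORP\svc_vcenter'
$password = Read-Host "Password for $account"   # Win32_Service.Change() needs the plain string

# Match on display name so the internal service name does not have to be known.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName LIKE '%Profile-Driven Storage%'"
if (-not $svc) { throw 'Profile-Driven Storage service not found on this host' }
"Before: {0} runs as {1}" -f $svc.Name, $svc.StartName

# Change() arguments: DisplayName, PathName, ServiceType, ErrorControl, StartMode,
# DesktopInteract, StartName, StartPassword. $null leaves a setting untouched.
$result = $svc.Change($null, $null, $null, $null, $null, $null, $account, $password)
if ($result.ReturnValue -ne 0) {
    throw "Could not change the logon account (Win32_Service.Change returned $($result.ReturnValue))"
}

# If the restart fails with a logon failure, the account is missing the
# 'Log on as a service' right on this server.
Restart-Service -Name $svc.Name
$after = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
"After:  {0} runs as {1} ({2})" -f $after.Name, $after.StartName, $after.State
```

Read the “After” line rather than trusting the services console: if StartName still shows LocalSystem or the state is not Running, the change did not take.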

Database Clustering

If you are clustering your SQL database, then we need to make a manual configuration change to vCenter. I’m assuming that since clustering support was a last minute addition, they didn’t have time to add a GUI option to the installer. If you are using a standalone SQL server, skip this section.

1. Navigate to C:\ProgramData\VMware\VMware VirtualCenter and make a backup of the vpxd.cfg file.

2. Stop the VMware VirtualCenter Server service. It make take a few minutes for it to stop.

3. Open the vpxd.cfg file in WordPad (NOT Notepad, which does not handle the file’s Unix-style line endings). Scroll down and find the <vpxd> tag. Insert the three lines which I have highlighted below.


4. Save the file as plain text (no formatting), then restart the VMware VirtualCenter Server and VMware VirtualCenter Management Webserver services.

5. Log into the vSphere Web Client and verify that you can see your vCenter server and inventory.

Summary

In this post we installed vCenter, fixed a permission bug with the Profile-Driven Storage service, and enabled SQL clustering support. What’s left to do? Secure vCenter with trusted SSL certificates, install VUM, and secure our ESXi hosts. Check out vCenter SSL in Part 16.

vSphere 5.5 Install Pt. 14: Create Databases

We are just one post away from installing the actual vCenter service! Now that the rest of the infrastructure is ready, we need to create a service account, databases and DSNs. After all of these steps are completed we can rejoice and very shortly have a working vCenter server.

Remember that database sizing is highly dependent on your environment and DBA preferences. So be sure to use a sizing tool (such as the one included in vCenter) and the VMware VUM sizing estimator tool. You want neither to grossly oversize nor to undersize your databases. I’m also opting to use a Windows service account for the ODBC authentication mechanism. While this is not required, I’ve done this for years and think it’s a best practice: no SQL login password has to be typed into the installer or stored with the DSN, and the database permissions are tied to a single, auditable domain identity.

I’ve updated my Toolkit script to v1.2, which includes the SQL and DSN creation options. Please download the latest version from the link below.


Create vCenter Service Account

1. In Active Directory create a vCenter service account. Use a long, complex password and set it to never expire. This account is about to become a local administrator with the “Act as part of the operating system” right on the vCenter server, so treat it as a highly privileged account: don’t reuse the password anywhere else and don’t use the account for day-to-day interactive work once the install is done.

2. Add the service account to the local Administrators group on the vCenter server. You need to add the service account directly to the Administrators group; nested group membership seems to cause the installer problems.


3. Make sure the service account has the Act as part of the operating system user right (SeTcbPrivilege). If a Group Policy defines User Rights Assignment for this server, grant it there as well, since the GPO will overwrite the local setting at the next policy refresh.


4. For the user right to take effect you must reboot your vCenter server. Please reboot now, then login as the service account before proceeding.
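The four steps above as one script, added here as an example; it is not the Toolkit script and not part of the original post. The domain, account name and OU are placeholders, and it assumes you run it elevated on the vCenter server with the RSAT ActiveDirectory module available (the New-ADUser step can equally be run on a domain controller):

```powershell
# Added example (not the Toolkit script, not from the original post): create the vCenter
# service account, add it directly to the local Administrators group, and grant it
# 'Act as part of the operating system' (SeTcbPrivilege) in the local security policy.
# Assumptions (placeholders): domain CORP, account svc_vcenter, and the OU path below.
Import-Module ActiveDirectory

$domain  = 'CORP'
$svcName = 'svc_vcenter'
$svcOu   = 'OU=Service Accounts,DC=corp,DC=local'
$svcPwd  = Read-Host -AsSecureString "Password for $domain\$svcName (long and random)"

# 1. AD account: enabled, password never expires, account cannot change it.
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOu -AccountPassword $svcPwd `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'vCenter 5.5 service account (local admin + SeTcbPrivilege on vCenter)'

# 2. Direct member of the local Administrators group; the installer does not see nested groups.
& net localgroup Administrators "$domain\$svcName" /add | Out-Null

# 3. SeTcbPrivilege. secedit works on SIDs, so resolve the account first
#    (if this fails right after New-ADUser, wait for AD replication and retry).
$ntAccount = New-Object System.Security.Principal.NTAccount("$domain\$svcName")
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

$inf = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
& secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$policy = Get-Content $inf
$line   = $policy | Where-Object { $_ -match '^SeTcbPrivilege\s*=' } | Select-Object -First 1
if ($line -and $line -match [regex]::Escape($sid)) {
    'SeTcbPrivilege already granted'
} else {
    if ($line) {
        # Someone already holds the right: append our SID to the existing list.
        $policy = $policy -replace '^(SeTcbPrivilege\s*=.*)$', "`$1,*$sid"
    } else {
        # Nobody holds it yet: add the entry under [Privilege Rights].
        $policy = $policy -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeTcbPrivilege = *$sid"
    }
    # secedit expects the Unicode (UTF-16LE) encoding it exported.
    Set-Content -Path $inf -Value $policy -Encoding Unicode
    & secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}

# 4. Verify by exporting again; the new SID must appear on the SeTcbPrivilege line.
& secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege' }
Remove-Item $inf, $db -ErrorAction SilentlyContinue
```

The right only shows up in logon tokens created after it was granted, which is why the post has you reboot and then log in as the service account. SeTcbPrivilege lets a process impersonate any user on the box, so the account is effectively SYSTEM-equivalent on the vCenter server; guard its password accordingly.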

Create vCenter and VUM Databases

1. Make sure you are logged in as your vCenter service account before proceeding. Run v1.2 or later of my Toolkit script (See Part 8 for more details) and on the main menu select the Create vCenter and VUM SQL database file option. You can download the Toolkit script from the link in the top of this post.


2. After you select that option you will be prompted for a few database details. Enter the vCenter and VUM database names along with your vCenter service account name. Copy the file to your SQL server and open it in SQL Server Management Studio.


3. Once the script is open, change any additional parameters such as database sizes and paths. If you followed my SQL 2012 Failover Cluster series, the paths in the sample file should match your installation. Both the vCenter and VUM databases are configured in this script. Execute the script.


Create DSNs

Note: There is a bug in vSphere 5.5 which causes the VUM service to fail if the SQL Server 2012 Native Client is used for the DSN. You must use the SQL Server 2008 R2 SP2 Native Client, even if the SQL server is 2012. I haven’t updated my Toolkit script to address this issue, so please select SQL 2008 during the DSN creation.

1. vCenter and VUM use an ODBC connector to communicate with the SQL server. The ODBC connector needs the native SQL client to talk to the SQL server. My Toolkit script (see link above) will download and install the right native SQL client, if your vCenter server has internet connectivity. If it does not, just download the right client below and install it. The Toolkit will detect that it is installed and won’t nag you to install it.

64-bit Microsoft SQL Server 2008 R2 SP2 native client
64-bit Microsoft SQL Server 2012 SP1 native client

2. Launch my Toolkit script and select the Create vCenter DSN option.


3. The script will prompt you with a series of questions so that it can create the 64-bit System DSN. Answer according to your environment. Only select the SSL option if you’ve configured your SQL server for SSL encryption (a server certificate from your CA and encryption enabled on the instance). It must be enabled on the SQL side or the connector will fail. Without it, everything between vCenter and SQL crosses the network in clear text, so put it on your to-do list for production.


4. Repeat the process for the VUM DSN, but select option 7 instead.

5. Open Server Manager and from the Tools menu select ODBC Data Sources (64-bit). On the System DSN tab you should see two DSNs listed, one 64-bit (vCenter) and one 32-bit (VUM).


6. Click on the vCenter Server entry and then click Configure. Run through the wizard until you get to the final page. Validate the settings all look correct.


7. Click on Test Data Source and verify the test is successful. If it is not, then you probably goofed up the server name, database name, or permissions, or the Windows firewall on the SQL server is not allowing the connection. Remember, if you are clustering the SQL database, to configure firewall rules on BOTH nodes.


8. Close the 64-bit ODBC tool and Open the 32-bit ODBC tool from the Server Manager Tools menu. Repeat the verification process on the VUM database.
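The DSN creation and verification above, done from PowerShell as an added example (not the Toolkit script and not from the original post). The SQL server name and the two database names are placeholders; it assumes the 2008 R2 SP2 Native Client is installed and that you run it as the vCenter service account so that Windows authentication is what gets tested:

```powershell
# Added example (not the Toolkit script): create the vCenter (64-bit) and VUM (32-bit) System
# DSNs on the SQL Server 2008 R2 Native Client, then test them the way the ODBC control
# panel's 'Test Data Source' does. Assumptions (placeholders): SQL server and database names.
Import-Module Wdac    # Get-OdbcDriver / Add-OdbcDsn ship with Windows Server 2012

$sqlServer = 'sqlcluster.corp.local'            # cluster network name if SQL is clustered
$driver    = 'SQL Server Native Client 10.0'    # the 2008 R2 client, even for SQL 2012 (VUM bug)
$dsns = @(
    @{ Name = 'vCenter'; Database = 'VCDB';  Platform = '64-bit' },   # vCenter Server is 64-bit
    @{ Name = 'VUM';     Database = 'VUMDB'; Platform = '32-bit' }    # Update Manager is 32-bit
)

foreach ($d in $dsns) {
    if (-not (Get-OdbcDriver -Name $driver -Platform $d.Platform -ErrorAction SilentlyContinue)) {
        throw "$driver ($($d.Platform)) is not installed; install the 2008 R2 SP2 native client first"
    }
    $props = @("Server=$sqlServer", "Database=$($d.Database)", "Trusted_Connection=Yes")
    # Add 'Encrypt=Yes' only once the SQL instance has a server certificate from your CA;
    # without that the connection test fails, exactly as the post warns.
    # $props += 'Encrypt=Yes'
    Add-OdbcDsn -Name $d.Name -DriverName $driver -DsnType System -Platform $d.Platform `
        -SetPropertyValue $props
}

function Test-Dsn {
    param([Parameter(Mandatory)][string]$Name)
    # A process can only open DSNs of its own bitness: run this from 64-bit PowerShell for
    # vCenter and from C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe for VUM.
    $conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$Name;")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Shows which database the login lands in and which Windows identity SQL actually saw.
        $cmd.CommandText = 'SELECT DB_NAME(), SUSER_SNAME(), @@SERVERNAME'
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{ Dsn = $Name; Database = $reader[0]; LoginAs = $reader[1]; Server = $reader[2] }
    } finally { $conn.Dispose() }
}

Test-Dsn -Name 'vCenter'
```

LoginAs should come back as your service account and Database as the vCenter database; if Database is master, the login’s default database was not set in the SQL script and the vCenter installer will complain later.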

Summary

Now that we have a working service account, created our databases, and configured the ODBC connector we are ready to install vCenter. So yes, that’s coming up in Part 15.

vSphere 5.5 Install Pt. 13: Install Inventory Svc

The vCenter Inventory Service has two primary purposes in life. First, it is a cache of objects which the web client accesses. This cache offloads object retrieval from the vCenter core service (vpxd). It can also lessen the load on your back-end database, since the vCenter service isn’t constantly running queries (most of which are reads). The legacy Windows VI client does not use the Inventory Service, which is why it can get pokey in very large environments. It also has the effect of reducing vCenter CPU utilization, allowing more client sessions.

Following VMware’s new guidance for vCenter 5.5, we are installing the inventory service on the same VM as vCenter. You should KISS your vCenter folks. In this post we will install the inventory service and secure it with a trusted SSL certificate.


Install Inventory Service

1. Mount the vCenter ISO if it’s not still mounted from the previous installs. Start the installer and select the vCenter Inventory Service.


2. Click through the wizard until you get to the Destination Folder. Because the web client only works on the C drive, I’ve resigned myself to putting everything on the C drive. So I left this the default.


3. Validate that the FQDN of the local server is correct.


4. I’d leave all the default port numbers.


5. The JVM memory will greatly depend on your environment. Do not skimp here, as memory is critical for performance. Remember to possibly adjust your vCenter VM’s memory here if you select medium or large. vCenter 5.5 all-in-one servers LOVE memory.


6. Enter your vCenter SSO password and validate the lookup service URL is correct.


7. Just like the web client it presents the thumbprint of your SSO SSL certificate. That’s the same value as before, so I’m not going to cover how to look it up again.


8. At this point a Ready to Install box should appear. Click Install and wait a few minutes.

Automated Inventory Service SSL

Note: I’m assuming here you are following this guide to the letter and replacing SSL certificates as we go. By doing this we can skip some steps in the VMware tool that are needed if doing SSL replacement post-full installs. If you are replacing certs at the end of a complete vCenter install, you must follow the planner steps in the VMware tool.

1. Open elevated command prompt (not PowerShell) and launch the VMware SSL replacement tool. Select Option 4 from the main menu.


2. All we need to do here is update the SSL certificate.


3. If everything goes well, it will successfully replace the certificate.


4. To validate that the certificate has been updated you can go to https://YourvCenterServer:10443. You will see “HTTP Status 400 - Bad Request”, but that’s normal since we didn’t pass it any data. What counts is that it responds over TLS and that the certificate is trusted: no browser warning, and the lock icon shows your CA as the issuer. If you get some other error or the certificate is wrong, then something went terribly, terribly wrong.

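The step 4 check done from PowerShell, as an added example that is not from the original post or from VMware’s tool, extended to the other endpoints replaced so far in this series (SSO on 7444, web client on 9443, Inventory Service on 10443). The vCenter FQDN and the issuing CA name are placeholders; the ports are the vSphere 5.5 defaults used throughout this guide:

```powershell
# Added example (not from the original post or VMware's tool): fetch the certificate each
# vCenter 5.5 service presents over TLS and report whether it is trusted, who issued it,
# and how long it has left. Assumptions (placeholders): vCenter FQDN and issuing CA name.
$vcFqdn   = 'vcenter.corp.local'
$expectCa = 'CN=Corp Issuing CA'    # substring expected in the Issuer DN of every service cert

$endpoints = [ordered]@{
    'SSO / Lookup Service' = 7444
    'Web Client'           = 9443
    'Inventory Service'    = 10443
}

function Get-TlsEndpointCertificate {
    param([string]$HostName, [int]$Port)
    $state = @{ Errors = $null }
    # Record the validation verdict instead of aborting the handshake, so the reason a
    # certificate is untrusted (chain, name mismatch, not yet valid) can be reported.
    $verify = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $verify)
        $ssl.AuthenticateAsClient($HostName)   # the name check runs against $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        [pscustomobject]@{ Certificate = $cert; Errors = $state.Errors }
    } finally { $tcp.Close() }
}

$now = Get-Date
$results = foreach ($name in $endpoints.Keys) {
    $port = $endpoints[$name]
    try {
        $r = Get-TlsEndpointCertificate -HostName $vcFqdn -Port $port
        $c = $r.Certificate
        [pscustomobject]@{
            Service    = $name
            Port       = $port
            Subject    = $c.GetNameInfo('DnsName', $false)
            Issuer     = $c.GetNameInfo('SimpleName', $true)
            Trusted    = ($r.Errors -eq 'None')          # chain builds AND name matches
            FromOurCa  = ($c.Issuer -like "*$expectCa*")
            KeyBits    = $c.PublicKey.Key.KeySize
            SigAlg     = $c.SignatureAlgorithm.FriendlyName
            DaysLeft   = [int]($c.NotAfter - $now).TotalDays
            Thumbprint = $c.Thumbprint
            Problems   = "$($r.Errors)"
        }
    } catch {
        [pscustomobject]@{ Service = $name; Port = $port; Trusted = $false; Problems = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Run it from a management workstation that trusts only your CA, not from the vCenter server itself; “Trusted” is decided by the certificate store of the machine you run it on. A self-signed VMware certificate shows up as FromOurCa = False with a chain error in Problems, which is exactly the case the step above is meant to catch.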

Summary

The inventory service is easy to install, and easy to secure with custom SSL certificates. You can also quickly check the health with a simple web browser. So this is one of the easiest services to install and configure. Next up in Part 14 is configuring your SQL databases and DSNs so we can finally get to installing vCenter.

vSphere 5.5 Install Pt. 12: Configure SSO

Now that the SSO service and web client are installed, it’s time to do a little SSO configuration. In this installment we will configure the SSO STS certificate chain, add an Active Directory identity source, and delegate SSO administrative rights to an AD group.

If you recall the vCenter 5.1 installation order, you will realize they’ve now moved up the web client install. This was done consciously so you could troubleshoot/configure the SSO service prior to vCenter being installed. Great idea VMware!


Configure SSO STS Chain

For some reason the VMware certificate tool does not automatically import the trusted CA chain into the SSO STS store, so we need to do that manually. My Toolkit script creates the Java keystore file, which is quite tedious by hand. See Part 8 for the low down on my vCenter 5.5 Toolkit script. So all we need to do here is import the Java keystore file. Note that server-identity.jks holds the STS signing private key, not just the chain: whoever has it can mint SAML tokens for your SSO domain, so restrict who can read the certificate directory and don’t leave copies on shared drives after the import. I’m opting to leave the default self-signed chain in place, just in case there is a dependency.

1. Login to the vSphere web client with the administrator@vsphere.local account. In the left pane click Administration.


2. Under Single Sign-On click Configuration. Then click on the Certificates tab and then STS Signing.


3. Click on the green plus sign and navigate to the vCenterSSO certificate directory the Toolkit script created. Select the server-identity.jks file. When prompted for a password enter testpassword (the password my Toolkit script hard-codes for the keystore; it only protects the file’s contents, so guard the file itself).


4. Depending on your CA configuration you should see two or three certificates listed. In my case I have three, since I have a root and intermediate CA. Click on the ssoserver line and then click OK. Enter testpassword again.


If the import is successful you should see two certificate chains.


5. Reboot your vCenter server so that all the services are refreshed and pickup the new certificate chain.

Add Identity Source

In vSphere 5.5 your Active Directory identity source is not automatically added. So we will need to add AD as a source so you can authenticate with domain-based accounts.

1. Login to the vSphere web client, in the left pane click on Administration. Under Single Sign-On click Configuration. Click on Identity Sources in the middle pane.


2. Click on the green plus sign. If you want rich Active Directory support then choose Active Directory (Integrated Windows Authentication). Choosing Active Directory as an LDAP Server is for 5.1 backwards compatibility and should NOT be used. You will have issues with domain trusts, etc. Should be avoided!


3. After the source is added you should see three Identity Sources.


Delegate SSO Admin Rights

1. Create a group in Active Directory that you want to delegate SSO administrator rights to. In my case the group is called APP_VCTR_SSO_Admin. You can use whatever name you wish. Put your account into that group.

2. On the Groups tab click on Administrators, then in the lower Group Members pane click on the Blue Man Group person.

3. Change the domain to your AD domain, then find your group. Highlight the group then click on Add. Then you can click on OK to add the group.

4. If you log out of Windows then log back in (to refresh your group membership), you should now be able to use the Windows credential option to access the vSphere web client. The first time you try it a warning message will likely appear. I would uncheck the Always Ask box unless you like exercising your fingers.

Summary

Configuring some basic SSO settings is not rocket science, but common to many environments. At a minimum you need to import the SSO STS certificate chain. Nearly everyone has AD, so adding the more intelligent SSO 5.5 AD identity source will be on everyone’s agenda. Shared accounts are never a good idea, so setting up a group for SSO admin delegation is a great idea.

Next up in lucky Part 13 we install the Inventory Service and secure it with trusted SSL certificates.

vSphere 5.5 Install Pt. 11: Install Web Client

The web client is the new and strongly preferred mechanism to manage your vSphere environment. In fact, the Windows VI client now comes up with a big warning that it’s going the way of the dodo bird when you launch it. I suspect in vSphere 6.0 the Windows VI client as we know it will not exist. Yes, today SRM and parts of VUM still need the Windows client, so we will be installing it later on. Remember the web client is the only way to modify hardware v10 VMs.

In this post we will install the web client and replace the SSL certificates with trusted ones, by using the VMware certificate tool. Installation and SSL certificate replacement is straight forward. There is one installation gotcha that I elaborate on below. Getting IE 10 on Windows Server 2012 can be a bit frustrating to get working with the web client, so I’ll go over that as well.


Install Web Client

1. Mount your vCenter 5.5 ISO and launch the installer. On the installer screen select vSphere Web Client then click Install.

2. Accept the license agreement then we see the Destination Folder. Now you may be thinking, like I did, ok let’s install this on the D drive. Bzzzttt that would be bad. There’s a long standing issue (since 5.1) with the web client that it will only function on the C drive. So I would urge you not to change the path if you want a functional system.


3. Accept the default ports.


4. Enter the SSO password that you entered during the SSO configuration. Verify that the lookup service URL is correct.


5. The installer should now pop up with a hash value of the lookup service certificate. If you have already replaced your SSO certificate, as covered in Part 10, then we can verify the web client is using the trusted SSO certificate. Double-click the rui.crt file in your vCenterSSO certificate directory and go to the Details tab. Scroll all the way down to Thumbprint and verify the hashes match. As you can see here, they match. If they don’t, stop: either the SSO certificate was not replaced, or the installer reached a different lookup service than the one you issued rui.crt for.


6. Another window should pop up that lists some certificates. In my case three certificates were listed: Root, intermediate, and the SSO service. All were issued from my trusted CA, so I clicked Install Certificates.


7. The installer was then ready to install so I clicked Install. Wait a few minutes after the installer is done so the web services can start up.
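The thumbprint comparison from step 5 as a script, added here as an example that is not from the original post. The same check applies to the identical prompt in the Inventory Service and vCenter installers (Parts 13 and 15). The rui.crt path follows the Toolkit’s directory layout and is a placeholder, as is the string you paste from the dialog:

```powershell
# Added example (not from the original post): check the thumbprint an installer dialog shows
# against the SSO certificate on disk instead of comparing forty hex digits by eye.
# Assumptions (placeholders): the rui.crt path, and the value pasted from the installer dialog.
function Test-CertificateThumbprint {
    param(
        [Parameter(Mandatory)][string]$Path,        # PEM or DER certificate file, e.g. rui.crt
        [Parameter(Mandatory)][string]$Displayed    # thumbprint as shown: any case, any separators
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Windows dialogs show the SHA-1 thumbprint; normalise both sides to bare upper-case hex.
    $expected = ($Displayed -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $actual   = $cert.Thumbprint.ToUpperInvariant()
    [pscustomobject]@{
        File      = $Path
        Subject   = $cert.Subject
        Issuer    = $cert.Issuer
        NotAfter  = $cert.NotAfter
        OnDisk    = $actual
        Displayed = $expected
        Match     = ($expected.Length -eq 40 -and $expected -eq $actual)
    }
}

# Paste the value from the installer's certificate prompt into -Displayed.
$check = Test-CertificateThumbprint -Path 'C:\Certs\vCenterSSO\rui.crt' `
                                    -Displayed '<thumbprint shown by the installer>'
$check
if (-not $check.Match) {
    # Either the SSO certificate was never replaced, or the installer reached a different
    # lookup service than the one rui.crt was issued for. Do not click through.
    Write-Warning 'Thumbprint mismatch: cancel the installer and investigate before trusting it.'
}
```

Match is only True for a full 40-digit SHA-1 value, so a partially copied thumbprint fails rather than silently passing. Issuer and NotAfter are printed alongside so you also see at a glance that rui.crt is the CA-issued certificate and not a leftover self-signed one.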

Replace SSL Certificates

1. Launch the VMware SSL automation tool. From the main menu select option 7.


2. On the next menu first select option 4, and after that completes, select option 6. Each time you will be asked to confirm details such as the certificate path, username and password. All values should be pre-configured for you. You should see two successful messages.


Configure IE 10

Using IE on Windows Server 2012 requires a bit of reconfiguration to enable it to work with the web client. Unfortunately the web client is Flash based (terrible idea, it should use HTML5), and Microsoft built Flash Player into Windows 8/WS2012 (also a terrible idea IMHO). If you skipped over my vCenter VM provisioning section, you must have the Desktop Experience feature enabled for Flash to work. If that feature is not enabled (and subsequently fully patched via Windows Update/WSUS/SCCM), Flash will be non-functional or outdated. The web client is very picky about what version of Flash is installed.


1. If IE Enhanced Security Configuration is on, turn it off. (On a production server the less drastic option is to leave it on and add only the web client URL to the Trusted sites zone; turning it off lowers the bar for everything else that ever gets browsed from the vCenter server.)


2. Open IE and navigate to the URL for the web client: https://YourFQDN:9443/vsphere-client. The web page will likely come up blank white page. This is because IE is blocking Flash player. Add the URL to the Local Intranet zone. Refresh the web page and the login box should appear. If it does not appear, or you get a Flash Player error/icon, then you haven’t run Windows update recently on the computer. Fully patch the server before proceeding. You can’t be sneaky and download the offline Flash Player. It’s baked into Windows now, so it must be updated through Windows Update/WSUS/SCCM.


The URL should not appear red, since the SSL certificate has been replaced. You can also click on the lock icon to view the SSL certificate being used and that it is trusted.


3. In the lower left of the web page click on Download the Client Integration Plug-in. Save it and then run it. You will need to close IE for the installer to proceed. Open IE after the installer is complete and go to the vSphere client page again.

4. You should now see a login box and the Use Windows Session Credentials box is now un-ghosted. We can’t use that feature yet, but now you know the client integration pack is installed. Login with your administrator@vsphere.local password.


5. If everything goes well then you should now see the very fast vSphere Web Client open up. Congrats, you have a working vSphere web client with a trusted SSL certificate.

Summary

As you can see, installing the web client, configuring SSL, and fiddling with IE10 is not rocket science. You are now able to connect to the SSO service and poke around with some settings. That’s exactly what we will do in Part 12.

vSphere 5.5 Install Pt. 10: Replace SSO Certs

Just like replacing a hip joint, replacing vCenter SSO SSL certificates can induce some pain, is a bit complex, and the outcome can be questionable. The replacement process in SSO 5.5 is pretty much like that in 5.1, but now we have the VMware certificate automation tool and my vCenter Toolkit to make this a safer operation. Outcome is not guaranteed, and there may be side effects.

My approach to replacing SSL certificates in this series is to replace them right after each service is installed. Basically you build up a trusted infrastructure from the get-go. VMware would likely say to build it all up untrusted, then go back and replace the certs. Certainly a valid point. If the VMware automation tool were more automated, then I might agree. But by building up trusted layers there are fewer replacement steps and less chance of messing up, IMHO.

I do strongly recommend using the VMware certificate automation tool instead of manual replacement steps. But for the SSO service I’ll show you both ways, each using my vCenter Toolkit script to prepare the needed files.

Automated Certificate Replacement

1. Download the vCenter Certificate Automation Tool v5.5. You can find it under the Drivers and Tools section of the vSphere 5.5 downloads. Direct link is here. Unzip the contents on your vCenter server.

2. At the beginning of my toolkit script are two variables that set the SSO and vCenter administrator account names. You can’t change these names during the SSO install, so you shouldn’t need to change them here. But just FYI, I wanted to point out that they are defined in the toolkit script.

3. Re-run my vCenter 5.5 Toolkit script, but this time we want to create the automation batch file. The menu number may change, but in today’s version of the script it is option 4.

4. The script will run in a split second and give you the path to the batch file. The batch file sets the same variables as the stock VMware ssl-environment.bat file. I stripped out all of the comments and set the paths to where your certificate files are stored, assuming you used my script from Part 8 or 9 to mint your SSL certs.

5. Copy the ssl-environment.bat file that the toolkit created and overwrite the one in the VMware tool directory. You don’t need to run the batch file as the main updater script will execute it in the background.

6. Run the VMware ssl-updater.bat file. On the main menu select Option 3.

7. On the next menu select option 1.

8. When you select option 1 it will ask you a series of questions (in yellow below). Most of the information should be pre-populated for you. But you do need to input the administrator@vsphere.local password and answer whether you are using a load balancer or not (don’t use one, VMware does not recommend it). Cross your fingers and toes, and watch for success messages.

9. Skip down to the verification section to validate that your certificate was replaced and that the service is in a healthy state. Let’s hope for no side-effects of this delicate operation.

Manual Replacement

If for some reason you can’t use the VMware certificate tool (I recommend you DO use it, since it provides some certificate checking and is less error prone, but it could have issues that prevent you from using it), then you can follow the steps below. They are taken directly from KB 2058519, with a couple of corrections (I’ve submitted fixes, so hopefully VMware will correct them).

Thanks to my vCenter 5.5 toolkit script 90% of the tedious work in that KB article is already done for you. Whoohoo. All we need to do is issue three commands to update the lookup service, then copy over our new certs. That’s it!

1. Open an elevated command prompt (not PowerShell) and enter the following command, replacing the vCenter FQDN, paths, and password as needed.

"C:\Program Files\VMware\Infrastructure\VMware\cis\vmware-sso\ssolscli" updateService -d https://d001vctr01.contoso.net:7444/lookupservice/sdk -u administrator@vsphere.local -p YourPassword -si D:\certs\vCenterSSO\gc_id -ip d:\certs\vCenterSSO\gc.properties

2. Enter the following command:

"C:\Program Files\VMware\Infrastructure\VMware\cis\vmware-sso\ssolscli" updateService -d https://d001vctr01.contoso.net:7444/lookupservice/sdk -u administrator@vsphere.local -p YourPassword -si D:\certs\vCenterSSO\admin_id -ip d:\certs\vCenterSSO\admin.properties

3. Enter the following command:

"C:\Program Files\VMware\Infrastructure\VMware\cis\vmware-sso\ssolscli" updateService -d https://d001vctr01.contoso.net:7444/lookupservice/sdk -u administrator@vsphere.local -p YourPassword -si D:\certs\vCenterSSO\sts_id -ip d:\certs\vCenterSSO\sts.properties

4. If all goes well then your screen should look similar to the one below, with three success messages. If not, you did something wrong. Depending on what’s goofed up, SSO may be in a hosed state and require a re-install.

5. Now that the services have been updated, we need to overwrite some certificates. Navigate to the C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf directory. Back up the ssoserver.crt, ssoserver.key and ssoserver.p12 files. From the vCenterSSO directory that the toolkit script created, copy the ssoserver.crt, ssoserver.key and ssoserver.p12 files over the old versions.

6. In an elevated command prompt type:

net stop vmwarests
net start vmwarests
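Steps 5 and 6 above are where a mistake leaves SSO "hosed", so here is an added example that does them with a safety net. This is my own script, not the post’s or the toolkit’s code. It checks that every replacement file exists, confirms the private key actually belongs to the new certificate before anything is overwritten, keeps a timestamped backup of the live files, and then restarts the STS service. Assumptions: $OpenSsl is the openssl.exe the toolkit installed (path is a guess, adjust it), $NewCertDir is the vCenterSSO directory the toolkit created, and $StsConf is the conf directory from step 5.

```powershell
# Added example, not part of the original post or the toolkit script.
# Performs manual SSO replacement steps 5 and 6 with a backup and a key/cert match check.
param(
    [string]$OpenSsl    = 'C:\OpenSSL-Win64\bin\openssl.exe',                 # assumption: toolkit's OpenSSL path
    [string]$NewCertDir = 'D:\certs\vCenterSSO',                               # assumption: toolkit output directory
    [string]$StsConf    = 'C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf'  # from step 5 of the post
)

$ErrorActionPreference = 'Stop'
$files = 'ssoserver.crt', 'ssoserver.key', 'ssoserver.p12'

# 1. Make sure every replacement file exists before touching the live ones.
foreach ($f in $files) {
    if (-not (Test-Path (Join-Path $NewCertDir $f))) {
        throw "Missing $f in $NewCertDir - re-run the toolkit before replacing anything."
    }
}

# 2. Confirm the private key belongs to the certificate. ssoserver.crt is a copy of
#    chain.pem with the server certificate first, so 'openssl x509' reads the leaf.
$certMod = & $OpenSsl x509 -noout -modulus -in (Join-Path $NewCertDir 'ssoserver.crt')
$keyMod  = & $OpenSsl rsa  -noout -modulus -in (Join-Path $NewCertDir 'ssoserver.key')
if (-not $certMod -or ($certMod -ne $keyMod)) {
    throw 'ssoserver.key does not match ssoserver.crt - do not install this pair.'
}

# 3. Back up the current files with a timestamp so a rollback is a simple copy.
$backup = Join-Path $StsConf ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($f in $files) {
    Copy-Item -Path (Join-Path $StsConf $f) -Destination $backup
}

# 4. Overwrite the live files and restart STS (same effect as net stop/start vmwarests).
foreach ($f in $files) {
    Copy-Item -Path (Join-Path $NewCertDir $f) -Destination $StsConf -Force
}
Restart-Service -Name vmwarests
Get-Service -Name vmwarests | Select-Object Name, Status
Write-Host "Previous STS files saved to $backup"
```

Run it from an elevated PowerShell prompt after the three ssolscli commands have succeeded. If the modulus check fails, the wrong rui.key ended up in the vCenterSSO directory, which is exactly the mix-up Part 9 warns about.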

Verification

To verify that the SSO service is using the new certificate and didn’t suffer fatal stab wounds, open your favorite browser and go to the lookup service URL, which should be https://vCenterName:7444/lookupservice/sdk. It should open without any SSL errors, and if you look at the certificate by clicking on the lock icon, it will be issued by your CA. The XML response below is normal (yes, even the Unexpected EOF), since we didn’t give the SDK service any input data.
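The browser check above can also be scripted, which is handy when you want to re-verify after every reboot or hand the check to whoever monitors vCenter. The following is an added example of mine, not code from the post: it opens a TLS connection to port 7444, pulls the certificate the lookup service presents, and reports who issued it, whether Windows can build a trusted chain for it, and whether the name you connected to appears in the Subject Alternative Name. Assumptions: $VCenterFqdn is your vCenter FQDN and $ExpectedIssuerCn is the common name of your issuing CA (the values below are constructed from the post’s examples).

```powershell
# Added example, not part of the original post or the toolkit script.
# Verifies the certificate presented by the SSO lookup service on port 7444.
param(
    [string]$VCenterFqdn      = 'd001vctr01.contoso.net',  # assumption: your vCenter FQDN
    [string]$ExpectedIssuerCn = 'contoso-D001DC01-CA'       # assumption: your issuing CA name
)

function Test-SsoCertificate {
    param([string]$HostName, [int]$Port = 7444, [string]$IssuerCn)

    # Accept whatever the server sends during the handshake so it can be inspected;
    # the actual trust decision is made below with an explicit X509Chain build.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate check
    $trusted = $chain.Build($remote)

    $sanExt  = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Subject        = $remote.Subject
        Issuer         = $remote.Issuer
        NotAfter       = $remote.NotAfter
        SAN            = $sanText
        IssuedByOurCa  = ($remote.Issuer -match ('CN=' + [regex]::Escape($IssuerCn)))
        ChainTrusted   = $trusted
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        NameMatchesSan = ($sanText -match [regex]::Escape($HostName))
    }
}

$result = Test-SsoCertificate -HostName $VCenterFqdn -IssuerCn $ExpectedIssuerCn
$result | Format-List
if (-not ($result.IssuedByOurCa -and $result.ChainTrusted -and $result.NameMatchesSan)) {
    Write-Warning 'The lookup service is not presenting a trusted certificate from your CA. Fix this before moving on to Part 11.'
}
```

ChainStatus is empty when the chain builds cleanly; if it shows UntrustedRoot or PartialChain, the machine running the check does not trust your root or intermediate CA, which is a client-side trust problem rather than an SSO one.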

Summary

With the help of my Toolkit script and the VMware automation tool, replacing the SSO certificate is not as painful as it was in the early months of vCenter 5.1. Even if you need to replace it manually, the toolkit does a lot of the tedious work to make success more likely. Next up in Part 11 is installing the Web Client, updating the SSL certificates, and configuring IE 10.

vSphere 5.5 Install Pt. 9: Offline SSL Minting

Not everyone has an online Microsoft Certificate Authority, or maybe my toolkit script has issues in your environment. So in this installment we will go over manual SSL minting. By that I mean we will use my Toolkit script to create the CSRs, you will download the certificates yourself, then run my Toolkit script again to create all of the required files. So in reality the only manual process is getting the certificates.

Even if you don’t have an online Microsoft CA, I suggest reading through Part 8. It will familiarize you with my vCenter 5.5 Toolkit script and has the change log. If you have an online Microsoft CA and ran the script in the previous post, then you can skip this installment and go to Part 10 (coming soon).

Offline SSL Method

1. Download my vCenter 5.5 toolkit script from the link above. Open it in the PowerShell ISE (or your favorite editor). The PowerShell script requires a few variable modifications before you run it. In the first block of variables you need to set up the directory where you want all of the certificates to go. If OpenSSL is already installed, change the path so the script knows where its root directory is. If that directory does not exist, OpenSSL will be downloaded and installed for you. Next up are the certificate properties. Change those to suit your environment. If you want the server’s IP address in the SAN field, then uncomment the line and change the IP.

2. Execute the PowerShell Toolkit script. Unlike Part 8, where we selected option 1 and everything was automated, here we need to select the option behind door number 2. This will create all of the required directories, private RSA keys and CSRs for you.

2. The first screenshot shows the seven service directories which get created automatically. Inside each directory are three files. In the second screenshot, the rui.key file is your private 2048 bit RSA key, the .cfg file is the OpenSSL configuration file that was used to generate the CSR, and the .csr file is what you will submit to your CA.

3. Now you need to take each of the seven CSR files and submit them to your CA. In case you have an offline Microsoft CA, or there are strong security measures in place so that the vCenter server can’t access your CA directly, I’ll cover the manual issuing and downloading process with a Microsoft Windows Server 2012 CA. If you have a non-Microsoft CA, then just skim over the Microsoft CA section, save your certificates as rui.crt in each directory, and pick back up at step 8.

4. Go to the URL of your Microsoft CA. The default address is https://hostname/certsrv. Make sure you are accessing the CA page with credentials that can request VMware-SSL certificates. Click on Request a certificate.

5. Select the second option, Submit a certificate request by using a base-64-encoded….

6. Copy and paste the CSR information from the first service into the top pane. Make sure the VMware-SSL template is selected. If that template is NOT listed then you probably goofed up one of three things: 1) you are accessing the CA web site with your non-admin account, 2) you didn’t properly publish the VMware-SSL certificate template, or 3) you don’t have enroll permissions on the VMware-SSL template. Do not enter any additional attributes.

7. After you submit the certificate request you need to download the Base-64 encoded version WITHOUT the certificate chain. Name the file rui.crt and save it back into the same service directory that you submitted the CSR from. These certificates are NOT interchangeable, so don’t get the rui.crt files mixed up. The system will barf later on and you will lose some hair. Each certificate must match the service it was intended for.

8. After you’ve done this for all seven certificates, each service directory should now look like the following, with a rui.crt file now present.

9. Next up we need to create one or two root CA files, depending on your CA architecture. Double click on one of your .crt files and go to the Certification Path tab. In my example below we have two CAs: A root and a subordinate. The CA at the top is the root and the next one down is the subordinate. vCenter needs the public certificate from both, so that it can properly chain.

10. If you are using a Microsoft CA then go back to the Home page of the CA. But this time select the last option, Download a CA certificate…

11. Click on Download CA certificate chain if you have a Root/subordinate CA architecture. If you have just a root CA click on Download CA Certificate. If you are downloading the chain, just save it to your desktop with any ole name and skip to step 12. If you have just a root CA, then save the file as Root64.cer in the root of your certificate directory (screenshot below).

Root only CA:

12. For those that downloaded their chain (and ball), double click the certificate and locate the two certificates. Right click on your ROOT (see step 9), select All Tasks, and Export. Save the certificate as a Base-64 encoded file and name it Root64.cer. Put it in the root of your certificate directory as shown in step 11.

13. Repeat the process on the subordinate CA, but save the file as interm64.cer. You should now have a directory that looks like:

14. Re-run the Toolkit script, but now we select Option 3. This will process all of the files and create the exact same output as the online option in Part 8. Review the screen events for any errors.

A sample of the screen output is below.

Output Validation

1. Assuming no errors occur, you should now see additional files in the root of your certificate directory. A chain.cer file should now appear if you have an intermediate CA. A hash file (whose name ends in 0) for each CA certificate will also be listed. If you only have a root CA then you will have one hash file.

2. If you take a peek inside one of the folders you will see a series of files. Each service, except SSO, will have the same set of files (except the .csr and .cfg, which are uniquely named). The files are:

  • chain.pem: Used for the VMware vCenter certificate automation tool
  • rui.crt: Public half of your SSL certificate
  • rui.key: Private half of your SSL certificate
  • rui.pfx: Combined private key and certificate (PKCS#12)
  • *.cfg: OpenSSL configuration file used to generate the CSR
  • *.csr: Certificate signing request

3. In the vCenterSSO directory you will see a plethora of files. Depending on how you replace your SSL certificates, you may only use some of these files. But to help you out as much as possible, all the SSO files that are tedious to create manually are created for you. If you are missing files, then something went wrong. Please match up all filenames to validate that the toolkit script worked. Some files are copies of each other, but they are needed to avoid confusion and more easily follow the KBs.

  • *.properties: Used for manual SSO SSL replacement
  • *_id: Used for manual SSO SSL replacement
  • ca_certificates.crt: Used for manual SSO SSL replacement
  • root-trust.jks: Used for SSO/STS certificate validation
  • server-identity.jks: Same file as above with a different name (per VMware KBs)
  • ssoserver.p12: Same functionality as rui.pfx, but VMware changed the name and format for SSO 5.5
  • ssoserver.crt: Copy of chain.pem
  • ssoserver.key: Copy of rui.key

Certificate Validation

Now that your certificates are minted, let’s quickly validate that all of the properties are present. Even if your CSR requests a property, that doesn’t mean your CA will honor it. The OU in each subject name should be unique and match the directory it’s in.

The Subject Alternative Name should contain the short name and FQDN. Optionally it can contain your IP address too.

Enhanced key usage should show server and client authentication. Client authentication can be missing if the CA template is wrong.

Key usage should contain digital signature, key encipherment and data encipherment.

Summary

After a bit more work than the automated method, you now have all of the required certificate files to either use the vCenter certificate automation tool, or try the complex manual replacement method. Next up in Part 10 we update the SSO service SSL certificates.

vSphere 5.5 Install Pt. 8: Online SSL Minting

In the last installment of the vSphere 5.5 series we installed the SSO service. Now that the Java JRE is installed (via the SSO installer), we have the tools ready to create our vCenter SSL certificates via an online Microsoft CA. If you don’t have an online Microsoft CA that can issue your VMware SSL certificates, skip this section and go to Part 9 (coming soon), where we go through the manual process.

I’m recommending you create the SSL certificates now, so that you have a variety of methods at your disposal to use these certificates. VMware’s stance is that you fully install vCenter 5.5 with self-signed certificates then use their free certificate automation tool to replace all of the certificates as the last step. That is certainly a good route to go, and I would not dissuade you from that method. Or, you could also replace certificates as you install components so each layer is trusted as you go. Either way, I recommend the VMware certificate tool even if it is a bit primitive. It is flexible enough to let you incrementally replace certificates.

In order to make life easier for installers I’ve written a “toolkit” PowerShell script to help with the SSL process. More details are below, but I would like to give credit to Chrissy LeMaire for some of the (modified) building blocks of this script. She wrote a vCenter 5.1 PowerShell SSL replacement script that was more automated than VMware’s batch script. My script does not replace VMware’s automation tool, but helps you prepare the files it needs.

Download Toolkit Here

Derek’s Toolkit Script

The PowerShell script performs several tasks and is menu driven. It’s an all in one script, meaning it handles online/offline CAs, and will also do other install tasks like create your ODBC connectors. That functionality is not yet in there, but will be added in the coming weeks. The full feature list will change and so will the menus. But I’ll try and keep this updated as often as I can.

The CSRs are in strict accordance with VMware KB articles regarding certificate requirements, including an optional IP address in the SAN field. I want to strictly color within the KB article lines, so if you do use this script and then have to call up VMware support they won’t roll their eyes and have you re-do your certs because some blogger got it wrong.

The script has the following features:

  • Downloads and installs the proper version of OpenSSL if it’s not already installed
  • Creates 2048 bit RSA private keys in the proper format
  • Creates a directory for each service bundle of SSL certificates
  • Generates seven OpenSSL configuration files, one for each certificate, in the appropriate directory
  • Downloads both root and subordinate root public certificates
  • Submits the CSRs to the online CA and downloads the certificates
  • Creates the needed service PEM files for the vCenter certificate automation tool
  • Creates the required root/subordinate PEM files
  • Handles the special SSO 5.5 certificate requirements
  • Does NOT require PowerCLI
  • Assumes all vCenter components are on one server
  • Automatically uses the hostname of the server you run the script on for all certificates
  • Creates a pre-filled vCenter Certificate Automation environment script – Just run!
  • Works with offline CAs
  • Creates SSO 5.5 certificate replacement files – Only used if manual replacing certs
  • Creates customized SQL vCenter and VUM database creation script
  • Creates SQL ODBC DSNs for vCenter and VUM
  • Automatically downloads and installs SQL 2008 R2 or SQL 2012 client package
  • Linux vCenter Server Appliance support for online minting and offline CSR creation
  • Creates certificates for Auto Deploy, Dump Collector, Syslog collector, Authentication Proxy
  • Supports Microsoft CAs that require manual certificate approval
  • Requires PowerShell 3.0 or higher

Download Toolkit Here

Toolkit Change Log

v1.56, January 19, 2014

  • Fixed bug when no subordinate CA was present
  • Changed Microsoft “renewal” default to 0 for root/sub CA

v1.55, January 12, 2014

  • Added additional CA/subordinate error checking

v1.50, December 22, 2013 Changes:

  • Added support for ESXi hosts

v1.42, December 3, 2013 Changes:

  • Modified how the certificate hash files are created
  • Added Authentication Proxy certificate creation
  • Changed MS CA download parameter Renewal from 0 to 1

v1.41, Nov 14, 2013 Changes:

  • Changed the root/intermediate CA download order and added more error checking

v1.4, Nov 10, 2013 Changes:

  • Added Auto Deploy, Dump Collector and Syslog Collector SSL certificates
  • Added support for manually approved CA certificates (Windows & Linux)
  • Added SHA512 request in CSR
  • Added request for vCenter FQDN in Option 3

Special thanks to Ryan Bolger from Trace3 for the CA manual approval code.

 

Online SSL Minting

1. Download my vCenter 5.5 toolkit script from the links above. Open it in the PowerShell ISE (or your favorite editor). The PowerShell script requires a few variable modifications before you run it. In the first block of variables you need to set up the directory where you want all of the certificates to go. If OpenSSL is already installed, change the path so the script knows where its root directory is. If that directory does not exist, OpenSSL will be downloaded and installed for you. Next up are the certificate properties. Change those to suit your environment. If you want the server’s IP address in the SAN field, then uncomment the line and change the IP.

2. The script is semi-intelligent about using only a root, or one subordinate and root. Simply comment out $SubCA with a # if you only have an online Microsoft root CA. If you have two or more subordinates, then you will need to follow VMware SSL KBs or modify my script. Sorry!

If for some reason the script can’t download your CA certs automatically, try changing the download protocol. The default is HTTPS. If that still fails, you can manually place the Base-64 encoded root (and intermediate) certificates into your $Cert_Dir path. The root should be called Root64.cer and the intermediate called interm64.cer.

3. The next section contains the details for your issuing CA and the template. The issuing CA is your online CA that will actually mint your certificates. If you only have one CA, then clearly that is what you should use. The $ISSUING_CA field can be a little tricky. The first part is the short name (or FQDN) of your CA (e.g. d001dc01). Next up is your CA name. This can be anything, so you must open the Certification Authority MMC on your CA to find out what it’s called. As you can see from my screenshot below, my CA name is contoso-D001DC01-CA.

Now if you don’t have MMC access on the CA to look up the actual CA name, then you can find it another way. Open a browser and go to https://yourCAserver.domain.com/certsrv and select Download a CA certificate, certificate chain, or CRL. Select Download CA Certificate Chain. Open the files, then open the certificate(s) in the file. Now depending on how your CAs are setup, it may take a little thought to correlate the “Issued to” and “Issued by” to your root/subordinate CA. In my case contoso-D001DC02-CA is my root CA, and contoso-D001DC01-CA is my subordinate. I want my VMware certs issued from the subordinate, so just like the MMC screenshot above, the CA name that corresponds to D001DC01 is contoso-D001DC01-CA.

4. Next up is the template name. This can also be any value, but if you followed my guide then it will be called VMware-SSL. This is the Template Name not the Template display name.

5. Your account must have the required CA permissions to enroll for the VMware-SSL template. If it does not, then find a CA administrator, have them log on to the vCenter server and run the script. If your online Microsoft CA is configured for manual certificate approval, you can still use Option #1.

6. Since you have properly configured the script variables and have one or more online Microsoft CAs, you should select option 1. New in v1.3 and later, it will ask you to confirm your vCenter FQDN. If the FQDN is correct, just press ENTER. If it is wrong, just enter the right FQDN.

After confirming/entering your FQDN the process is automated. If you do get errors, then you either goofed up the variables, have insufficient permissions, or my script is broken and needs fixing. If it’s broken, now is an excellent time to learn PowerShell. The script is provided as-is, and bugs/issues may or may not be fixed.

Below is a screenshot with a sample of the script output as it runs using an online CA with automatic approval. A lot more has scrolled off the screen, but you get the idea. There is limited error checking, but subtle issues could fly by on the screen. Review the output for any issues.

7. If your CA is configured for manual approval you will get a list of the request IDs for all 10 certificates. Have your CA administrator approve the requests, then run Option #3 to complete the process. You will only see the Request IDs when manual request approval is required. When you run Option #3 the output should look like the previous screenshot.

Output Validation

1. When the script completes you should have eleven directories, and either one or three certificate (.cer) files in the root of your working directory. If you have a subordinate CA then you will have three files. If you have a single CA you will only have a Root64.cer file. The two files with funny names are hash files of the root and intermediate CAs. If you only have a root CA you will see a single hash file.

2. If you take a peek inside one of the folders you will see a series of files. Each service, except SSO, will have the same set of files (except the .csr and .cfg, which are uniquely named). The files are:

  • chain.pem: Used for the VMware vCenter certificate automation tool
  • rui.crt: Public half of your SSL certificate
  • rui.key: Private half of your SSL certificate
  • rui.pfx: Combined private key and certificate (PKCS#12)
  • *.cfg: OpenSSL configuration file used to generate the CSR
  • *.csr: Certificate signing request

3. In the vCenterSSO directory you will see a plethora of files. Depending on how you replace your SSL certificates, you may only use some of these files. But to help you out as much as possible, all the SSO files that are tedious to create manually are created for you. If you are missing files, then something went wrong. Please match up all filenames to validate that the toolkit script worked. Some files are copies of each other, but they are needed to avoid confusion and more easily follow the KBs.

  • *.properties: Used for manual SSO SSL replacement
  • *_id: Used for manual SSO SSL replacement
  • ca_certificates.crt: Used for manual SSO SSL replacement
  • root-trust.jks: Used for SSO/STS certificate validation
  • server-identity.jks: Same file as above with a different name (per VMware KBs)
  • ssoserver.p12: Same functionality as rui.pfx, but VMware changed the name and format for SSO 5.5
  • ssoserver.crt: Copy of chain.pem
  • ssoserver.key: Copy of rui.key

Certificate Validation

Now that your certificates are minted, let’s quickly validate that all of the properties are present. Some users have reported corrupted/incorrect root and subordinate certificates, so please do NOT skip this section. Also, even if your CSR requests a property (such as client authentication), that doesn’t mean your CA will honor it. The OU in each subject name should be unique and match the directory it’s in.

The Subject Alternative Name should contain the short name and FQDN. Optionally it can contain your IP address too.

Enhanced key usage should show server and client authentication. Client authentication can be missing if the CA template is wrong.

Key usage should contain digital signature, key encipherment and data encipherment.

We also need to validate that the root and intermediate certificates are in the right format. Some users have reported corrupted root or intermediate certificates. In Notepad open both your root64.cer and interm64.cer files. They should both start with -----BEGIN CERTIFICATE-----. If they contain HTML or any non-printable characters, then they are corrupted or in the wrong format. STOP, as they will most certainly NOT work.
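Clicking through seven (or more) certificates in the Windows viewer is tedious and easy to skim, so here is an added example that performs every check in this Certificate Validation section, and the identical one in Part 9, in one pass. It is my own script, not the post’s or the toolkit’s code. For each service directory it loads rui.crt and reports whether the OU matches the directory name, whether the SAN carries the short name and FQDN, whether Enhanced Key Usage has both server and client authentication, and whether Key Usage has digital signature, key encipherment and data encipherment; it then warns on duplicate OUs and checks that Root64.cer and interm64.cer are PEM rather than HTML. Assumptions: $CertDir is the toolkit’s $Cert_Dir, and $ShortName/$Fqdn are your vCenter names (the defaults are constructed from the post’s examples).

```powershell
# Added example, not part of the original post or the toolkit script.
# Validates the properties of the minted certificates and the CA files the toolkit expects.
param(
    [string]$CertDir   = 'D:\certs',                 # assumption: the toolkit's $Cert_Dir
    [string]$ShortName = 'd001vctr01',               # assumption: vCenter short host name
    [string]$Fqdn      = 'd001vctr01.contoso.net'    # assumption: vCenter FQDN
)

$ServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-VmwareServiceCert {
    param([string]$CrtPath, [string]$ShortName, [string]$Fqdn)

    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CrtPath)
    $dirName = Split-Path (Split-Path $CrtPath -Parent) -Leaf

    # OU is read from the subject string; it must equal the service directory name.
    $ou = if ($cert.Subject -match 'OU=([^,]+)') { $Matches[1].Trim() } else { '' }

    # SAN (OID 2.5.29.17) formatted by Windows as "DNS Name=host, DNS Name=fqdn, ...".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

    $eku     = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $ku      = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $kuFlags = if ($ku) { $ku.KeyUsages } else { 0 }
    $need    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment, DataEncipherment'

    [pscustomobject]@{
        Directory    = $dirName
        OU           = $ou
        OuMatchesDir = ($ou -eq $dirName)
        SanHasShort  = ($san -match ('(^|[^\w.-])' + [regex]::Escape($ShortName) + '($|[^\w.-])'))
        SanHasFqdn   = ($san -match [regex]::Escape($Fqdn))
        ServerAuth   = ($ekuOids -contains $ServerAuth)
        ClientAuth   = ($ekuOids -contains $ClientAuth)
        KeyUsageOk   = (($kuFlags -band $need) -eq $need)
        Expires      = $cert.NotAfter
    }
}

function Test-CaFileFormat {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }   # interm64.cer is absent with a root-only CA
    $text = [System.IO.File]::ReadAllText($Path)
    [pscustomobject]@{
        File         = Split-Path $Path -Leaf
        StartsPem    = $text.TrimStart().StartsWith('-----BEGIN CERTIFICATE-----')
        ContainsHtml = ($text -match '<\s*html|<\s*!doctype')
        NonPrintable = ($text -match '[^\x20-\x7E\r\n\t]')
    }
}

# One row per service directory that holds a rui.crt.
$results = Get-ChildItem -Path $CertDir -Directory | ForEach-Object {
    $crt = Join-Path $_.FullName 'rui.crt'
    if (Test-Path $crt) { Test-VmwareServiceCert -CrtPath $crt -ShortName $ShortName -Fqdn $Fqdn }
}
$results | Format-Table -AutoSize

# Each service needs its own OU; a duplicate usually means a rui.crt landed in the wrong folder.
$dupes = $results | Group-Object -Property OU | Where-Object { $_.Count -gt 1 }
if ($dupes) { Write-Warning ('Duplicate OU values: ' + (($dupes | ForEach-Object { $_.Name }) -join ', ')) }

# The CA files must be Base-64 PEM, not the HTML page the CA web site sometimes hands back.
'Root64.cer', 'interm64.cer' | ForEach-Object { Test-CaFileFormat -Path (Join-Path $CertDir $_) } | Format-Table -AutoSize
```

Any False in the service table, or a True under ContainsHtml/NonPrintable, is the same STOP condition the text describes: fix the template or re-download the CA files before feeding anything to the automation tool.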

If your root or subordinate CA certs contain HTML, and you are using the script to automatically download them from a Microsoft CA, I have a suggestion that may work. Locate the code snippet below and change Renewal=1 to Renewal=0. That tweaks how the script downloads the certificate from the Microsoft CA. In addition, if the script downloads an old subordinate certificate, change renewal=0 to renewal=1 in the DownloadSub function.

Summary

Assuming you have an online Microsoft CA and you were successful in running the script, you now have all of the files needed to use the VMware certificate automation tool, or go through the manual certificate replacement process. In Part 9 I cover how to use an offline or non-Microsoft CA. At the end of that article you will have exactly the same files as you do from this installment. Starting in Part 10 we will resume our configuration and installation of vCenter components.

vSphere 5.5 Install Pt. 7: Install SSO

Yes, seven parts into this series we can finally mount our handy dandy vCenter 5.5 ISO and start installing software. Hopefully I haven’t lost anyone along the way with all of the background and SSL information. But with the complexities in vCenter 5.5 and all the moving parts, I think it’s important to know what’s going on in case you run into issues. I want this series to be more than just screenshots and scripts blindly leading you through an install.

Provision vCenter VM

Before we install SSO, we need to provision the vCenter VM. Per VMware recommendations (KB2052334), the VM needs at least 12GB of RAM for a “simple” all-in-one installation. Don’t skimp on memory, as performance will likely take a beating depending on the number of hosts and VMs you are managing.

  • At least 2 vCPUs
  • At least 12GB of RAM
  • At least 70GB D drive (more with VUM)
  • Use VMXNET3 NIC
  • Use hardware version 9 or earlier
  • Recommend Windows Server 2012
  • Enable hot add of memory/CPU
  • Fully patched
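Added example, not code from the original post: the sizing list above built with PowerCLI 5.5 (the snap-in form current at the time). The host, datastore, port group, VM name, C: drive size and ISO path are assumptions for your environment; the D: drive, VMXNET3 adapter, hardware version 9 and hot add settings follow the list.

```powershell
# Added example, not from the original post: PowerCLI 5.5 build of the vCenter VM
# to the sizing list above. Host, datastore, port group, VM name, C: size and ISO
# path are assumptions; change them for your environment.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
Connect-VIServer -Server 'esxi01.lab.local' | Out-Null      # prompts for credentials

$vmName    = 'vcenter01'
$vmHost    = Get-VMHost    -Name 'esxi01.lab.local'
$datastore = Get-Datastore -Name 'Datastore1'

# Hardware version 9, Windows Server 2012 guest, 2 vCPU, 12 GB RAM.
# New-VM creates one disk (the C: drive); the D: data drive is added below.
$vm = New-VM -Name $vmName -VMHost $vmHost -Datastore $datastore `
             -NumCpu 2 -MemoryGB 12 -DiskGB 60 -DiskStorageFormat Thin `
             -NetworkName 'VM Network' -GuestId 'windows8Server64Guest' -Version 'v9'

# 70 GB D: drive for the vCenter binaries and logs (size it larger if VUM goes here too).
New-HardDisk -VM $vm -CapacityGB 70 -StorageFormat Thin | Out-Null

# Swap the default adapter for VMXNET3.
Get-NetworkAdapter -VM $vm | Set-NetworkAdapter -Type Vmxnet3 -Confirm:$false | Out-Null

# CPU and memory hot add are not New-VM parameters; set them through the vSphere API
# while the VM is still powered off.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.CpuHotAddEnabled    = $true
$spec.MemoryHotAddEnabled = $true
$vm.ExtensionData.ReconfigVM($spec)

# Attach the Windows Server 2012 ISO; install the OS, then fully patch it before SSO.
New-CDDrive -VM $vm -IsoPath '[Datastore1] ISO/WindowsServer2012.iso' -StartConnected | Out-Null

# Review the result.
Get-VM -Name $vmName | Select-Object Name, NumCpu, MemoryGB, Version,
    @{ n = 'DisksGB'; e = { ($_ | Get-HardDisk | ForEach-Object { $_.CapacityGB }) -join ', ' } }
```

The hot add flags must be set before the guest OS is installed and while the VM is powered off, which is why they come straight after New-VM rather than later.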

If you want to use the web client on the vCenter server with IE, then you must install the Desktop Experience feature. Why? That’s the only way to get Flash player in IE with Windows Server 2012. VMware really needs to dump the Flash interface and go HTML5. If you use a third party browser, make sure you get the very latest Flash player.

After you install the Desktop Experience make sure you patch it. Why? The stock Flash player version is not compatible with the web client and needs to be updated via Windows Update/WSUS/SCCM to the latest version.

If you will be using IE on the vCenter server you also need to turn off the IE enhanced security mode.
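Added example, not code from the original post: the three preparation steps above scripted in PowerShell on Windows Server 2012. It installs the Desktop Experience feature, reports the Flash ActiveX version so you can confirm the Windows Update/WSUS patch actually landed, and turns off IE Enhanced Security Configuration for administrators. The feature name and the two Active Setup registry GUIDs are standard Windows values, not something from this post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
Import-Module ServerManager

# 1. Desktop Experience is what brings the built-in Flash player for IE 10 on Server 2012.
$feature = Get-WindowsFeature -Name Desktop-Experience
if (-not $feature.Installed) {
    Install-WindowsFeature -Name Desktop-Experience -IncludeAllSubFeature   # reboot afterwards
}

# 2. Report the Flash ActiveX control version so you can compare it with the version
#    your patching system delivered; the stock build does not work with the web client.
$flashDir = Join-Path $env:SystemRoot 'System32\Macromed\Flash'
Get-ChildItem -Path $flashDir -Filter '*.ocx' -ErrorAction SilentlyContinue |
    Select-Object Name, @{ n = 'Version'; e = { $_.VersionInfo.ProductVersion } }

# 3. IE Enhanced Security Configuration lives under Active Setup; IsInstalled = 0 turns it off.
#    ...A7 is the Administrators setting, ...A8 the Users setting.
$ieEscAdmin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$ieEscUser  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
Set-ItemProperty -Path $ieEscAdmin -Name IsInstalled -Value 0 -Type DWord
# Uncomment only if standard users also need the web client on this server:
# Set-ItemProperty -Path $ieEscUser -Name IsInstalled -Value 0 -Type DWord

# Show the current ESC state for both groups (0 = off, 1 = on).
'Admin', 'User' | ForEach-Object {
    $p = if ($_ -eq 'Admin') { $ieEscAdmin } else { $ieEscUser }
    [pscustomobject]@{ Group = $_; IeEscInstalled = (Get-ItemProperty -Path $p).IsInstalled }
}
```

Log off and back on for the ESC change to take effect in IE. Changing only the Administrators key keeps the browser restriction in place for everyone else on the server, and setting IsInstalled back to 1 restores it when you are done with the web client on that box.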

Basic SSO Install

The installation process in SSO 5.5 is vastly different from vCenter 5.1. As previously mentioned, the SQL database requirement, which caused untold grief, is gone. Instead of spending days trying to get the SQL JDBC connector working with SSL (which ultimately never did work), you can now click through the install wizard in about 60 seconds. No fuss, no pain, no hair loss. Pure bliss.

1. Log in to your vCenter VM and mount the vSphere 5.5a (note the ‘a’, or use the latest available) ISO. Your user account must NOT have an exclamation point in it. If it does, the installer may fail. Use a different account. Even though we are doing a “Simple Install” in concept, I want to go through the Custom Install. Why? That way we can modify the installation paths (which you can’t do with the simple install), and also more clearly walk through each component. Click on vCenter Single Sign-On, then Install.

2. On the Welcome screen click Next.

3. Thoroughly read the entire EULA. (Pausing for 3 hours..)

4. Review the Prerequisites screen and click Next. Enterprise grade DNS is key, and you must have both forward and reverse records working for your vCenter server. Time is also important, so ensure your vCenter VM is correctly synchronizing with your DCs.

5. Now you need to choose your SSO deployment mode. In our case we will leave the default option, your very first vCenter server.

6. Next up we have to enter a password. Now this is tricky, because a number of special characters are illegal and will cause you grief. I do not know the maximum length. Specifically, do NOT use:

Non-ASCII characters
Ampersand ( & )
Semicolon ( ; )
Double quotation mark ( " )
Single quotation mark ( ' )
Circumflex ( ^ )
Backslash ( \ )
Percent ( % )
Less than ( < )
Exclamation ( ! )
Space ( )
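Added example, not code from the original post: a PowerShell pre-flight for the prerequisites in step 4 and the password rules in step 6. It confirms that the vCenter FQDN resolves forward and that the returned address resolves back to the same name, measures the clock offset against a domain controller with w32tm, and rejects an SSO password that contains any character from the list above. The vcenter01.lab.local and dc01.lab.local names are assumptions.

```powershell
# Added example, not part of the original post. Host names are assumptions.

function Test-VCenterDns {
    # Forward lookup of the FQDN, then reverse lookup of the first IPv4 address it returned.
    param([Parameter(Mandatory=$true)][string]$Fqdn)
    $addrs = @([System.Net.Dns]::GetHostAddresses($Fqdn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    if ($addrs.Count -eq 0) { return "FAIL: no A record for $Fqdn" }
    $ptr = $null
    try { $ptr = [System.Net.Dns]::GetHostEntry($addrs[0]).HostName } catch { }
    if ($ptr -eq $Fqdn) { return "PASS: $Fqdn -> $($addrs[0]) -> $ptr" }
    "FAIL: reverse lookup of $($addrs[0]) returned '$ptr', expected $Fqdn"
}

function Test-TimeSync {
    # w32tm /stripchart /dataonly prints one line per sample, e.g. "19:22:54, +00.0004183s"
    param([Parameter(Mandatory=$true)][string]$Dc, [int]$MaxSkewSeconds = 30)
    $out = & w32tm /stripchart /computer:$Dc /samples:1 /dataonly 2>&1
    $m = $out | Select-String -Pattern '^\d\d:\d\d:\d\d, ([+-]?\d+\.\d+)s' | Select-Object -First 1
    if (-not $m) { return "FAIL: no time sample from $Dc (output: $($out -join ' '))" }
    $skew = [double]$m.Matches[0].Groups[1].Value
    if ([math]::Abs($skew) -le $MaxSkewSeconds) { return "PASS: offset from $Dc is ${skew}s" }
    "FAIL: offset from $Dc is ${skew}s, over the ${MaxSkewSeconds}s limit"
}

function Test-SsoPassword {
    # Rejects the characters the SSO 5.5 installer chokes on (the list in step 6).
    param([Parameter(Mandatory=$true)][string]$Password)
    $problems = @()
    if ($Password -match '[^\x20-\x7E]') { $problems += 'non-ASCII character' }
    # & ; " ' ^ \ % < ! and space
    $hits = [regex]::Matches($Password, '[&;"''^\\%<! ]') | ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($hits) { $problems += 'illegal character(s): ' + (($hits | ForEach-Object { "'$_'" }) -join ' ') }
    if ($problems.Count -gt 0) { return 'FAIL: ' + ($problems -join '; ') }
    'PASS: no illegal characters'
}

# Usage (assumed names)
Test-VCenterDns  -Fqdn 'vcenter01.lab.local'
Test-TimeSync    -Dc   'dc01.lab.local'
Test-SsoPassword -Password (Read-Host 'Proposed SSO administrator password')
```

Run the DNS and time checks on the vCenter VM itself, since that is the resolver and clock the installer will use; a reverse lookup that returns a different name than the forward one is exactly the kind of record mismatch the prerequisites screen is warning about.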

7. Now you need to enter a site name. I would change the default value, and make it meaningful. Also, do NOT enter the FQDN or short hostname of your server here. That could cause problems. Site names will become more important in the future, so again, give this a minute or two of thought.

8. I would not customize the port number unless you REALLY know what you are doing and want to cause yourself some possible future headaches. Just keep the default, guys.

9. I’m a firm believer of installing most software on a drive other than C. Why? Application logs can fill up a drive, and there could be some security implications as well. My standard is “D” for all major enterprise apps like vCenter. However, per KB 2044953, the web client (not SSO) will not work if installed on any drive but C. So if you want to keep all your vCenter binaries together, you are stuck with the C drive.

10. On the final screen review all of the settings and verify they are 100% correct. Click Install and wait a few minutes.

11. You should get a Completed message, and now you can smile.

SSO Patch Time

With the 5.5 GA version there is a known problem using Windows Server 2012 and Windows Server 2012 domain controllers. VMware has released a patched DLL to resolve the issue. Better yet, use the vCenter 5.5a (note the ‘a’) ISO, which has the fix built in.

If you are using a non-update (i.e. Sept 2013 GA) version of vSphere 5.5, then go to KB2060901 and follow the instructions to replace the indicated DLL. It’s cake to do, so I won’t show you how. Again, please install all components from the 5.5a media or later so you can skip this manual step.

Summary

The SSO installation in vSphere 5.5 is vastly easier than it was in 5.1. Just a few clicks and your SSO server is running. No more SQL, JDBC connections, or databases to create. Major improvement! Next up is minting your SSL certificates from an online Microsoft CA in Part 8.