Archives for November 2013

vSphere 5.5 Install Pt. 18: VUM SSL & Misc. Config.

So now that vCenter 5.5 with VUM is installed, we need to configure a trusted vCenter Update Manager SSL certificate and then do a few VUM configuration tweaks. These tweaks include configuring HP and Dell repos, plus configuring basic VUM compliance scans.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction 
vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn 

vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade Best Practices and Tips 
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting 
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter

vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

At this point I’ll assume you’ve been following this series and ran my Toolkit script to create all of your certificates.

VUM SSL Configuration

1. Run the VMware Certificate automation tool script and from the main menu select option 8. On the VUM menu select option 1.


2. After selecting option 1 from the VUM menu you will be prompted for a series of responses. The chain.pem and rui.key paths should already be set via my Toolkit script (Option 4). Enter the Administrator password you used during the SSO installation, many installments ago. Sit back and wait a couple of minutes, and you should see a success message.
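A pre-flight check on the chain.pem and rui.key pair can catch a mismatched key or a broken chain before the automation tool is run. The sketch below is an added example, not part of the Toolkit script or the VMware tool; the function names are hypothetical, and it assumes a POSIX shell with openssl on the PATH and a chain.pem that lists the service certificate first, followed by its CA certificates.

```shell
#!/bin/sh
# Added example: pre-flight checks on the chain.pem / rui.key pair.
# Assumption: chain.pem lists the service certificate first, then its CA certs.

# Modulus of the first certificate in a PEM bundle (x509 reads only the first).
cert_modulus() { openssl x509 -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'; }

# Modulus of an RSA private key.
key_modulus() { openssl rsa -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'; }

# Succeeds only if the private key belongs to the first certificate in the bundle.
key_matches_leaf() {
    c=$(cert_modulus "$1"); k=$(key_modulus "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# RSA key size in bits, derived from the modulus length (4 bits per hex digit).
rsa_key_bits() {
    m=$(key_modulus "$1")
    echo $(( ${#m} * 4 ))
}

# Succeeds only if the leaf verifies against the CA certificates that follow it.
chain_verifies() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (d "/leaf.pem") }
        n >  1 { print > (d "/ca.pem") }' "$1"
    out=""
    if [ -s "$tmp/leaf.pem" ] && [ -s "$tmp/ca.pem" ]; then
        out=$(openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" 2>&1) || true
    fi
    rm -rf "$tmp"
    # Some older OpenSSL releases exit 0 even after reporting an error, so read the output.
    case "$out" in
        *error*) return 1 ;;
        *": OK") return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: preflight chain.pem rui.key
preflight() {
    key_matches_leaf "$1" "$2" || { echo "FAIL: key does not match leaf certificate"; return 1; }
    [ "$(rsa_key_bits "$2")" -ge 2048 ] || { echo "FAIL: RSA key shorter than 2048 bits"; return 1; }
    chain_verifies "$1" || { echo "FAIL: chain does not verify"; return 1; }
    echo "OK: $1 and $2 are consistent"
}
```

A bundle with the certificates in the wrong order fails the first check, because the key is then compared against a CA certificate instead of the service certificate.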


VUM Configuration

1. Launch the VMware vSphere Windows client and connect to your vCenter server. If you haven’t already installed the VUM plug-in, go to the Plug-ins menu and you should see a plug-in under “Available Plug-ins”. Click Download and Install. Run the installer using all default values. You can see below that I’ve already installed the extension.


2. Assuming the install goes well, close the vSphere client. Reconnect to vCenter using the Windows vSphere Client. You should NOT get an SSL warning for vCenter or VUM. If you do get an SSL warning, something went wrong, or you also installed another service like Auto Deploy or a third-party plug-in that is untrusted.

3. Depending on your server hardware vendor, you may want to add the HP depot URL to VUM so you know when they release updated software. Unfortunately at this time I’m not aware of a Cisco VIB depot. Open the Admin View of VUM.


4. Once the VUM Admin page opens click on the Configuration tab. Select Download Settings. Click Add a Download Source and use the following URLs:

HP: http://vibsdepot.hp.com/index.xml

Dell: http://vmwaredepot.dell.com/index.xml


After you add the URL(s) they will appear in the list. Click on the Download Now button. Monitor the Recent Tasks pane and wait for the download to complete.


5. After a bit of time your patch repository will be fully populated.


6. Next up I would suggest attaching VUM baselines to both your hosts and VMs. In the Hosts and Cluster view go to the VUM tab then attach a baseline. I’d recommend you check the two boxes shown below.


7. Switch to the VM and Templates view and attach the three provided baselines.

8. You can now perform VUM scans and check your compliance status.

VUM hasn’t undergone any visible changes in vSphere 5.5. So if you are accustomed to using VUM in previous releases, then you won’t have anything new to learn. You could also schedule weekly compliance scans and have reports emailed to you. One could also create custom baselines that are static, so that when new patches are downloaded you aren’t instantly out of compliance. VMware has stated VUM is dying, so I suspect in the 6.0 timeframe we will see an entirely new way to handle patches.

Next up in Part 19, learn how to update your ESXi host certificate.

vCenter 5.5 SSL Certificate and SQL Toolkit Updated

Fresh off the press is an updated version of my vCenter 5.5 SSL certificate Toolkit script. Last year when I did my popular vCenter 5.1 install series, the posts contained a series of scripts and CLI commands to replace the SSL certificates. While that process worked for many people, it still was not as easy as it should be.

So for vCenter 5.5 I wrote a PowerShell script that did all the SSL certificate creation ‘magic’ in one place. In the intervening weeks since the first version went up, I’ve made a number of changes based on user feedback (and code submission) and my own development effort. I want to develop it further, but that will have to wait for a number of weeks while I complete a big project I’m working on. But for those that did download the first version and haven’t seen my Tweets about updates, I wanted a dedicated post to highlight the full feature set of v1.41 (November 10th).

The script is designed to be used in conjunction with the VMware vCenter certificate automation tool, NOT replace it. While that tool will create CSRs, I find it a bit cumbersome, and it does not help you in minting the certs. Regardless of what kind of CA you have, the script will help. The degree of automation varies, as the script is targeted for an online Microsoft CA. Once you use my tool to mint all of your certificates, then it’s a straightforward matter of using the VMware certificate tool to replace the self-signed certificates with your freshly minted ones.

As you will see in the feature list, the script goes beyond just SSL assistance and can also aid in your SQL database and DSN creation.

The script has the following features:

  • Downloads and installs the proper version of OpenSSL (0.9.8.Y) if it’s not already installed
  • Creates 2048 bit RSA private keys in the proper format
  • Creates a directory for each service bundle of SSL certificates
  • Generates ten OpenSSL configuration files, one for each certificate, in the appropriate directory
  • Creates certificates for AutoDeploy, Dump Collector and Syslog collector
  • Downloads both root and subordinate root public certificates
  • Submits the CSRs to the online CA and downloads the certificates
  • Creates the needed service PEM files for the vCenter certificate automation tool
  • Creates the required root/subordinate PEM files
  • Handles the special SSO 5.5 certificate requirements
  • Assumes all vCenter components are on one server
  • Automatically uses the hostname of the server you run the script on for all certificates
  • Creates a pre-filled vCenter Certificate Automation environment script – Just run!
  • Works with offline CAs
  • Creates SSO 5.5 certificate replacement files – Only used if manually replacing certs
  • Creates customized SQL vCenter and VUM database creation script
  • Creates SQL ODBC DSNs for vCenter and VUM
  • Automatically downloads and installs SQL 2008 R2 or SQL 2012 client package
  • Linux vCenter Server Appliance support for online minting and offline CSR creation
  • Creates certificates for Auto Deploy, Dump Collector and Syslog collector
  • Supports Microsoft CAs that require manual certificate approval

On the potential roadmap is replacing the ESXi 5.x host certificates, and a bit more robust Linux VCSA support. A screenshot of the main menu is shown below.

As always you can download the latest version from: vExpert.me/toolkit55. It’s gotten over 1,500 downloads in the few weeks that it’s been available, which is great. Hopefully it is helping people install vCenter 5.5 and more easily configure trusted certificates. For instructions on how to use the tool and a change log, start in Part 8 of my vCenter 5.5 install series.


vSphere 5.5 Install Pt. 17: Install VUM

So yes, after a couple of weeks of pausing on the vSphere 5.5 series I’m back with installing VUM. The VUM install pretty much follows the process we had for vCenter 5.1. In case you haven’t heard, VUM is also growing feathers like the Windows VI client and will soon turn into a dodo bird. VMware hasn’t announced what is replacing it, but I suspect in vSphere 6.0 the new product will make a debut.


Installing VUM

1. Log in to your vCenter server with your vCenter Windows service account and launch the VMware vSphere 5.5a (or later) installer. Select vSphere Update Manager in the left pane.

2. Select your language and click OK. Click through the wizard until you get to the Support Information screen. If your vCenter server has internet access, then you can leave the box checked to download updates. If it does not have access, then uncheck the box.


3. At this point you should use the built-in vSphere administrator account (administrator@vsphere.local). I had no luck in trying to get my domain vCenter service account to work (although comments from a prior post indicated it worked for them). If the installer hangs, then kill the vciInstallutils.exe process, completely exit the installer, and re-run the installer. It seems to cache failed responses, so even if you enter the right password the second time it may still fail.


4. The DSN should already be present from when we ran my Toolkit script, so nothing to do here but select it. Note: There is a KB article here that describes a problem with the VUM service starting if you use the SQL 2012 client. Personally I haven’t run into the problem. The solution is to use the SQL 2008 R2 client (paired with a SQL 2012 back-end if you have one) to allow the service to start.


5. Click through the wizard (you may get a SQL recovery mode warning) and on the Port Settings page I would recommend selecting the vCenter FQDN versus the IP address.


6. I strongly recommend you change the download path for patches. You don’t want to fill up your C drive.


7. After VUM has finished installing, we need to change the account under which the VUM service runs. Open the Service Manager and locate the VMware vSphere Update Manager service. Change the Log On account to that of your vCenter service account. Restart the service and verify it starts successfully.


Yup, it’s pretty easy. My biggest headache was finding an account that worked in Step 3. Thankfully the built-in SSO administrator account did the trick. Next up will be replacing the VUM SSL certificate. You can check that out in Part 18.

VMware Releases vCenter 5.5a

Following last year’s pattern of ‘lettered’ vCenter updates, VMware has released vCenter 5.5a. (Note the ‘a’.) This addresses a number of issues, mostly with the SSO service. If you are using vCenter on Windows Server 2012, you will no longer have to download a patched DLL. You can find the full set of release notes here. Given these fixes, I would urge everyone to use the 5.5a media and get rid of your 5.5 GA media. I appreciate VMware releasing fixes, but it’s starting to bring back memories of 5.1 where there were ‘a’ and ‘b’ bug fix releases.

If you want the web’s most comprehensive vSphere 5.5 installation guide, check out my 16+ part install and upgrade series here.

Bug fixes in vCenter 5.5a:

  • Attempts to upgrade vCenter Single Sign-On (SSO) 5.1 Update 1 to version 5.5 might fail with error code 1603
  • Attempts to log in to the vCenter Server might be unsuccessful after you upgrade from vCenter Server 5.1 to 5.5
  • Unable to change the vCenter SSO administrator password on Windows in the vSphere Web Client after you upgrade to vCenter Server 5.5 or VCSA 5.5
  • VPXD service might fail due to MS SQL database deadlock for the issues with VPXD queries that run on VPX_EVENT and VPX_EVENT_ARG tables
  • Attempts to search the inventory in vCenter Server using vSphere Web Client with proper permissions might fail to return any results
  • vCenter Server 5.5 might fail to start after a vCenter Single Sign-On Server reboot
  • Unable to log in to vCenter Server Appliance 5.5 using domain credentials in vSphere Web Client with proper permission when the authenticated user is associated with a group name containing parentheses
  • Active Directory group users unable to log in to the vCenter Inventory Service 5.5 with vCenter Single Sign-On
  • Attempts to log in to vCenter Single Sign-On and vCenter Server might fail when there are multiple users with the same common name in the OpenLDAP directory service
  • Attempts to log in to vCenter Single Sign-On and vCenter Server might fail for OpenLDAP 2.4 directory service users who have attributes with multiple values attached to their account
  • Attempts to Log in to vCenter Server might fail for an OpenLDAP user whose account is not configured with a universally unique identifier (UUID)
  • Unable to add an Open LDAP provider as an identity source if the Base DN does not contain an “dc=” attribute
  • Active Directory authentication fails when vCenter Single Sign-On 5.5 runs on Windows Server 2012 and the AD Domain Controller is also on Windows Server 2012