VMworld 2015: vCSA Best Practices

INF4528, William Lam, VMware

  • VCSA is on parity with Windows server in terms of scale and performance
  • VUM still requires a Windows server (future version will not)
  • FULL VUM capabilities in vSphere web client in 6.0 U1
  • Deployment types: Embedded (PSC and VC), or PSC as external
  • Multiple vCenters can point to one or more PSCs
  • PSCs can sit behind a load balancer for HA
  • The focus going forward for the vCenter is the VCSA platform
  • 6.0 U1 will allow you to repoint an embedded vCenter to an external PSC
  • VCSA installation is guided by a GUI or can be fully scripted.
  • vSphere 6.0 U1 will support both vCenter server and ESXi (greenfield) as deployment targets.
  • Ensure DNS is reachable from both the client desktop and the VCSA.
  • Ensure NTP/time is properly configured and in sync
  • “U” releases are now in-place upgrades.
  • Ensure SSL certificates match both hostname and IP address
  • VCSA upgrade: may want to consider pruning vCenter historical stats

VCSA Configuration

  • VCSA configuration via web client under “system configuration” tab
  • VAMI UI has returned in vSphere 6.0 U1 and is HTML5
  • PSC UI in vSphere 6.0 U1 in HTML5
  • Open a browser to https://vc/psc
  • Authenticated via SSO
  • DCUI-type interface at VCSA console
  • Full command line is available
  • New to vSphere 6.0 U1 is a more scriptable appliancesh interface

VCSA Operations

  • Increase memory/CPU resources
  • Dynamic memory resize support
  • No longer require JVM tweaks
  • At boot time the VCSA re-allocates memory
  • Increase disk capacity on live system.
  • VCSA has 11 VMDKs for different uses
  • Run a simple command line to expand within VCSA to use additional storage space
  • Patching and updates – Pulls updates from the internet. NEW: URL based patching is back.
  • Password expiration: VAMI UI or CLI. Root ages at 365 days.

VCSA Troubleshooting

  • Installation settings are stored in /etc/vmware/install-defaults
  • Native syslog support. Configurable in vSphere web client
  • Can forward vCenter logs via syslog
  • VIMTOP is like ESX top for vCenter
  • Support bundles – can pull logs via GUI or CLI

VCSA Migration

  • Fling released for migration of Windows vCenter 5.5 to VCSA 5.5
  • Tech preview of an updated product to support 6.0. No ETA mentioned.

 

VMworld 2015: vCenter Appliance as First Choice

Session: INF5975

Transforming software delivery with software appliances

  • Accelerate time to value
  • Simplify software management
  • Performance
  • Security
  • Reduced total cost of ownership (TCO)

vCSA

  • Security hardened SUSE OS (SLES 11 SP3)
  • vCenter server and vPostgreSQL DB in a single VM
  • Appliance shell and UI support for appliance configuration
  • vCenter 6.0 appliance is ‘enterprise ready’
  • Same scalability as Windows vCenter deployment
  • Full support for linked mode

Windows and appliance are nearly at same performance at medium and large inventories

vCSA Deployment Configurations

  • Embedded and external PSC deployment modes
  • PSC abstracts common services such as SSO, licensing, certs, etc.
  • Convert from embedded to external PSC mode in 6.0 U1 (repointing)
  • vCenter Windows to vCSA migration tool is available as a fling
  • Can upgrade from vCSA 5.1 and 5.5 to 6.0 (U1)

vCSA Configuration

  • Network settings – DNS, hostname, IP, etc.
  • Time zone and NTP
  • Enable/disable services
  • Security considerations: SSH, password expiration, AD domain, firewall, log files, SNMP, etc.
  • Do NOT install third party agents on vCSA

Backup/Restore

  • Backup both embedded PSC and external PSC configurations
  • Works with VADP
  • Supports third party backups like NetBackup and CommVault

High Availability

  • Use VMware HA – Time tested. Protects against host and hardware failure.
  • vCenter Server watchdog
  • Attempts to restart processes, and will restart the service or VM
  • Ensures application level availability

Monitoring

  • vCenter Server Appliance Management
  • Appliance GUI in 6.0 U1
  • Generate support bundles
  • Monitor appliance resources and vCenter services
  • Receive SNMP trap notifications

vCenter server appliance management – security

  • Manage SSO users and groups
  • Password policies and management
  • Built-in certificate store and out of box certificate management

Patching

  • Easily apply product and third party patches (OS, Postgres, JRE)
  • Connect directly to VMware update repository or create custom repository

vSphere 6.0 Install Pt. 15: VCSA vCenter Install

If you are a VCSA (vCenter server appliance) convert, and wish to use the vCenter server appliance, this post is for you! It assumes you already have an external VCSA PSC setup, per Part 10. So this post will walk you through a similar deployment process, but this time install vCenter instead of a PSC. If you’ve deployed a Windows vCenter, then skip this post.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install
vSphere 6.0 Install Pt. 15: VCSA vCenter Install
vSphere 6.0 Install Pt. 16: User Solution Certificates

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Deploy VCSA vCenter

1. Download the VCSA ISO (yes ISO, not OVA) and mount it on a Windows VM.

2. Open the root of the ISO and click on the vcsa-setup.html file.

3. Since I’m assuming a fresh install, click on Install.

4. Accept the license agreement and click Next.

5. Enter the FQDN or IP address of the ESXi server which you want the PSC deployed on. Enter the associated credentials. Click next and wait for the verification to complete. You may get a warning about an untrusted SSL certificate. Accept it.


6. On your DNS server configure A and PTR records for the vCenter’s address. This is critical!

7. Enter the FQDN of your appliance, and a complex password. If your password is not complex enough it will warn you and provide the complexity requirements.


8. Select “Install vCenter Server” on the next screen, since we will be using our external PSC.

9. Now enter the FQDN of your PSC, and the SSO password.

10. Up next is VCSA sizing. In my case I selected Tiny, since this is a small home lab.


11. Here you get to select your database. SQL is NOT an option, due to the lack of a supported ODBC binary for Linux. I’ll use the built-in Database.

12. Up next is configuring all the network settings. This is pretty self explanatory. Do take note of the time sync options. In a production environment I would suggest syncing to a trusted NTP source and not the ESXi host, although you should have ESXi configured to sync with a trusted source as well. Not shown in the screenshot is the ability to enable SSH. Since I’m in a lab environment, I enabled SSH.


13. Review all of the settings to ensure they are 100% correct. Click Next, and sit back for the installation to complete.


Summary

Deploying vCenter in the form of a VCSA is easy peasy! I really like the VCSA for its ease of deployment, and self-contained nature. Clearly VMware has put a lot of development time into the VCSA, and it shows. Now that vCenter is installed, it’s time to replace more SSL certificates. That’s coming up next in Part 16.

vSphere 6.0 Installation Pt. 14: Install Windows vCenter

Now that we are pretty far into this series, we can finally install our Windows vCenter. This will leverage our external PSC, for maximum scalability. Depending on your environment size, you may need to scale up the VM’s hardware specs for optimal performance. Consult VMware documentation for sizing guidance. In this exercise we will configure 2 vCPUs and 12GB of RAM, which is enough for a small environment.

If you would rather use the VCSA vCenter instead of a Windows vCenter, don’t fear, that will be coming up in a future blog installment. So if you don’t want a Windows vCenter, then hold on and soon enough I’ll have those instructions published.


Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Provision vCenter VM

Before we install vCenter, we need to provision the vCenter VM. Per VMware recommendations the VM needs at least 8GB of RAM for an embedded installation. Don’t skimp on memory, as performance will likely take a beating depending on the number of hosts and VMs you are managing. I’d recommend 12GB minimum. Also keep in mind:

  • At least 2 vCPUs (hard minimum)
  • At least 12GB of RAM (8GB hard minimum)
  • At least 70GB D drive (more with VUM)
  • Use VMXNET3 NIC
  • Use any virtual hardware version. I recommend v10 or v11.
  • Recommend Windows Server 2012 R2
  • Enable hot add of memory/CPU (optional)
  • Fully patched OS (important)
  • Verify time sync between PSC and vCenter VM

If you want to use the web client on the vCenter server with IE, then you must install the Desktop Experience feature. Why? That’s the only way to get Flash player in IE with Windows Server 2012 and Windows Server 2012 R2. VMware really needs to dump the Flash interface and go HTML5. If you use a third party browser, make sure you get the very latest Flash player.

After you install the Desktop Experience make sure you patch it. Why? The stock Flash player version is not compatible with the web client and needs to be updated via Windows Update/WSUS/SCCM to the latest version.


If you will be using IE on the vCenter server you also need to turn off the IE enhanced security mode.


vCenter Install

When installing vCenter you have two primary options. The first is an embedded option, where it will install the PSC and all the vCenter components in one fell swoop. This is akin to the “Simple” install in vSphere 5.5. The second option lets you deploy the PSC separately from vCenter. If you only install the PSC, when you run the installer the next time you only have an uninstall option and can’t install the rest of the vCenter services. So for this install we will go ahead and do a full vCenter install, using the external PSC that we have previously installed. You can use either a Windows external PSC or a VCSA-based PSC for this. Choice is yours!

1. Launch the vSphere 6.0 autorun installer. On the main screen select vCenter Server for Windows.


2. Accept the license agreement and pause on the Deployment Type screen. Select vCenter Server.


3. On the System Network Name screen verify the FQDN is that of your local server. It should be. Click Next. You may get a warning about IPv6, which you can ignore if you aren’t using it.


4. Next up you need to point the installer towards your PSC and enter the SSO password you used during the installation process.


5. When you click Next you may get a warning about a time differential. If it’s off by just a minute or two I would not worry about it; I saw a warning about a 63 second time delta. After any time warnings you will get a certificate validation prompt. Even if you replaced your VMCA and PSC machine SSL certificates, you will see an untrusted certificate here. This is because the VMware Directory Service certificate is used for this authentication. If you followed along in my blog and replaced the VMdir certificate, then it will show a trusted certificate.


6. Next you need to select your vCenter service account. I always use a Windows service account, so I input those credentials here. I also made sure the service account was in the local administrator’s group on the vCenter server. It will also need the “Log on as a service” right. To do that launch the “Local Security Policy” editor, navigate to “Local Policies” then “User Rights Assignment”.


7. Now you need to configure your database. For anything but a small home lab you should use an external database. If you do opt for the internal database, in vSphere 6.0 it is now vPostgres and NOT SQL Express. In the previous blog series article we configured SQL using my vCenter toolkit script. So now select that DSN from the drop down.


8. Next up are the default port numbers, which you shouldn’t change.


9. Now you can change the directory installation paths if you wish. I just took the defaults.


10. Now you can review your configuration and make sure that everything is good to go. Click Install.

Summary

With the external PSC already installed, doing the vCenter install is a piece of cake. If you are in a small lab, then you don’t even need to fuss with setting up an external database like SQL. For production instances I would always use a SQL or Oracle database. It’s best to leave the default installation paths, as VMware instructions for certificate replacement use the default paths. I just don’t see any big reason to stray from the defaults here. KISS principle applies. If you have to choose between using SQL or Oracle for the back end, I would lean towards SQL. The VMware Fling to convert a Windows vCenter to the VCSA currently only works with SQL, so should you ever want to change your deployment model SQL makes it easier.

Next up is installing the VCSA vCenter, which you can find here.

vSphere 6.0 Pt. 13: VMware Directory Svc Certificate

One of the lesser known SSL certificates in the vSphere 6.0 product is called the VMware Directory Service certificate. This is used by the built-in LDAP server for authentication and encryption. It’s mostly an internal-use-only certificate, and one that some customers may not worry about replacing. In fact, per VMware support, a lot of customers probably won’t replace this certificate. But, I’m a certificate whore, and wanted to be thorough in my coverage of vSphere 6.0. You will also see the certificate when you install vCenter 6.0 with an external PSC, and authenticate to the PSC. Even if you use the VMCA, the directory services certificate is not replaced by a trusted certificate.

In addition, the VMware certificate tool does not have a menu option to replace the VMware Directory Service certificate. But don’t fear, I’ve built it into my Toolkit script. What VMware doesn’t do, I do. So in this installment I will show you how to replace the VMdir certificate with either one trusted by your enterprise CA, or issued by the VMCA. The toolkit script will also automate the installation for you, on a Windows PSC. If you are using the VCSA, I’m sorry, but we have to use a manual process provided by VMware.


Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Mint VMDir Certificate (Online)

You should run the Toolkit script on your Windows external PSC, so you have all the files needed locally and it will also automate the installation. If you are using the VCSA PSC, then run this script from a Windows server that has PowerShell 3.0. Use this online procedure if your Microsoft CA will issue the subordinate certificate either with or without approval. This method also supports the VMCA.

If you are using a VMCA as a subordinate, then select menu option 3 to mint your certificates from the VMCA in step 1 below.

1. Run the Toolkit PowerShell script on your external PSC or a Windows server VM if using the VCSA PSC. Select the VMware Directory Service Certificate menu (option 3). Select the option to create a VMDir certificate with an online MS CA (option 1).

2. Enter the FQDN of the PSC, or press ENTER, if running from the PSC, to accept the name. If no certificate approval is needed, the new VMDir certificate will be minted and downloaded.

 

If your MS CA is configured to require CA manager approval before issuing a certificate, you will see the following:


Have the CA manager approve the request ID, then re-run my Toolkit script and select the “Resume a pending online request for VMDir certificate” (option 4). The script will show you the paths to the chained PEM file and the private key file. After the request is complete, all files are located in C:\Certs\VMDir.

Mint VMDir Certificate (Offline)

Use this procedure if your issuing certificate authority is NOT a Microsoft online CA. It could be an offline Microsoft CA, or a non-MS CA as well. This assumes you have the proper templates configured in your CA, per my Part 9 post.

1. Run the Toolkit script and in the VMware Directory Service menu (option 3) select the option to create a VMDir certificate with an offline or non-MS CA (option 2). The script will verify that you have downloaded the root chain certificates.

2. Because I was running this on the external PSC, I just pressed enter for the PSC name.

3. Navigate to C:\Certs\VMDir and upload the VMDir.csr file to your favorite CA and issue a certificate. Download the issued certificate in the base-64 format and save as VMDir.crt in the same folder. You MUST use this file name and it MUST be base-64 encoded. It should only contain the certificate, not a full chain.

4. Re-run the toolkit and from the menu select the option “Create VMDir PEM file from offline or non-Microsoft CA files” (option 5). No input is needed. This will properly create a PEM file with the full certificate chain.

 

Install VMDir Certificate (Windows PSC)

Note: For this procedure I am showing you how to use my Toolkit script to install your VMDir certificate. VMware’s certificate tool does NOT support replacing the VMdir certificate, since not all customers feel the need to replace it. I feel the need. VMware did document the process in their vSphere 6.0 documentation, which is what I implemented in the script.

1. Re-run my Toolkit script and in the VMware Directory Service Menu (option 3) select the option “Install custom VMDir certificate on this computer” (option 6).

2. Wait about 30 seconds, and the process will complete without any user input.

Install VMDir Certificate (VCSA)

By this point I’m assuming you have the BASH shell enabled, and know how to WinSCP and SSH into the VCSA. Those steps have been covered in previous blog posts, so I’m not repeating them here.

1. Run my Toolkit script and on the main menu select VMware Directory Service Menu (Option 3). On the following menu select option 7 to rename the certificate files.

2. SSH into the VCSA and enter the following command:

/bin/service-control --stop VMWareDirectoryService

3. From the C:\certs\Machine directory copy the vmdircert.pem and vmdirkey.pem files to:

/usr/lib/vmware-vmdir/share/config/

4. Enter the following command:

/bin/service-control --start VMWareDirectoryService

Validate VMDir Certificate

In case you want to verify that the VMDir certificate actually was replaced and is using your trusted certificate, my toolkit can do that too!

1. Launch the Toolkit and from the main menu select VMware Directory Service menu (option 3). From there select Display VMDir Certificate (option 8).

2. OpenSSL is invoked to display, in a somewhat unfriendly manner, the SSL certificate used for the LDAP services. Review the properties to ensure they contain those from your trusted CA.

Summary

While not a popular certificate to replace, replacing the VMware Directory Service certificate does have its place. Since the Toolkit makes it so easy to do, I’d recommend replacing it as a matter of practice. This will eliminate a somewhat worrisome certificate validation pop-up during the vCenter installation process. Instead of seeing an untrusted certificate, you will see your freshly minted VMDir certificate.

vSphere 6.0 Pt. 12: PSC Machine Certificate

Back in Part 11 of this series we configured the VMCA to be a subordinate CA to our enterprise CA. This ensures that all certificates which get used by vCenter components are automatically trusted. But as previously mentioned, not all organizations can use the VMCA. The US Federal Government would be a prime example, where there’s no way you can stand up your own subordinate CA.

So if you are one of the organizations that can NOT use the VMCA and need to use custom SSL certificate throughout, this post is for you. In this post we will replace the PSC’s machine SSL Certificate with a certificate issued by your enterprise CA, not the VMCA. If you followed Part 11 and are using the VMCA, skip this post.

Just like Part 11, I’ll go through the same process of using a Microsoft online CA, offline CA, and updating the certificates for both Windows and the VCSA. This should cover most scenarios that people have to deal with. If that’s not exactly what your scenario is, you can probably figure out what to do between VMware documentation and my Toolkit posts.

As always, download the latest version of my Toolkit script, as it is rapidly changing as I add more blog posts about SSL and work through issues. The download permalink is below. For this post you will need at least version 0.75 (April 2, 2015) or later to follow along.

Ironically, the VMware supplied certificate tool in its GA form has a bug when you replace the machine certificate with multiple intermediate CAs. You can find the KB here. So I’d recommend using my Toolkit script for a Windows PSC, as it does not have the bug and is easier anyway. 🙂 I am told VMware is working on an updated script, but I have no ETA on a release date. If you are using the VCSA you will need to use the workaround, which I cover in my post below.


Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Mint Machine Certificate (Online)

You should run the Toolkit script on your Windows external PSC, so you have all the files needed locally and it will also automate the installation. If you are using the VCSA PSC, then run this script from a Windows server that has PowerShell 3.0. Use this online procedure if your Microsoft CA will issue the subordinate certificate either with or without approval.

1. Run the Toolkit PowerShell script on your external PSC or a Windows server VM if using the VCSA PSC. Select the Machine SSL Certificate menu (option 4). Select the option to create a Machine SSL certificate with an online MS CA (option 1).

2. Enter the FQDN of the PSC, or press ENTER, if running from the PSC, to accept the name. If no certificate approval is needed, the new machine certificate will be minted and downloaded.

If your MS CA is configured to require CA manager approval before issuing a certificate, you will see the following:

Have the CA manager approve the request ID, then re-run my Toolkit script and select the “Resume a pending online request for Machine SSL certificate” (option 4). The script will show you the paths to the chained PEM file and the private key file.


After the request is complete, you will see the following files in the C:\Certs\Machine directory.


You have now minted your Machine SSL certificate, but it is not yet installed. Read on further in this post on how to install it.

Mint Machine Certificate (Offline)

Use this procedure if your issuing certificate authority is NOT a Microsoft online CA. It could be an offline Microsoft CA, or a non-MS CA as well. This assumes you have the proper templates configured in your CA, per my Part 9 post.

1. Run the Toolkit script and in the Machine SSL menu (option 4) select the option to create a Machine SSL certificate with an offline or non-MS CA (option 2). The script will verify that you have downloaded the root chain certificates.

2. Because I was running this on the external PSC, I just pressed enter for the PSC name.


3. Navigate to C:\Certs\Machine and upload the machine_ssl.csr file to your favorite CA and issue a certificate. Download the issued certificate in the base-64 format and save as new_machine.crt in the same folder. You MUST use this file name and it MUST be base-64 encoded. It should only contain the certificate, not a full chain.

4. Re-run the toolkit and from the menu select the option “Create Machine SSL PEM file from offline or non-Microsoft CA files” (option 5). No input is needed. This will properly create a PEM file with the full certificate chain.


Install Machine SSL Certificate (Windows PSC)

Note: For this procedure I am showing you how to use my Toolkit script to install your Machine SSL certificate. VMware provides a Certificate Management tool that can perform the same steps. I show you how to use the VMware tool in the next section, when using the VCSA. The tool is the same on Windows and the VCSA. So if you feel more comfortable using the VMware tool to install the cert, skip down to that section. On Windows you can find the tool at C:\Program Files\VMware\vCenter Server\vmcad\Certificate-manager. My tool uses the manual method as documented in the vSphere 6.0 security guide, so the results are the same.

1. Re-run my Toolkit script and in the Machine SSL menu (option 4) select the option “Install custom machine SSL certificate on this computer” (option 6).

2. Sit back and wait while the script stops services, installs the new certificate, and restarts the services. Keep an eye on the process, as mid way through you will need to confirm the deletion of the existing machine certificate. Simply press Y.


Install Machine Certificate (VCSA PSC)

Note: For this procedure I am showing you how to use the VMware Certificate Manager tool to install the VMCA signing certificate. This assumes you used my Toolkit to generate the certificate files. There’s a bug documented in this VMware KB about the tool failing with multiple intermediate CAs. I’ll include the workaround here, so you have a one stop shop for replacing your certificates.

1. If you haven’t already enabled BASH on your VCSA, let’s do that now. Open a console into the VCSA. Press F2 to customize the system. Login. Arrow down to “Troubleshooting Mode Options” then enable BASH shell. Exit the VCSA console.

2. Open a SSH session to the VCSA and type the following:

shell

chsh -s "/bin/bash" root

Make sure you run the ‘chsh’ command from the ‘shell’ prompt and not the VMware restricted shell…it won’t recognize the chsh command. Thanks to William Lam’s blog post here for this step!

3. Download and install your favorite SCP client. I like WinSCP. Connect via SCP using the VCSA credentials.

4. Create a folder to put your SSL certificates. I like the ‘/root/ssl’ directory.

5. In WinSCP navigate to the C:\Certs\machine folder. Upload the new_machine.cer and ssl_key.priv files to the SSL directory on the VCSA. The other files in the machine folder are not needed, so don’t upload them. From the C:\certs folder upload the chain.cer AND the root64.cer files to the /root/ssl directory on the VCSA.

6. SSH into the VCSA and ensure you get a ‘shell’ prompt. This will be in red, and have the short name of the VCSA. Type the following command.

Windows:

"C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe" trustedcert publish --chain --cert c:\certs\chain.cer

VCSA:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /root/ssl/chain.cer

Note that all the options begin with a double dash, not a single dash. Cut/paste may mangle the dashes and cause the command to fail. Best to manually type the whole command instead of cut/paste.

7. In the VCSA shell run the following command:

/usr/lib/vmware-vmca/bin/certificate-manager

8. Choose Option 1 from the main menu. Enter the SSO password as requested.

9. From the new menu select Option 2, Import custom certificates. Input the root certificate file names when prompted. Use /root/ssl/new_machine.cer for the first prompt and /root/ssl/ssl_key.priv for the second. For the third and final prompt enter /root/ssl/root64.cer.

10. After you enter all the certificate paths you will be prompted to continue. The whole replacement process takes less than two minutes.

Inspecting the Machine Certificate

Now that we have installed a new machine SSL certificate, we want to make sure it was issued by our enterprise CA and is trusted. This can easily be done via any browser of your choosing.

1. Launch your favorite browser and go to https://PSC-FQDN/websso/. Open the certificate properties for the SSL site.

2. Click on the Certification Path, and verify that all of your enterprise CAs are listed. If you only see a single entry in this list, and not the full chain, that likely means your Windows computer does NOT trust the full chain. See your CA administrator for getting all of your enterprise CAs published through Active Directory.
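The same checks the browser’s Certification Path tab gives you can be run with OpenSSL before the files are handed to certificate-manager, or copied into /usr/lib/vmware-vmdir/share/config/ for the VMDir certificate. The script below is an added example, not code from this post or from the Toolkit script. It builds a throwaway root CA, issuing CA and PSC machine certificate (constructed demo data; the file names borrow the post’s C:\Certs\Machine layout of new_machine.cer, ssl_key.priv, chain.cer and root64.cer, and the psc.lab.example FQDN and “Demo” CA names are assumptions), then confirms that the private key belongs to the certificate, that the leaf chains to the root through the intermediate, and that the SAN matches the PSC FQDN. Run without chain.cer it also reproduces the “single entry” symptom described above: a leaf issued by an intermediate will not validate against the root alone.

```shell
#!/bin/sh
# Added example (not from the post or the Toolkit script): pre-install checks for a
# PSC machine SSL certificate, mirroring what the browser's Certification Path shows.
# Assumes openssl is on PATH. CA names and the FQDN used in the demo are constructed.

# Build a throwaway root CA -> issuing CA -> machine certificate under "$1" for FQDN "$2".
# File names follow the post's C:\Certs\Machine layout; the CAs stand in for an enterprise PKI.
mint_demo_chain() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/leaf.ext"
  # Root CA (self-signed) -> root64.cer
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Enterprise Root CA" \
    -keyout "$dir/root.key" -out "$dir/root64.cer" >/dev/null 2>&1
  # Issuing (intermediate) CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Issuing CA" \
    -keyout "$dir/issuing.key" -out "$dir/issuing.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root64.cer" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" \
    -out "$dir/issuing.cer" >/dev/null 2>&1
  # Machine SSL CSR and certificate for the PSC, issued by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$dir/ssl_key.priv" -out "$dir/machine_ssl.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/machine_ssl.csr" -CA "$dir/issuing.cer" -CAkey "$dir/issuing.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
    -out "$dir/new_machine.cer" >/dev/null 2>&1
  # chain.cer carries the intermediate(s) plus the root, as the post describes
  cat "$dir/issuing.cer" "$dir/root64.cer" > "$dir/chain.cer"
}

# Return 0 only if the private key ($2) belongs to the certificate ($1):
# compare the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)" = \
    "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# Return 0 only if LEAF ($2) chains to the trusted ROOT ($1) and its SAN matches FQDN ($3).
# CHAIN ($4, optional) supplies the untrusted intermediates; without it a leaf issued by an
# intermediate does not validate, which is the "single entry" symptom seen in the browser.
verify_machine_cert() {
  root="$1"; leaf="$2"; fqdn="$3"; chain="$4"
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$root" -untrusted "$chain" -verify_hostname "$fqdn" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" -verify_hostname "$fqdn" "$leaf" >/dev/null 2>&1
  fi
}

# Stand-alone demonstration: mint the demo files in a temp dir and report each check.
demo() {
  d=$(mktemp -d)
  mint_demo_chain "$d" psc.lab.example
  if key_matches_cert "$d/new_machine.cer" "$d/ssl_key.priv"; then
    echo "ssl_key.priv matches new_machine.cer"
  else
    echo "KEY MISMATCH: do not install these files"
  fi
  if verify_machine_cert "$d/root64.cer" "$d/new_machine.cer" psc.lab.example "$d/chain.cer"; then
    echo "chain to root64.cer and SAN for psc.lab.example: OK"
  else
    echo "CHAIN OR HOSTNAME CHECK FAILED"
  fi
  if ! verify_machine_cert "$d/root64.cer" "$d/new_machine.cer" psc.lab.example; then
    echo "without chain.cer the leaf does not validate (expected: intermediate missing)"
  fi
  rm -rf "$d"
}
demo
```

On a real PSC, point verify_machine_cert at your enterprise root, the issued new_machine.cer and the chain.cer the Toolkit produced; a failure on the hostname check means the certificate was issued without the PSC FQDN in its SAN, and a failure that clears once chain.cer is supplied means the intermediate is missing from the trust store, the same situation the browser shows as a single entry in the path.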


Solution Warning

A reader pointed out the SRM and other solutions may fail when replacing the machine certificate on vCenter or the PSC. If you find yourself in this situation, check out this VMware KB article for remediation.

Summary

When you aren’t using the VMware VMCA, you must mint and install a machine SSL certificate for the PSC from your enterprise CA. This certificate is used by the reverse proxy for all services accessed over HTTPS. You can elect to either use my Toolkit script to install the machine cert, or the VMware tool. Either way, you end up with a trusted machine SSL certificate on your PSC.

vSphere 6.0 Install Pt. 10: Install VCSA PSC

New to my vSphere installation series is using the pre-packaged vCenter appliance (VCSA). Now that the VCSA is on par with the Windows vCenter server, I suspect more and more people will migrate to the appliance. So to that end, let’s install an external PSC using the VCSA. If you are using a Windows-based external PSC, then you can skip this blog post and go directly to Part 11 (VMCA as subordinate) when that gets published.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Deploy VCSA PSC

1. Download the VCSA ISO (yes ISO, not OVA) and mount it on a Windows VM.

2. Open the root of the ISO and click on the vcsa-setup.html file.

3. Since I’m assuming a fresh install, click on Install.

4. Accept the license agreement and click Next.

5. Enter the FQDN or IP address of the ESXi server which you want the PSC deployed on. Enter the associated credentials. Click next and wait for the verification to complete. You may get a warning about an untrusted SSL certificate. Accept it.


6. On your DNS server configure A and PTR records for the PSC’s address. This is critical!

7. Enter the FQDN of your appliance, and a complex password. If your password is not complex enough it will warn you and provide the complexity requirements.

8. Next up, select the PSC option and click Next.


9. Now we get to configure SSO. Yippee! Since I’m assuming a new install, I’ll create a new SSO domain, enter a complex password, and an SSO site name. Remember that you should NOT set your SSO domain name to the same name as your Windows domain. You could use a sub-domain, such as sso.contoso.local. I’m sticking with vSphere.local.


10. The appliance is automatically sized at 2 vCPUs and 2GB of RAM. Not bad for a PSC. Click Next.

11. Next up is datastore selection. In my home lab I have datastores on my QNAP and VSAN. I’ll go with VSAN here.


12. Now you get to configure your network settings. Everything here is self-explanatory. I used the public NTP servers for accurate time, and also enabled SSH (lower down on the screen).


13. On the summary screen review all of the details to ensure they are correct.


14. Sit back for a few minutes and wait for your VCSA-based PSC to be installed!


Summary

We walked through the manual process of deploying a VCSA-based PSC in your environment. The VMware wizard is very straight forward, and makes deploying the VCSA very easy. If you want to automate the deployment of the VCSA, check out William Lam’s awesome multi-part guide here. You can also check out an ‘official’ method of command line deployment here. Next up will be configuring the VMCA as a subordinate CA, which you can find here.

vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices

Upgrades can be scary times with any enterprise product. The more your critical infrastructure relies on a particular solution, or set of solutions, the more imperative it is that you fully understand and test the new product. Prior vSphere releases have taught us that thorough testing cannot be skipped and you should not rush a new product into production. No product is bug free, and each environment is different.

Normally for my vSphere installation series I do not cover upgrades, or go through an upgrade process in the series. Why? Customer environments vary wildly and a simple lab upgrade will likely not look like or behave like your environment. That’s why it’s so critical for you to test in your environment. My upgrade would not look like your upgrade. The more complex your topology, such as multiple SSO services, the more critical testing becomes.

But, what I am doing in this post and the next installment is covering upgrade best practices to help you understand your road ahead and things to keep in mind. This post covers vCenter only, and the next installment covers VMs, VMFS, and ESXi hosts.


vSphere 6.0 Upgrade Overview

  • Plan your upgrade – Extremely important. KB on update sequence is here.
  • Read the full vSphere 6.0 release notes here
  • Five major steps: vCenter, VUM, ESXi, VMs, VMFS
  • Key VMware Sites to bookmark: Documentation Center, Compatibility Guide, Interop matrix
  • If you upgrade Windows with a service pack or other system changes and get locked out of SSO, read this KB to regain access
  • Great KB on vCenter 6.0 topologies is here

Prior to 5.1 life was simple. You had vCenter Server, vCenter Database server, and vSphere web client. The vCenter server is NOT stateless, meaning the database is not all inclusive. The local vCenter server has SSL certificates and the ADAM database. ADAM is not just for linked mode but holds data such as licenses, roles, and permissions. If you are using vSphere 5.1, then ‘tags’ are also stored locally on the vCenter server and thus not in the database.

Starting with vSphere 5.1 and continuing with 5.5 you have more roles, such as SSO, and you could even have a distributed topology. This makes upgrades more complex, and requires additional planning. vSphere 6.0 changes that up by adding the Platform Services Controller (PSC), which absorbs the SSO service and adds new functionality. ADAM is now gone, replaced by an internal LDAP service.

Upgrade Matrix

  • In-place upgrade supports vCenter 4.x, 5.0.x, 5.1.x, and 5.5
  • VMware does NOT support directly migrating an existing 5.x or earlier vCenter Server to a new machine during the upgrade process
  • vCenter Server 6.0 can manage ESX/ESXi 5.x and higher hosts.
  • Check out the vSphere Upgrade Center here

System Requirements

  • Embedded install – 2 vCPUs, 8GB RAM (tiny environment), 100GB disk Recommended. For 400 hosts or 4000 VMs: 8 vCPU, 24GB RAM, 200GB disk. See this link for more Windows sizing details.
  • vCenter OS Support: Only supports Windows Server 2008 SP2 and later (including WS2012 R2). See this KB for the full support matrix.

New Install vs. In Place Upgrade

VMware recommends a fresh install, but sometimes it’s just not possible. However, do check out the “Inventory Snapshot” Fling, which is a great (unsupported) tool to migrate hosts, VMs, and permissions from one Windows vCenter instance to another. It does NOT appear to support tags and currently has some vDS issues. Tags are not stored in the SQL database, so if you use tags then be sure to find a way to migrate them. If you are in a regulated industry and have strict audit requirements you may be legally required to maintain the historical data in your vCenter database and unable to start fresh.

Very recently released is the VCS to VCVA Converter. What is it? This is an unsupported (officially) method to migrate from a Windows vCenter to the Linux vCenter appliance. It’s released under the technical preview license. It looks very promising, and I’ve seen a lot of buzz on Twitter about it. So check it out, if you want to migrate to the vCenter appliance. I think the vCenter appliance is now production ready at-scale, so this is an excellent time to migrate off Windows.

If you are starting with a fresh install do take a close look at the VCSA. It now supports the same number of VMs and hosts as the Windows version, and is simple to deploy. New to vSphere 6.0 is the ability to do linked mode between VCSA instances. This is due to the removal of ADAM as a Linked Mode dependency. So if you’ve always been a Windows vCenter shop, now is a good time to evaluate going down the VCSA road. It has a new guided install, and pre-check installer too, so VMware is really trying to make it a full replacement. There’s still no external SQL server support, due to the lack of a GA Microsoft ODBC connector. But the embedded database is very scalable, so that shouldn’t be a big factor.

Installation – Then and Now

vSphere 6.0 features a new install sequence with a bit more guidance than previous versions. Gone is the “Simple Install” option and instead a scenario driven installer is used. For example, one of the first screens you will see presents several PSC deployment options. It also features a hard check for 2 vCPUs and at least 8GB of RAM. The following screen then presents you with SSO configuration options, such as creating a new SSO domain or joining an existing one. This is great for upgrades as you can connect to an existing SSO instance.

New to vSphere 6.0 is the embedded vPostgres database, which replaces the prior SQL express option. Don’t worry, you can still specify an external database, such as SQL or Oracle. I also like the new DSN refresh button, so you don’t have to remember to create your DSN before launching the installer. Unlike prior “simple” installer options, this new wizard prompts you for directory paths such as the base vCenter directory and a separate directory for the vCenter/PSC data. Nice!

Before you embark on your vCenter 6.0 install, a MUST read is the VMware vCenter Server 6.0 Deployment guide. It’s in excess of 100 pages, and goes through a lot of upgrade scenarios, deployment topologies, etc. I know it’s long, but after all this is an enterprise product with new topology options. Read thoroughly!

Linked Mode

Linked mode adds additional complications to the upgrade process. As you may recall you can’t link vCenters of different versions. So you first need to unjoin all vCenters from the linked mode group. Once you upgrade two vCenters to 6.0, you can then re-establish Linked Mode and add other 6.0 vCenters as they come online. The biggest problems with Linked Mode include DNS and NTP failures. It’s critical name resolution works (forward AND reverse) and that the server clocks are all synchronized. All vCenter servers that are linked must also be a part of the same SSO authentication domain. New to vSphere 6.0 is the ability to do linked mode between the VCSA and a Windows based vCenter. You can also do linked mode between VCSAs as well!

vCenter Appliance

The VCSA has undergone major scalability increases in 6.0. In 5.1 it was only rated for 5 hosts and 50 VMs when using the embedded database. With 6.0 that is increased to parity with the Windows scalability limits. So that makes it a much more viable solution for enterprise customers. You can NOT migrate from the Windows vCenter to the VCSA, officially. But as previously mentioned, you can try out the VCS to VCVA fling here.

Update Manager

Contrary to some rumors, VUM has not gone away in vSphere 6.0. Apparently the VUM replacement was not quite ready for prime time, so VUM still exists in 6.0. You can upgrade VUM from 4.x, 5.0 and 5.1 versions. VUM is still Windows only, so if you do deploy the VCSA you will still need a Windows server to host VUM. The web client in 6.0 also has limited VUM functionality, so the C# client is still needed to do things like pushing patches and configuring baselines. During the upgrade you can’t change the installation or download paths. Scheduled tasks remain, but patch baselines are removed.

Summary

You need to carefully plan your upgrades, and understand all of the moving components. Generally you would start by upgrading vCenter, then your ESXi hosts. But you may have other products that depend on vCenter which need upgrading first. Thoroughly map out all of your dependencies, read the VMware documentation, then plan in an organized fashion how you are going to upgrade.

VMworld 2014: vCenter Server Architecture Deep Dive

Session INF2311, Justin King

vCenter Server Configuration Options: 5.0 –

Configuration Option for v5.5 #1:

  • Use simple installer
  • Multiple vCenters for different geographic locations
  • Single SSO authentication domain

Configuration for 5.5 #2:

  • Centralized SSO on dedicated VM
  • A datacenter with 3 or more solutions (e.g. vCAC, etc.)
  • Availability uses vSphere HA and network load balancer

Utilize A management cluster

  • Run multiple vCenter components together on same virtual machine minus the database
  • Recommendations: 3 vSphere Hosts, enable vSphere HA

vCenter SSO recommendations

  • Embedded vCenter SSO reduces complexity
  • Up to 8 instances
  • 12ms latency
  • Same vSphere.local domain
  • Centralized SSO-only VMs (3 or more solution like vCenter, vCAC, etc.)
  • All configurations: Backup each instance

vSphere client in vSphere 5.5 Update 2 supports HW v10. Yippee!

vCenter Server Tech Preview

  • SSO is now one service inside a broader “Platform Services Controller” (PSC). Certificates, licensing, etc. will register with the PSC.
  • You can embed the PSC (platform service controller) with vCenter, just like you did with SSO
  • Think of the PSC as the new SSO, but with a lot more services
  • The existing SSO topologies (embedded or external) are valid for the SSO
  • You can mix and match PSC embedded and external instances, all sharing the same SSO domain

vSphere 6.0 Tech Preview Install and Upgrade

  • One installer that allows you to choose the deployment type (embedded or external PSC)
  • Asks for all input up front, validate, then will deploy the software
  • Scripted install for advanced users
  • Linux appliance install is completely new with a guided install with pre-check installer
  • Full upgrade path from 5.0, 5.1 and 5.5

Scalability

  • Appliance model is now on par with Windows in terms of number of VMs and ESXi hosts
  • Linked mode drops ADAM and will be supported on the Linux appliance

 

vSphere 5.5 Install Pt. 3: Upgrading vCenter

Upgrades can be scary times with any enterprise product. The more your critical infrastructure relies on a particular solution, or set of solutions, the more imperative it is that you fully understand and test the new product. vSphere 5.1 taught us that thorough testing cannot be skipped and you should not rush a new product into production.

Normally for my vSphere installation series I do NOT cover upgrades, or go through an upgrade process in the series. Why? Customer environments vary wildly and a simple lab upgrade will likely not look like or behave like YOUR environment. That’s why it’s so critical for you to test in your environment. My upgrade would not look like your upgrade.

But, what I am doing in this post and the next installment is covering upgrade best practices to help you understand your road ahead and things to keep in mind. It contains information from VMworld 2013 vSphere 5.5 upgrade sessions, plus links to resources that have been published post-GA. This post covers vCenter only, and the next installment covers VMs, VMFS, ESXi hosts, and other products.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction
vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn
vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi Upgrade Best Practices and Tips 
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client 
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter
vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

vSphere 5.5 Upgrade Overview

  • Plan your upgrade – Extremely important. KB on update sequence is here.
  • Five major steps: vCenter, VUM, ESXi, VMs, VMFS
  • Key VMware Sites to bookmark: Documentation Center, Compatibility Guide, Interop matrix
  • KB article here for vCenter 5.5 Upgrade using the Simple Installer
  • KB article here for vCenter 5.5 Upgrade using the Custom Installer
  • If you upgrade Windows with a service pack or other system changes and get locked out of SSO, read this KB to regain access
  • Upgrade vCenter to 5.5 before vSphere replication is upgraded (blog post here)

Prior to 5.1 life was simple. You had vCenter Server, vCenter Database server, and vSphere web client (introduced in 5.0, but rarely used). The vCenter server is NOT stateless, meaning the database is not all inclusive. The local vCenter server has SSL certificates and the ADAM database. ADAM is not just for linked mode but holds data such as licenses, roles, and permissions. So don’t stand up a fresh VM, install the “old” version on that VM then do an upgrade to 5.5 and expect everything to be there. It won’t be and further complicates your upgrade process. If you are using vSphere 5.1, then ‘tags’ are also stored locally on the vCenter server and thus not in the database.

Upgrade Matrix

  • In-place upgrade supports vCenter 4.x, 5.0.x, 5.1.x (must be 64-bit host)
  • VMware does NOT support directly migrating an existing 5.x or earlier vCenter Server to a new machine during the upgrade process
  • vCenter Server 5.5 can manage ESX/ESXi 4.x, 5.0.x  and 5.1.x hosts. It will NOT manage ESX 2.x or 3.x hosts.

System Requirements

  • Strongly recommend installing ALL vCenter components on a single VM – Simplified model
  • Simple install – 2 vCPUs, 12GB RAM, 100GB disk
  • Recommended for 400 hosts or 4000 VMs: 4 vCPU, 24GB RAM, 200GB disk
  • vCenter OS Support: Removes WS2003, only supports Windows Server 2008 SP2 and later (including WS2012 but NOT WS2012 R2)

New Install Vs. In Place Upgrade

VMware recommends a fresh install, but sometimes it’s just not possible. However, do check out the “Inventory Snapshot” Fling, which is a great (unsupported) tool to migrate hosts, VMs, and permissions from one vCenter instance to another. It does NOT appear to support tags and currently has some vDS issues. Tags are not stored in the SQL database, so if you use tags then be sure to find a way to migrate them. If you are in a regulated industry and have strict audit requirements you may be legally required to maintain the historical data in your vCenter database and unable to start fresh.

If you have a sprawling 5.1 architecture, with different vCenter components on different VMs, strongly consider a fresh install and do not upgrade. As previously mentioned VMware now urges the “simple install” method where all components are on a single beefy VM. This is a great time to re-visit your architecture and make it easier to manage and follow 5.5 best practices. That’s not to say you can’t upgrade and consolidate at the same time, you can, and VMware has promised some blog posts on how to do just that.

I’ve read reports that upgrading a vCenter 5.1 instance with trusted SSL certificates to 5.5 had problems. I have not personally tried that yet, so I can’t report my own experience. So make sure you have full backups and a tested plan to revert back to 5.1 incase you experience problems.

VMware has stated that the vCenter Server appliance will be the ONLY deployment option sometime in the future. So if you are starting with a fresh install, do take a close look at the VCSA. It still has a few minor gotchas including no support for IPv6, Linked Mode or vCenter Heartbeat. Those features are probably not widely used, so if you aren’t using those features take a serious look at VCSA.

At this time an external SQL database is NOT supported for the VCSA, but in the future when Microsoft releases the ODBC driver for SUSE Linux (currently in tech preview), VMware will support it. VCSA is certified up to 100 hosts and 3000 VMs. If you need to scale beyond that, use Windows.

Installation – Then and Now

vSphere 5.5 features a new Install splash screen, and the component order is different from 5.1. Simple Install should only be used for the first vCenter. All subsequent vCenter/SSO installs should use the custom method. This is due to changes in SSO, and the new automatic replication among SSO servers. Even if you are doing a single vCenter install and want to customize it in ANY way, including directory paths, you must do the custom install.

Upgrade Paths

For “typical” single server upgrades the path is fairly simple. You can do an in place upgrade and all of the required components and configuration settings will be retained. If you are going from pre-5.1, then the only database in play is the vCenter database.


If you are already running 5.1, then the upgrade path is ever so slightly different. Since the SSO database in 5.1 is no more, that data is migrated into the new SSO internal database. So post upgrade you are left with only the vCenter database upgrade. Yes: no more SQL authentication required, and no more impossible-to-configure JDBC SSL.


If you are one of those adventurous customers that implemented a load balancer with SSO, VMware is really discouraging you from continuing with that model. It’s complex, SSL creates additional headaches, and it’s just not needed in most environments. Big changes could be coming in the future, but it’s not recommended for 5.5. As mentioned in my previous installment, SSO Reborn, VMware recommends local SSO instances for each site/vCenter. SSO uses multi-master replication to sync data such as identity sources, users, groups, and policies. A geographically distributed example is shown below. Notice the local SSO and vCenter instances at each site.

Linked Mode

Linked mode adds additional complications to the upgrade process. As you may recall you can’t link vCenters of different versions. So you first need to unjoin all vCenters from the linked mode group. Once you upgrade two vCenters to 5.5, you can then re-establish Linked Mode and add other 5.5 vCenters as they come online. The biggest problems with Linked Mode include DNS and NTP failures. It’s critical name resolution works (forward AND reverse) and that the server clocks are all synchronized. All vCenter servers that are linked must also be a part of the same SSO authentication domain.

Host Agent Pre-Upgrade Checker

A tool included on the vSphere 5.5 ISO is the Host Agent Pre-Upgrade checker. Personally I’ve never used it (slipped my mind that it existed). If you choose to use it some simple checks are done against your ESXi hosts to validate that an upgrade will be successful. It’s not exhaustive, so even if your hosts pass the check you could still run into issues. But it’s a little bit of insurance that major gotchas can be discovered ahead of time. It does check items such as sufficient disk space, functional network, file system consistency, required patches are applied.

vCenter Appliance

The VCSA has undergone major scalability increases in 5.5. In 5.1 it was only rated for 5 hosts and 50 VMs when using the embedded database. With 5.5 that is increased to 100 hosts and/or 3000 VMs. So that makes it a much more viable solution for enterprise customers. You can NOT migrate from the Windows vCenter to the VCSA. As mentioned before, there’s also no Linked Mode, vCenter Heartbeat or IPv6. Again, the road map is an appliance only model for vCenter, so now is an excellent time to try it out. VMware said upgrades to future versions will be pretty easy, simplifying life.

Update Manager

You can upgrade VUM from 4.x, 5.0 and 5.1 versions. VUM is still Windows only, so if you do deploy the VCSA you will still need a Windows server to host VUM. The web client in 5.5 also has limited VUM functionality, so the C# client is still needed to do things like pushing patches and configuring baselines. During the upgrade you can’t change the installation or download paths. Scheduled tasks remain, but patch baselines are removed.

VMware has hinted/stated that VUM is going the way of the dodo bird. I would expect its replacement to be very different, and probably incorporated into the VCSA. I’m hoping in vSphere 6.0 there’s a good story on the VUM successor.

Summary

You need to carefully plan your upgrades, and understand all of the moving components. Generally you would start by upgrading vCenter, then your ESXi hosts. But you may have other products that depend on vCenter which need upgrading first. Thoroughly map out all of your dependencies, read the VMware documentation, then plan in an organized fashion how you are going to upgrade. If you are already on 5.1, custom SSL certificates may trip you up. So really make sure you have a full backup and roll-back plan in case things go pear shaped.

Next up in Part 4 are practices and tip for upgrading ESXi hosts, VMs, and VMFS datastores.