
5/6/2014 vCenter 5.1 Single Sign On High Availability | vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/
vCenter 5.1 Single Sign On (SSO) High Availability using Load Balancer
Posted on 12/02/2013 by Wasim Shaikh
The main goal of this article is to configure the vCenter Single Sign On service for High Availability using a Load Balancer. I will be using a virtual Load Balancer to demonstrate.
I have also configured SSL in this article; SSL configuration is a very tricky and painful process. I have followed Derek Seaman's blog post series for the SSL configuration, and I suggest you read his articles too.
There are many buttons and levers to push and pull, which has to be done with patience.
To make the repeatedly performed steps easier I have customized a batch file. The batch file is not perfect at this point. The batch script is not destructive; if the steps are done correctly the results will be as expected.
The steps mentioned in this article worked for me, and I have gone through the process twice to make sure it works.
Any corrections will be posted as updates.
Below are the details of the lab setup I have used.
Domain Name: VHL.com
- Domain Controller: VHL-DC.VHL.com, Windows 2003 R2, IP: 192.168.100.101
- SQL 2008 R2 x64: SQL2K8R2.VHL.com, Windows Server 2008 R2 x64, IP: 192.168.100.105
- Enterprise Root Certificate Authority: VHLCA.VHL.com, Windows Server 2008 R2 x64, IP: 192.168.100.102
- Stingray Traffic Manager (virtual appliance Load Balancer): STMLB.vhl.com, IP: 192.168.100.103
- vCenter Single Sign On (Node1): SSOA.VHL.com, Windows Server 2008 R2 x64, IP: 192.168.100.106
- vCenter Single Sign On (Node2): SSOB.VHL.com, Windows Server 2008 R2 x64, IP: 192.168.100.107
- vCenter Inventory Service: VCINV.VHL.com, Windows Server 2008 R2 x64, IP: 192.168.100.108
- vCenter Server: vCenter.VHL.com, Windows Server 2008 R2 x64, IP: 192.168.100.109
- vCenter Web Client: WCA.VHL.com, Windows Server 2008 R2 x64, IP: 192.168.100.110
- Stingray Traffic Manager Virtual Server: SSOHA.vhl.com, IP: 192.168.100.111
1. Configure Certificate Template for vCenter in MS Enterprise Root Certificate Authority
2. Preparing MS SQL2008-R2 Database for Single Sign On
3. Installing Single Sign On Service on Node1 (SSOA)
4. Installing Single Sign On Service on Node2 (SSOB)
5. Configure Stingray Traffic Manager Virtual Load Balancer
6. Creating SSL Certificate and necessary associated files
7. Updating SSO SSL/KeyStore on Node1 and Node2 (SSOA and SSOB)
8. Creating SSL Certificate and Installing vCenter Inventory Service
9. Creating SSL Certificate and Installing vCenter Server
10. Creating SSL Certificate and Installing vCenter Web Client
11. Testing Single Sign On fail-over
Download batch script (Updated on 02/15/2013)
If you have an Enterprise CA in the same domain as your vCenter, edit the script to provide the CA name, username and password.
Without this information the script will fail to generate the certificate.
If you don't have an Enterprise CA, comment out the script block that sends the request to the CA and generates the certificate.
Configure Certificate Template for vCenter in MS Enterprise Root Certificate Authority
vSphere needs certificates in which the Key Usage extension includes Allow encryption of user data (the data encipherment key usage).
By default the Web Server certificate template does not have this option enabled in the Key Usage extension, so we will start by creating a custom template, which we will use to issue certificates for all vCenter roles.
From Server Manager, browse to Certificate Templates and duplicate the Web Server template.
Select Windows Server 2003 Enterprise as the template version.
Name the template vSphereSSL; it is better to use a name without spaces.
IMPORTANT: Under the Extensions tab, edit Key Usage and select Allow encryption of user data.
Add the newly created template to the CA's Certificate Templates so that it can be issued.
SSL Template configuration is complete.
Preparing MS SQL 2008 R2 Database for Single Sign On.
To set up the database for SSO, we need to run the SQL scripts provided in the installation media.
These scripts create the database and the users required during the setup of SSO.
Make sure you change the database path and the user passwords within the scripts.
Log in to SQL Management Studio with the SA account.
The scripts are located in the installation media at \Single Sign On\DBScripts\SSOServer\Schema\mssql
- rsaIMSLiteMSSQLSetupTableSpaces.sql
- rsaIMSLiteMSSQLSetupUsers.sql
First run the SetupTableSpaces script, changing the database path.
Make sure the directory exists, else the script will give an error.
Then run the SetupUsers script, changing the password before you execute it.
Now open SQL Server Configuration Manager, browse to Network Configuration, select TCP/IP and under the properties page check that the TCP Port is set to 1433.
If you have a different port, there is a high chance that you will face an error when the setup wizard tries to connect to the SQL Server instance.
This completes the SQL Server setup.
Installing Single Sign On Service on Node1 (SSOA)
Let's begin the installation.
Make sure you have the .NET 3.5 feature enabled before you proceed.
Start the installation wizard.
Select the Create the Primary Node for a new vCenter SSO installation option.
Select the Create Primary Node for a new vCenter SSO installation option.
Enter the password for the admin@System-Domain user account.
Make sure you remember this password for as long as you have vCenter 5.1 in your environment, and keep track of it even if you change it at some later time.
Select the Use an existing supported database option, as we will be using a dedicated SQL server for vCenter.
Enter the information for connecting to the SQL database.
The database name created by the script is RSA.
The users are RSA_USER and RSA_DBA.
Check that the FQDN is correct.
Keep the default port 7444.
Setup is complete.
Update the ssolscli.jar file located at C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli with the file attached to VMware KB 2033588.
Installing Single Sign On Service on Node2 (SSOB)
Start the installation on Node2 (SSOB).
Select the Join existing vCenter SSO installation option.
Select the High Availability option.
Enter the FQDN of SSOA (Node1).
The port will be 7444.
Enter the password of the admin@System-Domain user that you set while installing the SSO service on Node1 (SSOA).
Install the certificate.
Check the FQDN of the server.
Keep the port at its default, i.e. 7444.
Installation completed.
Now we need to make changes to the server.xml file located at C:\Program Files\VMware\Infrastructure\SSOServer\Conf
Find: <Engine defaultHost="localhost" name="Catalina">
On Node1 change it to: <Engine defaultHost="localhost" name="Catalina" jvmRoute="node1">
where node1 is the DNS name of Node1, i.e. SSOA.
On Node2 change it to: <Engine defaultHost="localhost" name="Catalina" jvmRoute="node2">
where node2 is the DNS name of Node2, i.e. SSOB.
Tomcat appends the jvmRoute value to the session IDs it issues, which is how the load balancer can tell which node created a session.
Configure Stingray Traffic Manager Virtual Load Balancer
We will be using Stingray Traffic Manager (STM) as our virtual Load Balancer.
We need to create a Virtual Server which the other vCenter services will point to in order to access the SSO service.
First we will create a certificate for the SSO Virtual Server.
The FQDN of the SSO Virtual Server will be ssoha.vhl.com.
Log in to the STMLB web page.
Browse to Catalog / SSL and under SSL Server Certificates Catalog select Edit.
Select the Certificate Signing Request option.
Enter the appropriate information to generate a request file.
Once the request is created, on the same page select the Export CSR option.
Copy the request data and submit it to the CA to get a certificate file.
Select the Certificate Template vSphereSSL which we customized.
Save the certificate file as Base-64 encoded.
Open the saved certificate in Notepad and copy the data.
Now we have the certificate for the Virtual Server, i.e. ssoha.vhl.com.
Now we will add the Root CA certificate and CRL.
Save the Root CA certificate and CRL from the CA website.
Browse to Catalog / SSL and under the Certificate Authorities and Certificate Revocation catalog select Edit.
Browse to the Root CA certificate.
Now add the CRL by selecting the Import Certificate or CRL option.
Browse to the CRL file and import it.
Now we will create a Pool of nodes (SSOA and SSOB).
Browse to Services / Pools.
Enter a Pool name, and the IP address with port for Node1 SSOA.
Next, add Node2 SSOB and update the settings.
Scroll down to the end of the page and edit the SSL Settings for this SSOHA-Pool.
Select Yes for the SSL_Encrypt option, so that traffic from the load balancer to the nodes is encrypted again rather than sent in clear text.
Now we will create a Virtual Server for SSOHA-Pool.
This has created a Virtual Server. We will give an IP address to the SSOHA Virtual Server by creating a Traffic IP Group.
Click on Traffic IP Groups to define a group.
Enter a name and IP address. Add this IP address to the DNS server for ssoha.vhl.com.
Run the SSL Decrypt Setup Wizard.
Now, let's create Rules.
Browse to Catalog / Rules.
We want traffic to flow to the proper nodes; for that we will create mapping rules.
We have Conditions and Actions tabs on the right. Select options from these tabs to create the rules.
E.g.,
Condition: URL Path Contains /groupcheck
Action: Set URL Path /sso-adminserver
In a similar way create these rules:
RuleName > URL Path Contains > Set URL Path
GroupCheck > /groupcheck > /sso-adminserver
ims > /ims > /ims/STSService
Lookup > /lookupService > /lookupService
SSO-AdminServer > /sso-adminserver > /sso-adminserver/sdk (SSOA Pool)
NOTE: For sso-adminserver we need to select a pool as well, so create a pool which contains just a single node, i.e. the Node1 SSOA server IP address. (The pool can be created the same way as we created the one for Node1 and Node2.)
Now apply these rules to the Virtual Server.
Browse to Services / Virtual Server / SSOHA / Rules and add the rules from the drop-down.
On the Home tab, click the Play button to start the SSOHA Virtual Server.
At this point we have configured the virtual LB.
Creating SSL Certificate and necessary associated files
IMPORTANT: Install OpenSSL 32-bit on the SSOA server on the C: drive (default installation).
We will be using a batch script to automate creation of the OpenSSL config (.cfg), certificate request (rui.csr), private key (rui.key), Base-64 encoded certificate (rui.crt), PFX file (rui.pfx), root-trust.jks and server-identity.jks.
I am assuming that you have an Enterprise Root CA in your Active Directory domain environment.
If you have a CA in a different domain, please feel free to edit the script and comment out the process of creating the certificate automatically. (I will update the script to prompt for confirmation later.)
Browse to the CA web page.
Download CA Certificate, Certificate Chain.
Select Base-64 and Download CA Certificate Chain.
Save the file as CAChain in the folder C:\Certs.
Open CAChain and browse to Certificates, locate the certificate in the right pane and export it.
Export in Base-64 encoded X.509 format.
Save the file at C:\Certs and name it Root64.cer.
Now we will run the CreateSSLFiles.bat file to generate the necessary files.
The script will generate the config file based on the inputs you provide.
The config file is used by OpenSSL to generate the certificate request file (rui.csr).
The certificate request file (rui.csr) is submitted to the CA to obtain the SSL certificate.
Select the service for which you want to generate the SSL certificate.
Enter the appropriate data.
Make sure you enter the data correctly; any wrong data will lead to a wrong SSL certificate and you will have to re-run the script and re-create it.
After you enter the data, verify that it is correct and select the appropriate option to continue.
When you are prompted to create JKS files and you select 1 (Yes), you will be prompted again by the creation process whether you trust the Root CA. Type YES.
JKS files are Java keystore files, which are used to update the SSO service.
It is important to have the Root64.cer file in the C:\Certs location.
Once completed, check the location C:\Certs\SingleSignOn\
Make sure the rui.crt, rui.key, rui.pfx, root-trust.jks and server-identity.jks files are present.
Confirm the certificate by opening the rui.crt file and checking that the entries reflect your requirements.
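The post does not reproduce CreateSSLFiles.bat itself. The following is an added example, not the post's batch script, that carries out the same pipeline in a POSIX shell with OpenSSL and the JDK keytool: write the OpenSSL request config with the Key Usage the vSphereSSL template is meant to issue, create rui.key and rui.csr, and, once the CA has returned rui.crt, build rui.pfx, root-trust.jks and server-identity.jks; a last function reads back what a node serves on port 7444. The lab names (ssoa.vhl.com, Root64.cer, the testpassword keystore password) come from the post; the subject fields, the working directory and the served-certificate check are assumptions.

```shell
#!/bin/sh
# Added example, not the post's CreateSSLFiles.bat: the equivalent OpenSSL/keytool
# pipeline in a POSIX shell. Lab names (ssoa.vhl.com, Root64.cer, password
# "testpassword") are the post's; the subject fields are constructed placeholders.
set -eu

# Working directory; the post uses C:\Certs\SingleSignOn on the SSOA node (assumed here).
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/Certs/SingleSignOn}"
STOREPASS="${STOREPASS:-testpassword}"

# 1. OpenSSL request config. keyUsage must include dataEncipherment ("Allow
#    encryption of user data" in the vSphereSSL template); the SAN lists the
#    short name, the FQDN and the IP of the node the certificate is for.
write_openssl_cfg() { # $1 = output file, $2 = short host, $3 = FQDN, $4 = IP
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2, DNS:$3, IP:$4

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = ExampleState
localityName = ExampleCity
0.organizationName = VHL
organizationalUnitName = vCenterSSO
commonName = $3
EOF
}

# Check that the config asks for the key usage vSphere 5.1 needs (no OpenSSL required).
cfg_has_data_encipherment() { # $1 = config file
  grep -Eq '^keyUsage *=.*dataEncipherment' "$1"
}

# 2. Private key + CSR (rui.key, rui.csr). rui.csr is what you paste into the CA
#    web enrolment page, selecting the vSphereSSL template; save the Base-64 reply
#    as rui.crt in the same directory.
make_key_and_csr() { # $1 = config file, $2 = output dir
  openssl req -new -nodes -config "$1" -keyout "$2/rui.key" -out "$2/rui.csr" 2>/dev/null
}

# Check that the generated CSR really requests the Data Encipherment bit.
csr_requests_data_encipherment() { # $1 = rui.csr
  openssl req -in "$1" -noout -text | grep -q 'Data Encipherment'
}

# 3. PKCS#12 bundle (rui.pfx) from the issued certificate, its key and the Base-64 root.
make_pfx() { # $1 = dir holding rui.crt, rui.key, Root64.cer
  openssl pkcs12 -export -name rui -in "$1/rui.crt" -inkey "$1/rui.key" \
    -certfile "$1/Root64.cer" -passout "pass:$STOREPASS" -out "$1/rui.pfx"
}

# 4. Java keystores consumed by ssocli: root-trust.jks holds the trusted root
#    (-noprompt answers the "trust this certificate?" question the post mentions),
#    server-identity.jks holds the node's own key and certificate imported from rui.pfx.
make_jks() { # $1 = dir holding rui.pfx and Root64.cer
  keytool -importcert -noprompt -trustcacerts -alias root -file "$1/Root64.cer" \
    -keystore "$1/root-trust.jks" -storepass "$STOREPASS"
  keytool -importkeystore -noprompt -srckeystore "$1/rui.pfx" -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -destkeystore "$1/server-identity.jks" \
    -deststoretype JKS -deststorepass "$STOREPASS"
}

# 5. After ssocli configure-riat and a service restart: read back what the node
#    actually serves on 7444 (subject, SAN, key usage), the check the post does by
#    opening https://ssoa.vhl.com:7444/lookupservice/sdk in a browser.
show_served_cert() { # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -ext subjectAltName,keyUsage
}

mkdir -p "$WORKDIR"
write_openssl_cfg "$WORKDIR/openssl.cfg" ssoa ssoa.vhl.com 192.168.100.106
if command -v openssl >/dev/null 2>&1; then
  make_key_and_csr "$WORKDIR/openssl.cfg" "$WORKDIR"
  # Once the CA has issued rui.crt into $WORKDIR, continue with:
  #   make_pfx "$WORKDIR" && make_jks "$WORKDIR"
fi
```

Run it once per node with the node's own short name, FQDN and IP; the JKS files and rui.pfx must be built with the same password you later pass to ssocli as --keystore-password.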
Updating SSO SSL/keystore on Node1 and Node2 (SSOA and SSOB)
We will start by copying the files generated in the previous step to the proper locations.
Create a folder SingleSignOn\SSL under C:\ProgramData\VMware.
Copy root-trust.jks, server-identity.jks, rui.key, rui.crt and rui.pfx to this new directory, C:\ProgramData\VMware\SingleSignOn\SSL.
Copy Root64.cer from the C:\Certs folder to this new directory as well.
Create the following files under C:\Certs.
NOTE: these files have NO file extension (not .txt).
sts.properties
gc.properties
admin.properties
sts_id
gc_id
admin_id
The .properties files contain the properties of the SSO service endpoints, and the _id files hold the pointer (ServiceID) to these endpoints.
Make sure that in the .properties files you have the proper URL of the Virtual Server, i.e. https://ssoha.vhl.com:7444, and that the location of Root64.cer is set to C:\ProgramData\VMware\SingleSignOn\SSL\Root64.cer
sts.properties file.
gc.properties file.
admin.properties file.
To get the Service IDs we need to run the following commands at a command prompt.
SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
CD C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli
ssolscli listServices https://ssoa.vhl.com:7444/lookupservice/sdk
NOTE: the JAVA_HOME path should be without quotes.
listServices is case sensitive.
You will get a list of service endpoints and their details.
Refer to the type value of each entry (the one whose type ends in sts is the STS endpoint) to identify the endpoint, copy its ServiceID into Notepad and save it as the matching _id file.
To update the SSO service endpoints, use the following command.
NOTE: to run this command JAVA_HOME should be set.
updateService is case sensitive.
ssolscli updateService -d https://ssoa.vhl.com:7444/lookupservice/sdk -u admin@System-Domain -p Password_U_set-B4 -si c:\Certs\sts_id -ip c:\Certs\sts.properties
Run the same command with gc_id/gc.properties and admin_id/admin.properties for the other two endpoints.
While updating the gc endpoint I got the error ServiceNotResponding 2.
As you can see, the error came up when it was trying to connect to the STSService endpoint using the URL https://ssoha.vhl.com
Instantly DNS came to my mind, as I had forgotten to create the Host (A) record for ssoha.
Once created, flush the DNS cache using ipconfig /flushdns and run the command again.
To check, run
ssolscli listServices https://ssoha.vhl.com:7444/lookupservice/sdk
Now let us update the SSO SSL/keystore.
Stop the Single Sign On service.
Go to the C:\Program Files\VMware\Infrastructure\SSOServer\Security directory and back up the root-trust.jks and server-identity.jks files.
Copy the new root-trust.jks and server-identity.jks from C:\Certs\SingleSignOn to \SSOServer\Security.
Open a command prompt and change directory to C:\Program Files\VMware\Infrastructure\SSOServer\utils
Run: ssocli configure-riat -a configure-ssl --keystore-file c:\ProgramData\VMware\SingleSignOn\SSL\root-trust.jks --keystore-password testpassword
Start the Single Sign On service.
Open a browser, go to the URL https://ssoa.vhl.com:7444/lookupservice/sdk and check the certificate in the browser.
Update the SSO service keystore on Node2 (SSOB) the same way as we did for SSOA:
- Generate the SSL certificate
- Create rui.pfx
- Create root-trust.jks and server-identity.jks
(these files will be created by the batch script)
- Place all files including Root64.cer in C:\ProgramData\VMware\SingleSignOn\SSL
- Stop the Single Sign On service
- Run the ssocli command
- Start the Single Sign On service
- Check the certificate in the browser.
Creating SSL Certificate and Installing vCenter Inventory Service
We will start this section by creating SSL Certificates.
Install OpenSSL-Win32, Create a folder Certs on C:\ and copy Root64.cer to this location.
Run CreateSSLFiles.bat file from command prompt.
As .JKS files are not required for Inventory service, the script will not generate them.
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 83/115
All necessary files will be created.
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 84/115
Copy rui.crt, rui.key, rui.pfx to c:\ProgramData\VMWare\Infrastructure\Inventory Service\ssl
NOTE: The directory structure will be present, create all necessary directories.
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 85/115
Now let us start installation of Inventory Service.
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 86/115
When prompted for Lookup Service URL enter Virtual Server URL
https://ssoha.vhl.com:7444/lookupservice/sdk
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 87/115
You can check the logs on LB to see if the communication is going as expected.
You will have to enable logging under System / Global Settings
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 88/115
Installation is complete.
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 89/115
Check if Certificate has installed properly.
Go to browser and browse https://vcinv.vhl.com:10443
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 90/115
Creating SSL Certificate and Installing vCenter Server
Start the process by installing OpenSSL-Win32
Create Certs folder on C:\ and copy Root64.cer file to it.
5/6/2014 vCenter 5.1 Single Sign On High Availability| vHomeLab
http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/ 91/115
Run the script CreateSSLFiles.bat
The files will be saved in C:\Certs\vCenter folder.
Copy rui.crt, rui.pfx and rui.key to C:\ProgramData\Vmware\VMware VirtualCenter\ssl
Copy Root64.cer file as well.
Prepare SQL Database for vCenter
Prepare the MSSQL database by running the script provided in the installation media.
Customize the script to change the username and password, and to set the location of the database.
Make sure you create the database directory first, then run the script.
Create an ODBC System DSN connection to the database that was created.
vCenter uses the SQL Server Native Client; make sure you download and install it first.
Start the vCenter Server Installation.
Select the ODBC connection that we created.
Enter the username and password for the ODBC connection.
We are installing the first vCenter server, so select the option to create a standalone server instance.
Enter the Virtual Server URL when asked for the Lookup Service URL.
Enter the user account which will be assigned administrator permissions to access the vCenter instance.
You can also add a group (groupname@domain.com) and select the option "The administrator is a user group".
Enter the URL for the Inventory Service, i.e. https://vcinv.vhl.com:10443
Check the logs of the LB to see that communication is happening as expected.
Once the installation is complete, you can check the status of the SSL certificate by browsing to
https://vcenter.vhl.com:8443
This completes the installation of vCenter Server.
Creating SSL Certificate and Installing vCenter Web Client
Start the process by installing OpenSSL-Win32.
Create a Certs folder on C:\ and copy the Root64.cer file into it.
Run the script CreateSSLFiles.bat.
The files will be saved in the C:\Certs\WebClient folder.
Copy rui.crt, rui.pfx and rui.key to C:\ProgramData\Vmware\vSphere Web Client\ssl
Copy the Root64.cer file as well.
Start the installation.
Once the installation is complete, browse to https://wca.vhl.com:9443
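The certificate checks done in the browser above (the Inventory Service on 10443, vCenter Server on 8443, the Web Client on 9443 and the SSO virtual server on 7444) can be scripted so that every endpoint is verified against Root64.cer in one pass. The following is an added example, not the article's or VMware's code. It assumes Python 3 with only the standard library, that Root64.cer is the PEM (Base64) encoded root certificate that signed the rui.crt files, and that the root lives at C:\Certs\Root64.cer; the hostnames and ports are the article's own lab endpoints. The hostname, expiry and expiring-soon checks are kept in a separate function so they can be exercised offline against a constructed certificate dict without a live host.

```python
"""Verify the SSL certificates presented by the vSphere endpoints behind the LB.

Added example (not the article's or VMware's code). Assumes Python 3 with the
standard library only, and that Root64.cer is the PEM (Base64) root that signed
the rui.crt files. Hostnames and ports are the article's own lab endpoints.
"""
import os
import socket
import ssl
import time

# Endpoints that the article checks one by one in a browser.
ENDPOINTS = [
    ("ssoha.vhl.com", 7444),    # SSO virtual server on the load balancer
    ("vcinv.vhl.com", 10443),   # Inventory Service
    ("vcenter.vhl.com", 8443),  # vCenter Server
    ("wca.vhl.com", 9443),      # vSphere Web Client
]
CA_FILE = r"C:\Certs\Root64.cer"  # assumption: PEM-encoded root CA from the article

# Constructed sample in the shape returned by SSLSocket.getpeercert(). It is not
# a real certificate from the lab; it exists only for the offline self-check.
SAMPLE_CERT = {
    "subject": ((("commonName", "vcinv.vhl.com"),),),
    "subjectAltName": (("DNS", "vcinv.vhl.com"), ("DNS", "vcinv")),
    "notBefore": "Feb  1 00:00:00 2013 GMT",
    "notAfter": "Feb  1 00:00:00 2018 GMT",
}


def dns_name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (no partial wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def evaluate_cert(cert, hostname, now=None, warn_days=30):
    """Check a getpeercert()-style dict against hostname and the current time.

    Returns a list of problems; an empty list means the certificate is acceptable.
    """
    now = time.time() if now is None else now
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        if not any(dns_name_matches(san, hostname) for san in sans):
            problems.append("no subjectAltName matches %s (got %s)" % (hostname, ", ".join(sans)))
    else:
        # Fall back to the CN only when there is no SAN at all (browsers no longer do).
        cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
        if not any(dns_name_matches(cn, hostname) for cn in cns):
            problems.append("no SAN and CN %s does not match %s" % (cns, hostname))
    not_after = cert.get("notAfter")
    if not_after is None:
        problems.append("certificate has no notAfter")
    elif ssl.cert_time_to_seconds(not_after) < now:
        problems.append("certificate expired on %s" % not_after)
    elif ssl.cert_time_to_seconds(not_after) < now + warn_days * 86400:
        problems.append("certificate expires within %d days (%s)" % (warn_days, not_after))
    not_before = cert.get("notBefore")
    if not_before and ssl.cert_time_to_seconds(not_before) > now:
        problems.append("certificate not valid before %s" % not_before)
    return problems


def fetch_cert(host, port, cafile, timeout=5.0):
    """TLS handshake to host:port with chain verification against cafile.

    Returns (cert_dict, None) on success or (None, error_text) on failure. A
    certificate that does not chain to the root fails here, before any check.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return None, str(exc)


def check_endpoints(endpoints, cafile):
    """Map (host, port) -> list of problems for every endpoint."""
    results = {}
    for host, port in endpoints:
        cert, err = fetch_cert(host, port, cafile)
        results[(host, port)] = ["handshake failed: " + err] if cert is None else evaluate_cert(cert, host)
    return results


def self_check():
    """Offline check of the evaluator against the constructed sample (as of 2013-06-01 UTC)."""
    epoch_2013_06_01 = 1370044800
    return {
        "right_host": evaluate_cert(SAMPLE_CERT, "vcinv.vhl.com", now=epoch_2013_06_01),
        "wrong_host": evaluate_cert(SAMPLE_CERT, "vcenter.vhl.com", now=epoch_2013_06_01),
    }


if __name__ == "__main__":
    print("self-check:", self_check())
    if os.path.exists(CA_FILE):
        for (host, port), problems in check_endpoints(ENDPOINTS, CA_FILE).items():
            print("%s:%d %s" % (host, port, "OK" if not problems else "FAIL: " + "; ".join(problems)))
```

Run it from a machine that trusts only Root64.cer for this purpose: a handshake failure means the chain presented by that service does not terminate at the root, which is what the browser padlock check surfaces manually. The default context already refuses a name mismatch during the handshake, so the evaluator's value on a live run is mainly the early warning on certificates about to expire across all four endpoints.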
Testing Single Sign On fail-over
To test what will happen in case the primary node Node1 (SSOA) goes down, I have disabled the network
on the SSOA server.
The Load Balancer is showing all RED.
Let's try to log in.
And the login goes through.
Let's check the logs.
The request for SSOA /sso-adminserver is not going through.
This is because the admin service is available only on the primary node.
Let us try to log in using the Admin@system-Domain account.
So you are not able to manage SSO, and again that's because the Admin service is located on the primary node.
I will update the article with more useful information if any after performing some more tests.
Posted in vmware, vSphere | Tagged vCenter 5.1 Single Sign On High Availability, vCenter 5.1 SSO HA, vCenter
Single Sign On using Load Balancer | 4 Comments