vHomeLab, virtualize everything! (http://vhomelab.wordpress.com/tag/vcenter-5-1-single-sign-on-high-availability/, page saved 5/6/2014)

vCenter 5.1 Single Sign On (SSO) High Availability using Load Balancer
Posted on 12/02/2013 by Wasim Shaikh

The main goal of this article is to configure the vCenter Single Sign On service in high availability using a load balancer. I will be using a virtual load balancer to demonstrate. I have also configured SSL in this article; SSL configuration is a very tricky and painful process. I have followed Derek Seaman's blog post for SSL configuration, and I suggest you read his article series too.

There are many buttons and levers to push and pull, and it has to be done with patience. To make the repeatedly performed steps easier I have put together a batch file. The batch file is not perfect at this point, but it is not destructive: if the steps are followed correctly the results will be as expected. The steps mentioned in this article worked for me, and I have gone through the process twice to make sure it works. Any corrections will be updated as they come in.

Below are the details of the lab setup which I have used.
Lab setup

Domain name: VHL.com

- VHL-DC.VHL.com: Windows 2003 R2 domain controller, IP 192.168.100.101
- VHLCA.VHL.com: Enterprise Root Certificate Authority, Windows Server 2008 R2 x64, IP 192.168.100.102
- STMLB.vhl.com: Stingray Traffic Manager (virtual appliance load balancer), IP 192.168.100.103
- SQL2K8R2.VHL.com: SQL 2008 R2 x64 on Windows Server 2008 R2 x64, IP 192.168.100.105
- SSOA.VHL.com: vCenter Single Sign On Node1, Windows Server 2008 R2 x64, IP 192.168.100.106
- SSOB.VHL.com: vCenter Single Sign On Node2, Windows Server 2008 R2 x64, IP 192.168.100.107
- VCINV.VHL.com: vCenter Inventory Service, Windows Server 2008 R2 x64, IP 192.168.100.108
- vCenter.VHL.com: vCenter Server, Windows Server 2008 R2 x64, IP 192.168.100.109
- WCA.VHL.com: vCenter Web Client, Windows Server 2008 R2 x64, IP 192.168.100.110
- SSOHA.vhl.com: Stingray Traffic Manager virtual server (the SSO VIP), IP 192.168.100.111

The article covers the following steps:

1. Configure Certificate Template for vCenter in MS Enterprise Root Certificate Authority
2. Preparing MS SQL 2008 R2 Database for Single Sign On
3. Installing Single Sign On Service on Node1 (SSOA)
4. Installing Single Sign On Service on Node2 (SSOB)
5. Configure Stingray Traffic Manager Virtual Load Balancer
6. Creating SSL Certificate and necessary associated files
7. Updating SSO SSL/KeyStore on Node1 and Node2 (SSOA and SSOB)
8. Creating SSL Certificate and Installing vCenter Inventory Service
9. Creating SSL Certificate and Installing vCenter Server
10. Creating SSL Certificate and Installing vCenter Web Client
11. Testing Single Sign On fail-over

Download batch script (updated on 02/15/2013). If you have an Enterprise CA in the same domain as your vCenter, edit the script to provide the CA name, username and password; without this information the script will fail to generate the certificate. Because the script then holds those credentials in clear text, keep it off shared locations and strip them out once the certificates are issued. If you do not have an Enterprise CA, comment out the script block that sends the request to the CA and generates the certificate.

Configure Certificate Template for vCenter in MS Enterprise Root Certificate Authority
vSphere needs certificates whose Key Usage extension includes "Allow encryption of user data" (the dataEncipherment key usage bit). By default the Web Server certificate template does not enable this key usage, so we start by creating a custom template, which we will use to issue certificates for all vCenter roles.

From Server Manager, browse to Certificate Templates and duplicate Web Server.

Select Windows Server 2003 Enterprise.

Name the template vSphereSSL; it is better to use a name without spaces.

IMPORTANT: Under the Extensions tab, edit Key Usage and select Allow encryption of user data.

Add the newly created template to the CA's Certificate Templates so that it can be issued.

SSL template configuration is complete.

Preparing MS SQL 2008 R2 Database for Single Sign On

To set up the database for SSO, we need to run the SQL scripts provided in the installation media. These scripts create the database and the users required during SSO setup. Make sure you change the database path and the user password within the scripts. Log in to SQL Management Studio with the SA account.
The scripts are located in the installation media at \Single Sign On\DBScripts\SSOServer\Schema\mssql:

- rsaIMSLiteMSSQLSetupTableSpaces.sql
- rsaIMSLiteMSSQLSetupUsers.sql

First run the SetupTableSpaces script, after changing the database path. Make sure the directory exists, otherwise the script will give an error.

Then run the SetupUsers script, changing the password before you execute it: the value you put there becomes the credential SSO uses to reach its database, so do not leave the sample password in place.

Now open SQL Server Configuration Manager, browse to Network Configuration, select TCP/IP and on its properties page check that the TCP port is set to 1433. If you have a different port, there is a high possibility that the setup wizard will fail when it tries to connect to the SQL Server instance.

This completes the SQL Server setup.

Installing Single Sign On Service on Node1 (SSOA)

Let's begin the installation. Make sure you have the .NET 3.5 feature enabled before you proceed. Start the installation wizard.
On the deployment type page, select the Create the primary node for a new vCenter SSO installation option.

On the node type page, again select Create the primary node for a new vCenter SSO installation (not the basic single-node installation), since Node2 will join this installation.

Enter the password for the admin@System-Domain user account. Make sure you remember this password for as long as you have vCenter 5.1 in your environment, and keep track of it if you change it later.

Select the Use an existing supported database option, as we will be using a dedicated SQL server for vCenter.

Enter the information for connecting to the SQL database. The database created by the script is named RSA, and the users are RSA_USER and RSA_DBA.

Check that the FQDN is correct.
Keep the default port 7444.

Setup is complete.

Update the ssolscli.jar file located at C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli with the file attached to VMware KB 2033588.

Installing Single Sign On Service on Node2 (SSOB)

Start the installation on Node2 (SSOB). Select the Join an existing vCenter SSO installation option.

Select the High Availability option. Enter the FQDN of Node1 (SSOA), port 7444, and the password of the admin@System-Domain user that you entered while installing the SSO service on Node1 (SSOA).

Install the certificate when prompted.

Check the FQDN of the server.
Keep the port at the default, 7444.

Installation completed.

Now we need to make changes to the server.xml file located at C:\Program Files\VMware\Infrastructure\SSOServer\conf. Find:

<Engine defaultHost="localhost" name="Catalina">

On Node1 change it to:

<Engine defaultHost="localhost" name="Catalina" jvmRoute="node1">

where node1 is the DNS name of Node1, i.e. SSOA. On Node2 change it to:

<Engine defaultHost="localhost" name="Catalina" jvmRoute="node2">

where node2 is the DNS name of Node2, i.e. SSOB. Tomcat reads server.xml only at startup, so restart the SSO service on each node after editing it.

Configure Stingray Traffic Manager Virtual Load Balancer

We will be using Stingray Traffic Manager (STM) as our virtual load balancer. We need to create a virtual server that the other vCenter services will point to in order to reach the SSO service. First we will create a certificate for the SSO virtual server; its FQDN will be ssoha.vhl.com.

Log in to the STMLB web page. Browse to Catalog / SSL and, under SSL Server Certificates Catalog, select Edit. Select the Certificate Signing Request option and enter the appropriate information to generate a request file.
Once the request is created, on the same page select the Export CSR option. Copy the request data and submit it to the CA to get a certificate file, selecting the vSphereSSL certificate template that we customized. Save the certificate file as Base-64 encoded. Open the saved certificate in Notepad and copy the data into the STM certificate page. We now have the certificate for the virtual server, ssoha.vhl.com.

Now we will add the Root CA certificate and CRL. Save the Root CA certificate and CRL from the CA website. Browse to Catalog / SSL and, under Certificate Authorities and Certificate Revocation Lists Catalog, select Edit. Browse to the Root CA certificate and import it.
Now add the CRL by selecting the Import Certificate or CRL option, browse to the CRL file and import it.

Now we will create a pool of nodes (SSOA and SSOB). Browse to Services / Pools. Enter a pool name, and the IP address with port for Node1 (SSOA). Next, add Node2 (SSOB) and update the settings.

Scroll down to the end of the page and edit the SSL settings for this SSOHA-Pool. Select Yes for the SSL_Encrypt option, so that the traffic manager re-encrypts connections to the nodes (which only listen on HTTPS port 7444) instead of sending SSO traffic to them in the clear.

Now we will create a virtual server for SSOHA-Pool. This creates the virtual server; we give the SSOHA virtual server an IP address by creating a Traffic IP Group. Click Traffic IP Groups to define a group, and enter a name and IP address.
Add this IP address to the DNS server as a Host (A) record for ssoha.vhl.com.

Run the SSL Decrypt setup wizard for the SSOHA virtual server, using the ssoha.vhl.com certificate created above.

Now let's create rules. Browse to Catalog / Rules. We want traffic to flow to the proper nodes, and for that we will create mapping rules. The Conditions and Actions tabs are on the right; select options from these tabs to create rules. For example:

Condition: URL Path contains /groupcheck
Action: Set URL Path /sso-adminserver

In the same way create these rules:

Rule name > URL Path contains > Set URL Path
GroupCheck > /groupcheck > /sso-adminserver
ims > /ims > /ims/STSService
Lookup > /lookupService > /lookupService
SSO-AdminServer > /sso-adminserver > /sso-adminserver/sdk (SSOA pool)

NOTE: For sso-adminserver we also need to select a pool, so create a pool that contains just a single node, the Node1 (SSOA) server IP address. The pool is created the same way as the one for Node1 and Node2. Because that pool has a single member, requests matching this rule have no fail-over target while SSOA is down.

Now apply these rules to the virtual server. Browse to Services / Virtual Servers / SSOHA / Rules and add the rules from the drop-down.
On the Home tab, click the Play button to start the SSOHA virtual server. At this point we have configured the virtual LB.

Creating SSL Certificate and necessary associated files

IMPORTANT: Install OpenSSL 32-bit on the SSOA server on the C: drive (default installation).

We will be using a batch script to automate creation of the OpenSSL config (.cfg), certificate request (rui.csr), private key (rui.key), Base-64 encoded certificate (rui.crt), PFX file (rui.pfx), root-trust.jks and server-identity.jks. I am assuming that you have an Enterprise Root CA in your Active Directory domain environment. If your CA is in a different domain, please feel free to edit the script and comment out the automatic certificate creation (I will update the script to prompt for confirmation later).

Browse to the CA web page and download the CA certificate chain: select Base-64 and Download CA Certificate Chain. Save the file as CAChain in the folder C:\Certs. Open CAChain, browse to Certificates, locate the certificate in the right pane and export it in Base-64 encoded X.509 format.
Save the file in C:\Certs and name it Root64.cer.

Now we will run CreateSSLFiles.bat to generate the necessary files. The script generates the config file based on the inputs you provide; OpenSSL uses the config file to generate the certificate request (rui.csr), and the request is submitted to the CA, which issues the SSL certificate. Select the service for which you want to generate the SSL certificate.

Enter the appropriate data. Make sure you enter it correctly: any wrong data will lead to a wrong certificate, and you will have to re-run the script and recreate it. After you enter the data, verify that it is correct and select the appropriate option to continue.

When you are prompted to create the JKS files and select 1 (Yes), the creation process will prompt you again asking whether you trust the Root CA. Type YES. JKS files are Java keystore files, which are used to update the SSO service. It is important to have the Root64.cer file in the C:\Certs location.
Once completed, check the location C:\Certs\SingleSignOn\. Make sure the rui.crt, rui.key, rui.pfx, root-trust.jks and server-identity.jks files are present. Confirm the certificate by opening rui.crt and checking that its entries (subject name, subject alternative names, key usage and issuer) match your requirements.

Updating SSO SSL/keystore on Node1 and Node2 (SSOA and SSOB)

We will start by copying the files generated in the previous step to the proper locations. Create the folder SingleSignOn\SSL under C:\ProgramData\VMware and copy root-trust.jks, server-identity.jks, rui.key, rui.crt and rui.pfx to this new directory, C:\ProgramData\VMware\SingleSignOn\SSL. Copy Root64.cer from C:\Certs to this directory as well. rui.key and rui.pfx carry the service's private key, so restrict the NTFS permissions on this folder to Administrators and the account the vCenter Single Sign On service runs as.

Create the following files under C:\Certs. NOTE: the _id files have no extension, and none of these files may end up with a .txt extension:

sts.properties
gc.properties
admin.properties
sts_id
gc_id
admin_id

The .properties files contain the properties of the SSO service endpoints, and the _id files hold the pointer (service ID) to those endpoints. Make sure that in the .properties files you have the proper URL to the virtual server, i.e. https://ssoha.vhl.com:7444, and that the location of Root64.cer is set to C:\ProgramData\VMware\SingleSignOn\SSL\Root64.cer.

The sts.properties, gc.properties and admin.properties files were shown as screenshots in the original post and are not reproduced here.
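The manual inspection of rui.crt suggested above can be done mechanically before anything is copied into ProgramData. The following PowerShell script is an added example, not part of the original post or of CreateSSLFiles.bat: it checks the key usage the vSphereSSL template was created for, the CN and SAN, the chain to Root64.cer, that rui.pfx holds the private key for the same certificate as rui.crt, and the validity window. The paths are the post's lab values; the FQDN and the PFX password are assumptions you must set to whatever you gave the batch script.

```powershell
# Added example: checks the files CreateSSLFiles.bat produced before they are copied
# into ProgramData. This script is not part of the original post or its batch script.
# Assumptions (edit for your environment): the paths used in the post, the FQDN the
# certificate was requested for, and the password the script protected rui.pfx with.
param(
    [string]$CertDir     = 'C:\Certs\SingleSignOn',
    [string]$RootCer     = 'C:\Certs\Root64.cer',
    [string]$Fqdn        = 'ssoa.vhl.com',
    [string]$PfxPassword = 'testpassword'   # assumption: whatever the batch script used for rui.pfx
)

$X509 = 'System.Security.Cryptography.X509Certificates'
$crt  = New-Object "$X509.X509Certificate2" -ArgumentList (Join-Path $CertDir 'rui.crt')
$pfx  = New-Object "$X509.X509Certificate2" -ArgumentList (Join-Path $CertDir 'rui.pfx'), $PfxPassword
$root = New-Object "$X509.X509Certificate2" -ArgumentList $RootCer

$script:failures = 0
function Check([string]$What, [bool]$Ok) {
    if ($Ok) { "[OK]   $What" } else { "[FAIL] $What"; $script:failures++ }
}

# 1. Key usage: vSphere needs dataEncipherment ("Allow encryption of user data" in the template)
#    alongside the digitalSignature and keyEncipherment bits the Web Server template already sets.
$ku   = $crt.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment, DataEncipherment'
$have = if ($ku) { $ku.KeyUsages } else { [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None }
Check "key usage includes $need (found: $have)" (($have -band $need) -eq $need)

# 2. Identity: the CN and the Subject Alternative Name must carry the FQDN clients will use
$san     = $crt.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '(no SAN extension)' }
Check "subject CN is $Fqdn (found: $($crt.Subject))" ($crt.Subject -match ('CN=' + [regex]::Escape($Fqdn) + '(,|$)'))
Check "SAN lists $Fqdn (found: $sanText)" ($sanText -match [regex]::Escape($Fqdn))

# 3. Chain: rui.crt must chain up to Root64.cer. Revocation is not consulted so the check
#    works offline; AllowUnknownCertificateAuthority lets it run on a box that does not
#    trust the root yet, which is why the top of the chain is compared explicitly.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built = $chain.Build($crt)
$top   = if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate } else { $null }
Check "chain builds and ends at $($root.Subject)" ($built -and ($top -ne $null) -and ($top.Thumbprint -eq $root.Thumbprint))

# 4. rui.pfx must hold the private key for exactly this certificate (same thumbprint)
Check "rui.pfx contains a private key" $pfx.HasPrivateKey
Check "rui.pfx matches rui.crt (thumbprint $($crt.Thumbprint))" ($pfx.Thumbprint -eq $crt.Thumbprint)

# 5. Validity window
$now = Get-Date
Check "certificate valid now ($($crt.NotBefore) to $($crt.NotAfter))" (($crt.NotBefore -le $now) -and ($crt.NotAfter -gt $now))

if ($script:failures -gt 0) { "$($script:failures) check(s) failed; correct the request or template and re-run CreateSSLFiles.bat"; exit 1 }
'All checks passed'
```

Run it once per service folder (C:\Certs\SingleSignOn, later C:\Certs\vCenter and C:\Certs\WebClient) with the matching -Fqdn. A key-usage failure means the CA issued from the wrong template; a SAN or CN failure means the data typed into the batch script was wrong, which is the case the post warns will force a re-run.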
To get the service IDs we need to run the following commands at a command prompt:

set JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
cd C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli
ssolscli listServices https://ssoa.vhl.com:7444/lookupservice/sdk

NOTE: the JAVA_HOME path must be set without quotes, and listServices is case sensitive.

You will get a list of service endpoints and their details. Refer to the type field (the entry whose type ends in :sts) to identify the STS endpoint, copy its serviceId into Notepad and save it as sts_id; do the same for the groupcheck and admin endpoints into gc_id and admin_id.

To update the SSO service endpoints, use the following command. NOTE: JAVA_HOME must be set to run this command, and updateService is case sensitive.

ssolscli updateService -d https://ssoa.vhl.com:7444/lookupservice/sdk -u admin@System-Domain -p Password_U_set-B4 -si c:\Certs\sts_id -ip c:\Certs\sts.properties

Repeat the command with gc_id/gc.properties and admin_id/admin.properties. Note that the admin@System-Domain password is passed in clear text on the command line.

While updating the gc endpoint I got the error ServiceNotResponding 2; as you can see, the error came up when it tried to connect to the STSService endpoint using the URL https://ssoha.vhl.com. DNS instantly came to my mind, as I had forgotten to create the Host (A) record for ssoha. Once it was created, I flushed the DNS cache with ipconfig /flushdns and ran the command again.
To check, run:

ssolscli listServices https://ssoha.vhl.com:7444/lookupservice/sdk

Now let us update the SSO SSL keystore. Stop the Single Sign On service. Go to the C:\Program Files\VMware\Infrastructure\SSOServer\Security directory and back up the root-trust.jks and server-identity.jks files. Copy the new root-trust.jks and server-identity.jks from C:\Certs\SingleSignOn to \SSOServer\Security.

Open a command prompt, change to C:\Program Files\VMware\Infrastructure\SSOServer\utils and run:

ssocli configure-riat -a configure-ssl --keystore-file c:\ProgramData\VMware\SingleSignOn\SSL\root-trust.jks --keystore-password testpassword

The keystore password must be the one the batch script used when it built the JKS files; testpassword is the lab value, not a recommendation.

Start the Single Sign On service. Open a browser, go to https://ssoa.vhl.com:7444/lookupservice/sdk and check the certificate in the browser.

On Node2 (SSOB), update the SSO service keystore the same way as we did for SSOA:

- Generate the SSL certificate
- Create rui.pfx
- Create root-trust.jks and server-identity.jks (the files are created by the batch script)
- Place all files, including Root64.cer, in C:\ProgramData\VMware\SingleSignOn\SSL
- Stop the Single Sign On service
- Run the ssocli command
- Start the Single Sign On service
- Check the certificate in the browser
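The service-endpoint update above (listServices, the _id files, three updateService calls, then listServices through the VIP) is where the post hit ServiceNotResponding. The PowerShell script below is an added example, not the post's own procedure or VMware's tooling; it wraps the same ssolscli commands and puts the checks first: both names must resolve, each .properties file must already reference the VIP and the Root64.cer path, and the admin password is prompted for rather than written into the script. It assumes the launcher is ssolscli.cmd in the folder the post changes into, that listServices prints one key=value per line with a serviceId= line before each type= line, that the SSO service types are urn:sso:sts, urn:sso:groupcheck and urn:sso:admin, and that the launcher passes Java's exit code through.

```powershell
# Added example: automates the ssolscli steps of this section. It is not the post's own
# procedure or VMware's tooling; it only wraps the commands the post runs. Assumptions:
# the launcher is ssolscli.cmd in the folder the post cd's into, listServices prints one
# key=value per line with a serviceId= line before each type= line, the SSO service types
# are urn:sso:sts, urn:sso:groupcheck and urn:sso:admin, and the launcher passes the Java
# exit code through (so $LASTEXITCODE is meaningful).
param(
    [string]$Node    = 'ssoa.vhl.com',   # node whose lookup service is updated (run on that node)
    [string]$Vip     = 'ssoha.vhl.com',  # load-balanced name every endpoint must now point at
    [string]$CertDir = 'C:\Certs'
)

$env:JAVA_HOME = 'C:\Program Files\VMware\Infrastructure\jre'   # no quotes in the value, as the post notes
$cliDir = 'C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli'
$cli    = Join-Path $cliDir 'ssolscli.cmd'
$lookup = "https://${Node}:7444/lookupservice/sdk"

# 1. The post's ServiceNotResponding error came from a missing A record for the VIP.
#    Resolve both names before touching anything.
foreach ($name in @($Node, $Vip)) {
    try   { $ips = [System.Net.Dns]::GetHostAddresses($name) }
    catch { throw "DNS: $name does not resolve. Create the Host (A) record, run ipconfig /flushdns, then retry." }
    "$name resolves to $(($ips | ForEach-Object { $_.IPAddressToString }) -join ', ')"
}

# 2. Prompt for the admin@System-Domain password instead of hard-coding it. ssolscli
#    still receives it as a plain command-line argument; that is a limitation of the tool.
$secure = Read-Host 'Password for admin@System-Domain' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

Push-Location $cliDir
try {
    # 3. listServices, then map each urn:sso:* type to its serviceId (parsing assumption above)
    $ids = @{}; $current = $null
    foreach ($line in (& $cli listServices $lookup 2>&1 | Out-String -Stream)) {
        if     ($line -match '^\s*serviceId=(\S+)')    { $current = $matches[1] }
        elseif ($line -match '^\s*type=(urn:sso:\S+)') { if ($current) { $ids[$matches[1]] = $current } }
    }
    if ($ids.Count -eq 0) { throw "no serviceId/type pairs found in listServices output for $lookup" }

    $services = @(
        @{ Type = 'urn:sso:sts';        IdFile = "$CertDir\sts_id";   Props = "$CertDir\sts.properties"   },
        @{ Type = 'urn:sso:groupcheck'; IdFile = "$CertDir\gc_id";    Props = "$CertDir\gc.properties"    },
        @{ Type = 'urn:sso:admin';      IdFile = "$CertDir\admin_id"; Props = "$CertDir\admin.properties" }
    )
    foreach ($s in $services) {
        if (-not $ids.ContainsKey($s.Type)) { throw "service type $($s.Type) not found in listServices output" }

        # The _id file holds the bare serviceId: WriteAllText adds neither a BOM (Out-File would)
        # nor a trailing newline (Set-Content would), either of which corrupts the id.
        [System.IO.File]::WriteAllText($s.IdFile, $ids[$s.Type])

        # 4. Refuse to register an endpoint that still points at a single node or the wrong trust anchor.
        $props = Get-Content $s.Props
        if (-not ($props -match ('https://' + [regex]::Escape($Vip) + ':7444'))) { throw "$($s.Props) does not reference https://${Vip}:7444" }
        if (-not ($props -match 'SingleSignOn[\\/]SSL[\\/]Root64\.cer')) { throw "$($s.Props) does not reference SingleSignOn\SSL\Root64.cer" }

        "updating $($s.Type) from $($s.Props)"
        & $cli updateService -d $lookup -u 'admin@System-Domain' -p $plain -si $s.IdFile -ip $s.Props
        if ($LASTEXITCODE -ne 0) { throw "updateService for $($s.Type) exited with $LASTEXITCODE" }
    }

    # 5. Verify through the VIP, as the post does: every endpoint URL should now carry the VIP name.
    & $cli listServices "https://${Vip}:7444/lookupservice/sdk"
}
finally {
    Pop-Location
    $plain = $null
}
```

Run it on Node1 after the ssolscli.jar from KB 2033588 is in place and the six files exist in C:\Certs. If the parsing assumption does not hold for your build, the script stops at step 3 with "no serviceId/type pairs found" rather than writing empty _id files.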
Creating SSL Certificate and Installing vCenter Inventory Service

We will start this section by creating the SSL certificates. Install OpenSSL-Win32, create a folder Certs on C:\ and copy Root64.cer to this location. Run CreateSSLFiles.bat from a command prompt. As .jks files are not required for the Inventory Service, the script will not generate them. All necessary files will be created.

Copy rui.crt, rui.key and rui.pfx to C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl. NOTE: the directory structure will not be present yet; create all necessary directories.

Now let us start the installation of the Inventory Service. When prompted for the Lookup Service URL, enter the virtual server URL:

https://ssoha.vhl.com:7444/lookupservice/sdk

You can check the logs on the LB to see whether the communication is going as expected; you will have to enable logging under System / Global Settings.

Installation is complete.
Check that the certificate has been installed properly: in a browser, go to https://vcinv.vhl.com:10443

Creating SSL Certificate and Installing vCenter Server

Start the process by installing OpenSSL-Win32. Create the Certs folder on C:\ and copy the Root64.cer file to it. Run the script CreateSSLFiles.bat; the files will be saved in the C:\Certs\vCenter folder. Copy rui.crt, rui.pfx and rui.key to C:\ProgramData\VMware\VMware VirtualCenter\ssl, and copy the Root64.cer file as well.

Prepare SQL Database for vCenter

Prepare the MS SQL database by running the script provided in the installation media. Customize the script to change the username and password, and set the location of the database. Make sure you create the database directory first, then run the script.

Create an ODBC System DSN connection to the database that was created. vCenter uses the SQL Server Native Client, so make sure you download and install it first.

Start the vCenter Server installation. Select the ODBC connection that we created.
Enter the username and password for the ODBC connection.

We are installing the first vCenter server, so we will select the option to create a standalone server instance.

Enter the Virtual Server URL when asked for the Lookup Service URL.

Enter the user account which will be assigned administrator permissions to access the vCenter instance. You can also add a group (groupname@domain.com) and select the option "The administrator is a user group".

Enter the URL for the Inventory Service, i.e. https://vcinv.vhl.com:10443

Check the logs of the LB to see that communication is happening as expected.

Once the installation is complete you can check the status of the SSL certificate by browsing to https://vcenter.vhl.com:8443

This completes the installation of vCenter Server.
Creating SSL Certificate and Installing vCenter Web Client

Start the process by installing OpenSSL-Win32. Create the Certs folder on C:\ and copy the Root64.cer file to it.

Run the script CreateSSLFiles.bat. The files will be saved in the C:\Certs\WebClient folder. Copy rui.crt, rui.pfx and rui.key to C:\ProgramData\VMware\vSphere Web Client\ssl and copy the Root64.cer file as well.

Start the installation.

Once the installation is complete, browse to https://wca.vhl.com:9443

Testing Single Sign On fail-over

To test what will happen in case the primary node, Node1 (SSOA), goes down, I have disabled the network on the SSOA server.

The Load Balancer is showing all RED.

Let's try to log in, and the login goes through.
Let's check the logs. The request for SSOA /sso-adminserver is not going through. This is because the admin service is available only on the primary node.

Let us try to log in using the Admin@System-Domain account. So you are not able to manage SSO, and again that's because the Admin service is located on the Primary Node.

I will update the article with more useful information, if any, after performing some more tests.
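The browser checks after each install and the fail-over probe above can be scripted. As an added example that is not part of the original post, this Python script connects to each lab endpoint over TLS, verifies the chain against Root64.cer and the hostname in the certificate, then issues one GET so the /sso-adminserver path can be probed after a node goes down. The hostnames and ports are the ones used in the article; Root64.cer is assumed to be the Base-64 (PEM) export and to live in C:\Certs.

```python
import http.client
import ssl
import time

# Endpoints from the article's lab (constructed list; edit for your own names).
# The SSO VIP is probed twice: the lookup service, and the admin service that
# the fail-over test found reachable only while the primary node is up.
LAB_ENDPOINTS = [
    ("ssoha.vhl.com", 7444, "/lookupservice/sdk"),
    ("ssoha.vhl.com", 7444, "/sso-adminserver/"),
    ("vcinv.vhl.com", 10443, "/"),      # Inventory Service
    ("vcenter.vhl.com", 8443, "/"),     # vCenter Server
    ("wca.vhl.com", 9443, "/"),         # vSphere Web Client
]


def check_endpoint(host, port, path="/", cafile=None, timeout=5.0):
    """Open a TLS connection, verify the chain (against cafile, or the system
    store when None) and the hostname, issue one GET and return a result dict.
    Network and certificate failures are reported in the dict, not raised;
    a missing cafile is a caller error and does raise."""
    result = {"host": host, "port": port, "path": path, "ok": False}
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        cert = conn.sock.getpeercert()          # populated only after verification
        subject = dict(rdn[0] for rdn in cert["subject"])
        issuer = dict(rdn[0] for rdn in cert["issuer"])
        days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
        result.update(ok=True, status=resp.status,
                      common_name=subject.get("commonName"),
                      issuer=issuer.get("commonName"),
                      days_until_expiry=round(days_left, 1))
    except ssl.SSLCertVerificationError as exc:   # wrong CA, wrong CN/SAN, expired
        result["error"] = "certificate verification failed: " + exc.verify_message
    except (OSError, http.client.HTTPException) as exc:  # refused, timeout, node down
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()
    return result


def run_checks(endpoints=LAB_ENDPOINTS, cafile=r"C:\Certs\Root64.cer"):
    """Check every endpoint and return the list of result dicts."""
    return [check_endpoint(h, p, path, cafile) for h, p, path in endpoints]


if __name__ == "__main__":
    for r in run_checks():
        print("OK  " if r["ok"] else "FAIL", f"https://{r['host']}:{r['port']}{r['path']}",
              r.get("error") or f"CN={r['common_name']} status={r['status']}")
```

Run it once after each install and again with the primary SSO node offline: the lookup service row should stay OK while the /sso-adminserver row reports an error, matching what the LB logs show.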