UPDATE 2/17/2013: Added Part 15, replacing ESXi host SSL certificate. I also updated the Microsoft CA template creation instructions found here.
UPDATE 2/15/2013: Updated SQL service pack/patch level information, that may address SQL SSL problems that users are still reporting. Basically you need SQL 2008 R2 SP1 CU6 or later. I've updated the post below as well. You can find the MS KB here.
UPDATE 1/30/2013: Updated the JDBC instructions with a possible workaround for SSO/Inventory service install problems when trying to use SQL SSL. Double back-slash the path!
UPDATE 1/29/2013: I've now completed the refresh on all 15 blog posts. I was able to finally build a vCenter 5.1.0b system without undocumented script hacking or running into bizarre errors. Hopefully the revised blogs can help out others with a smoother, if not quicker, install. It's still way harder than it should be, though.
UPDATE 1/27/2013: Now that I'm back from vacation, I'm going to revise the vCenter 5.1 install series to cover 5.1.0b, plus reader feedback, and updates to VMware KB articles. I will also do a little clean up as well, to hopefully make things even easier for people.
UPDATE 12/20/2012: VMware has released vCenter 5.1.0b, which addresses yet more installation bugs. I would advise skipping 5.1.0a, and go straight to 5.1.0b. You can find the 5.1.0b release notes here. I currently do not have time to update all the posts with 5.1.0b information.
UPDATE 10/25/12: VMware has released vCenter 5.1.0A, which addresses many major installation bugs/issues. You can find out more details by reading my article here. I would strongly urge you to use 5.1.0A, and NOT the GA release. You may save yourself some major headaches. I'm in the process of updating each blog post as appropriate to reflect any changes needed for the 5.1.0A release.
---
This is the first post in a series of blog articles about configuring vSphere 5.1.0b. Links to the other parts are below:
VMware vCenter 5.1 Installation: Part 2 (Create vCenter SSL Certificate)
VMware vCenter 5.1 Installation: Part 3 (Install SSO Service SSL Certificate)
VMware vCenter 5.1 Installation: Part 4 (Install Inventory Service)
VMware vCenter 5.1 Installation: Part 5 (Install Inventory Service SSL Certificate)
VMware vCenter 5.1 Installation: Part 6 (Create vCenter and VUM Databases)
VMware vCenter 5.1 Installation: Part 7 (Install vCenter Server)
VMware vCenter 5.1 Installation: Part 8 (Install Web Client)
VMware vCenter 5.1 Installation: Part 9 (Optional SSO Configuration)
VMware vCenter 5.1 Installation: Part 10 (Create VUM DSN)
VMware vCenter 5.1 Installation: Part 11 (Install VUM)
VMware vCenter 5.1 Installation: Part 12 (VUM SSL Configuration)
VMware vCenter 5.1 Installation: Part 13 (VUM Configuration)
VMware vCenter 5.1 Installation: Part 14 (Web Client and Log Browser SSL)
VMware vCenter 5.1 Installation: Part 15 (ESXi Host SSL Certificate)
Related Posts:
VMware vCenter 5.1 Installation: SSL Certificate Pre-Staging Script
Create VMware Microsoft CA certificate template
VMware vSphere 5.1.0b was released on December 20th 2012, while the 5.1 GA version was released in mid-September. Given all of the new components and architecture of vCenter, I wanted to walk through the entire configuration process from scratch assuming a greenfield environment. The original 5.1 release had a lot of, shall we say, bugs and issues related to the SSO service and SSL problems.
In addition, due to various configuration issues and bugs, save yourself headaches and install all the vCenter 5.1 services (except VUM for medium/large environments) on the same VM. Hopefully in vSphere 6.0 VMware will fix the plethora of SSO and SSL issues to be more friendly to distributing the services among two or more servers.
This series covers:
- vCenter 5.1.0b Installation on Windows Server 2008 R2
- SSO service, Inventory Service, vCenter Server, vSphere client, vSphere Web client, and VUM
- Configure SSL certificates for all vSphere 5.1 services
- Configuring SSL encrypted connection to the SQL 2008 R2 server
On another security note, the SQL server MUST be configured to allow both Windows integrated authentication AND SQL authentication. SQL authentication is very weak, which makes the use of SSL for the database connection that much more imperative. Should the SQL server only allow Windows integrated authentication, you will likely get the following error:
Error 29115.Cannot authenticate to DB.
Use SQL Server Management Studio to log in to your SQL server, open the server properties, then select the less secure option "SQL Server and Windows Authentication mode". Restart the SQL services.
These instructions reflect using vSphere 5.1.0b, which has a different database setup than the 5.1 GA release. Do not use the 5.1 GA version, as it was in no way ready for production usage.
Provision vCenter VM
1. Provision one or more VMs for the vCenter 5.1 install. In this blog series I'm assuming an all-in-one server to make things easier. You can certainly split up the services, which would be recommended in medium to large environments.
I provisioned a Windows Server 2008 R2 SP1 VM, with 2 HDs, and all of the latest Windows updates. 6GB of RAM and even 8GB of RAM for an all-in-one server is recommended, otherwise vCenter and SSO will run verrrrrrrry slowly. The 5.1 release has a high memory utilization.
2. Create a domain-based service account (e.g. SVC-VCTR02-001) which the vCenter services will use. Add that account to the local Administrators group on what will become the vCenter 5.1 server.
You need to ensure the service account also has the "Act as part of the operating system" user right on the vCenter server. If the Administrators group has the right then you are covered. If not, explicitly add the service account to the user right as shown below. Should you need to add the account, reboot the server after so that it takes effect.
3. Open the Server Manager and add the .NET Framework 3.5.1 feature and wait for the install to complete.
Configure SQL Database
1. The SSO service requires a database, as do other vCenter services. In this example we are using SQL Server 2008 R2. SQL Server 2012 is NOT officially supported. There are some hard coded restrictions in the SSO service which limit your ability to use customized names for all of the fields. In particular the DB name must only include letters, numbers, underscore (_), the at symbol (@) and the hash (#). No periods and no spaces. As of the 5.1.0b release, hyphens are now allowed though. As a reader has pointed out, you should be using SQL Server 2008 R2 SP1 and CU6 or later, which addresses a JDBC SSL issue. You can read the MS KB here. Personally I used SQL 2008 R2 SP2.
I created a custom database creation script (see below), based on the canned VMware script mentioned in the wizard above. In my case I called the database "D001_VMware_SSO". Run this script in SQL Server Management Studio, modified to your liking. Note that you CANNOT change "RSA_DATA" or "RSA_INDEX", as the SSO service is hard coded to use them and the install WILL fail if they are not present.
Note that SQL dynamic ports are NOT supported. Make sure your SQL server won't change the port it's listening on, as that will break the SSO service. I've also seen reports of successful installations with SQL clusters, as long as SQL server is listening on a static port. I personally haven't tried a clustered SQL instance. Users have reported that specifying a SQL instance in the JDBC string may not work for all vCenter products, even if the SSO service will initially install fine.
----
USE MASTER
GO
-- Database name: letters, digits, _, @, # (and hyphen from 5.1.0b); no periods or spaces.
-- The logical names RSA_DATA and RSA_INDEX and the filegroup RSA_INDEX are hard coded
-- in the SSO installer and must not be renamed. The physical paths (K:\ and L:\ here)
-- are examples only; adjust them to your SQL server's disk layout.
CREATE DATABASE D001_VMware_SSO ON PRIMARY(
NAME='RSA_DATA',
FILENAME='K:\Microsoft SQL Server\MSSQL\Data\D001_VMware_SSO_Data.mdf',
SIZE=10MB,
MAXSIZE=UNLIMITED,
FILEGROWTH=10%),
FILEGROUP RSA_INDEX(
NAME='RSA_INDEX',
-- Secondary data files are conventionally .ndf (VMware's own script uses .ndf);
-- SQL Server does not enforce the extension, so the .mdf name below also works.
FILENAME='K:\Microsoft SQL Server\MSSQL\Data\D001_VMware_SSO_Index.mdf',
SIZE=10MB,
MAXSIZE=UNLIMITED,
FILEGROWTH=10%)
LOG ON(
NAME='translog',
FILENAME='L:\Microsoft SQL Server\MSSQL\Data\Logs\D001_VMware_SSO_Log.ldf',
SIZE=10MB,
MAXSIZE=UNLIMITED,
FILEGROWTH=10% )
GO
-- sp_dboption is deprecated in SQL 2008 R2 (and removed in SQL 2012); this option is
-- equivalent to ALTER DATABASE D001_VMware_SSO SET RECOVERY SIMPLE
EXEC SP_DBOPTION 'D001_VMware_SSO', 'trunc. log on chkpt.', true
GO
CHECKPOINT
GO
-----
2. Create a new SQL user using SQL Server authentication, such as SSO_User, and modify the password options as needed. I would suggest not expiring the password, and certainly don't select the option to change the password at next login. The password must be 32 characters or less, and cannot contain semicolon (;), double quotation mark ("), single quotation mark ('), circumflex (^), or backslash (\).
3. Repeat the user creation process for a second user, SSO_DBA.
4. In SQL Server Management Studio, for your SSO database you now need to add your two newly created users so they have proper permissions in the database. Open the Users node under your SSO database and select New User. For the SSO_DBA user I granted it db_owner permissions for both the schemas and the database. For the SSO_User I only granted db_owner for the database.
Properly configuring a trusted SQL SSL connection requires that we first start the SSO Installation so that the proper Java keystore binaries are present on the system for us to create a trusted keystore with.
SSO Installation
1. Log in as the newly created vCenter service account and launch the vSphere installer from the ISO image; you are presented with the following screen.
At this point VMware gives you the option of a "Simple Install" or install each component separately. Since we want to replace SSL certificates in an orderly fashion and in the easiest possible manner, do NOT select Simple Install. We want to deliberately install each service and perform configuration steps along the way.
2. Click on vCenter Single Sign On, then click on Install. Select the appropriate language and wait for the wizard to open. After clicking through the licensing agreements and carefully reading all of the patents, you are presented with a screen with several options.
VMware gives you the option to install multiple instances of the SSO service for high availability. So on the screen below you have the option of creating a new primary node instance, or join an existing SSO instance. Since this is a new deployment, we want to create a primary node.
Even if you don't want multiple SSO instances now, you may want them in the future. You don't need to configure additional ones from the outset, so there's no harm in leaving the door open for future expansion. Thus I selected the second option, as shown below.
The password must have at least eight characters, at least one lowercase character, one uppercase character, one number, and one special character. Maximum password length is 32 characters. Passwords longer than 32 characters will be truncated and cause authentication problems.
Note: Do NOT use the following characters, or trailing spaces:
^ (circumflex)
* (asterisk)
$ (dollar)
; (semicolon)
" (double quote)
' (single quote)
) (right parenthesis)
< (less than)
> (greater than)
& (ampersand)
| (pipe)
\ (backslash)
These may cause an "Error 29133.Administrator login error." further on in the installation process. VMware has a KB article regarding these special characters here.
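Because the installer only reports these problems as Error 29133 or Error 29115 after it has already run for a while, here is an added Python pre-flight check (not from the original post or from VMware) that encodes the database name, SQL login password and SSO admin password rules listed above; the character sets and limits are the ones stated in this post, the function names are mine.

```python
"""Pre-flight checks for the names and passwords the vCenter 5.1 SSO installer accepts.

Added example, not from the original post or from VMware. The limits and
character sets below are the ones the post lists; checking them up front
avoids the installer's late and unhelpful 29115/29133 errors.
"""
import string

# Database name: letters, digits, underscore, @, # and (from 5.1.0b) the hyphen.
SSO_DB_NAME_CHARS = set(string.ascii_letters + string.digits + "_@#-")
# SQL login password: at most 32 characters and none of ; " ' ^ \
SQL_PASSWORD_FORBIDDEN = set(";\"'^\\")
# SSO admin password: at most 32 characters, none of these, and no trailing space.
SSO_PASSWORD_FORBIDDEN = set("^*$;\"')<>&|\\")
MAX_PASSWORD_LEN = 32


def _forbidden(value, forbidden):
    """Return a problem string listing forbidden characters in value, or None."""
    bad = sorted(set(value) & forbidden)
    if bad:
        return "forbidden characters: " + " ".join(repr(c) for c in bad)
    return None


def check_sso_db_name(name):
    """Return a list of problems with an SSO database name; empty means OK."""
    problems = []
    if not name:
        problems.append("empty name")
    bad = sorted(set(name) - SSO_DB_NAME_CHARS)
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def check_sql_login_password(pw):
    """Return a list of problems with a SQL-authentication login password."""
    problems = []
    if len(pw) > MAX_PASSWORD_LEN:
        problems.append("longer than %d characters" % MAX_PASSWORD_LEN)
    problem = _forbidden(pw, SQL_PASSWORD_FORBIDDEN)
    if problem:
        problems.append(problem)
    return problems


def check_sso_admin_password(pw):
    """Return a list of problems with the admin@System-Domain password."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_PASSWORD_LEN:
        # The installer truncates silently and later logins then fail.
        problems.append("longer than %d characters (truncated by the installer)"
                        % MAX_PASSWORD_LEN)
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    if pw != pw.rstrip(" "):
        problems.append("trailing space")
    problem = _forbidden(pw, SSO_PASSWORD_FORBIDDEN)
    if problem:
        problems.append(problem)
    return problems


if __name__ == "__main__":
    # Constructed sample values; "D001_VMware_SSO" is the database name used in the post.
    for label, result in (
        ("db name", check_sso_db_name("D001_VMware_SSO")),
        ("sql pw", check_sql_login_password("Sso_User-Pass#1")),
        ("sso pw", check_sso_admin_password("Vmware1&")),
    ):
        print(label, "OK" if not result else result)
```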
4. At this point you are presented with a dialog asking what kind of database you want to use. I would never use SQL Express in a lab or production environment, so select the second option.
If you are concerned about security and want to use an SSL connection to the SQL server you have two implementation options. Both options assume your SQL server is configured for SSL encryption. I wrote a blog article here that you can check out for enabling SQL SSL.
The first, less secure but easier, option is to amend the JDBC connection string so that any trust issues with the SQL SSL certificate are ignored. Not ideal, since the secure channel could easily be compromised by a man-in-the-middle attack, but probably better than clear text communications to the SQL server.
The second option requires the configuration of a Java keystore with the public key of your SQL SSL root CA so the JDBC driver can validate the certificate. This is much more secure and the preferred option, but requires more work.
Option 1 (less secure): Force trusting the SQL SSL certificate:
On the vCenter Single Sign On screen above, click on Next, then click on Back. You should now see the JDBC URL populated but greyed out. Check the box next to "I will enter the JDBC URL myself". At the end of the connection string add the following two options:
;encrypt=true;trustservercertificate=true
For example, my JDBC URL is (single line):
jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433;
databaseName=D001_VMware_SSO;encrypt=true;trustservercertificate=true
Option 2 (more secure): Trust the SQL SSL root CA through a Java keystore:
Further in the SSL replacement process we will also need the public root certificate(s) file in Base-64 encoded format.
A. From the vCenter server go to the Microsoft CA home page that was used to create the SQL server certificate and click on Download a CA certificate, certificate chain or CRL. Change the encoding method to DER and click Download CA certificate chain. Change the file name to cachain.p7b.
B. Double click on the downloaded certificate file, then locate the certificate in the console. Right click on the certificate and select All Tasks -> Export. Select DER encoded and save the certificate with a filename of Root.cer.
C. Open an elevated command prompt then change directory to where the SSO installer files extracted themselves and find the jre\bin directory. In my case this was:
C:\Users\SVC-VCTR02-001\AppData\Local\Temp\{DEC4C346-414B-4814-9BF3-CAC14154B55A}\jre\bin
D. Create a Java keystore by issuing the following command (using the path of your SSO service account). Enter a keystore password (write it down). When prompted to trust the certificate type Yes.
keytool -import -alias root -file c:\root.cer -keystore c:\users\SVC-VCTR02-001\keystore.jks
Update: If you get any errors, you may need to double back-slash the trust store path (e.g. C:\\Users\\SVC-VCTR02-001\\keystore.jks).
Add these connection options:
;encrypt=true;truststore=C:\Users\SVC-VCTR02-001\keystore.jks;truststorepassword=testpassword
Full connection string example (single line, with no spaces after the semicolons):
jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433;databaseName=D001_VMware_SSO;integratedSecurity=true;encrypt=true;truststore=C:\Users\SVC-VCTR02-001\keystore.jks;truststorepassword=testpassword
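To check a JDBC URL before pasting it into the installer, here is an added Python example (not from the original post or from VMware) that parses a jdbc:sqlserver:// URL and reports which of the three postures described above it yields: clear text, Option 1 blind trust, or Option 2 with a truststore. It also flags stray whitespace, a missing static port and a named instance; the function names are mine, and treating whitespace around a property name as a defect is my assumption about the driver's parsing, not something the post states.

```python
"""Audit a Microsoft SQL Server JDBC URL before handing it to the SSO installer.

Added example, not from the original post or from VMware. Sorts the URL into
the transport postures the post describes (clear text, Option 1 blind trust,
Option 2 trusted keystore) and flags the formatting slips readers reported.
Assumption: the driver does not trim whitespace around property names.
"""
import re

PREFIX = "jdbc:sqlserver://"


def parse_jdbc_url(url):
    """Split a sqlserver JDBC URL into (host_part, {property: value}).

    Property names are lower-cased because the driver matches them
    case-insensitively; values are kept verbatim (paths, passwords).
    """
    if not url.startswith(PREFIX):
        raise ValueError("not a jdbc:sqlserver:// URL")
    segments = url[len(PREFIX):].split(";")
    host_part, props = segments[0], {}
    for segment in segments[1:]:
        if not segment:
            continue  # tolerate a trailing ';'
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError("property without '=': %r" % segment)
        props[key.lower()] = value
    return host_part, props


def audit_jdbc_url(url):
    """Return {'posture': str, 'findings': [str]} for the URL.

    posture is 'cleartext', 'blind-trust', 'trusted' or 'default-trust';
    findings is empty only for a clean Option 2 URL.
    """
    findings = []
    if re.search(r"\s", url):
        findings.append("whitespace in URL: ' databaseName' is not 'databaseName' "
                        "to the driver, so that property is silently lost")
    host_part, props = parse_jdbc_url(url)
    host = host_part.split("\\")[0].split(":")[0]
    if not (props.get("servername") or host):
        findings.append("no serverName")
    if "port" not in props and ":" not in host_part:
        findings.append("no static port: SSO does not support SQL dynamic ports")
    if "instancename" in props or "\\" in host_part:
        findings.append("named instance: reported not to work for every vCenter product")
    if "databasename" not in props:
        findings.append("databaseName not provided")
    encrypt = props.get("encrypt", "false").lower() == "true"
    blind = props.get("trustservercertificate", "false").lower() == "true"
    truststore = props.get("truststore")
    if not encrypt:
        posture = "cleartext"
        findings.append("encrypt is not true: credentials and data cross the wire in clear text")
    elif blind:
        posture = "blind-trust"
        findings.append("trustServerCertificate=true: server certificate is not validated "
                        "(Option 1), so a man-in-the-middle is not detected")
    elif truststore:
        posture = "trusted"
        if not props.get("truststorepassword"):
            findings.append("truststore given without truststorePassword")
    else:
        posture = "default-trust"
        findings.append("encrypt=true with neither truststore nor trustServerCertificate: "
                        "the JRE default cacerts will not contain a private CA root")
    return {"posture": posture, "findings": findings}


if __name__ == "__main__":
    # The post's Option 1 and Option 2 strings (server name and paths as in the post).
    for sample in (
        PREFIX + ";serverName=D001SQL01.contoso.net;port=1433;databaseName=D001_VMware_SSO;"
        "encrypt=true;trustservercertificate=true",
        PREFIX + ";serverName=D001SQL01.contoso.net;port=1433;databaseName=D001_VMware_SSO;"
        "integratedSecurity=true;encrypt=true;truststore=C:\\Users\\SVC-VCTR02-001\\keystore.jks;"
        "truststorepassword=testpassword",
    ):
        report = audit_jdbc_url(sample)
        print(report["posture"], report["findings"])
```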
6. With your database details now properly configured, and maybe even using SSL to your SQL server, we can proceed with the SSO installer. If you were using a hardware load balancer, you would enter the FQDN of the VIP. Since I'm just installing one SSO instance, I'll stick with the FQDN of the vCenter server.
7. At this point input the vCenter service account details. Note that if you input the wrong password you will get the error "Could not find the specified user on provided domain.", which is not entirely correct. The user exists, but you just fat-fingered the password.
8. For the installation path I left the default, as the installer has had problems in the path with custom paths or "unusual" characters in the path.
9. On the next screen I left the HTTPS port the default, then sent the installer off on its merry way.
At this point the vCenter Single Sign On service should have successfully installed. If you have more SSO installation problems than I've covered here, check out their 5.1.0b release notes for a laundry list of gotchas for the SSO installer. Next up is creating all of the SSL certificates that the vCenter services require. You can check out Part 2 here.
In the VMware script for the SQL DB, if you look at it, it has "FILEGROUP RSA_INDEX(
NAME='RSA_INDEX',
FILENAME='blah.ndf'" yet you have changed it to .MDF - Is that a typo on VMware's part?
Anonymous, yes I think that is a typo. The database/log filenames are transparent to the SSO service. The file group names (RSA_) are the hard requirement.
Do you know if SSO with vSphere 5.1 supports SQL 2008 SP1?
It's not clearly stated in the software requirements. I'm looking to upgrade my SQL to 2008 R2 since I read that vCenter 5.1 does not support SQL 2008 SP1.
I am running the vSphere 5.1 Host Agent Pre-Upgrade Checker, and once I click "RUN PRECHECK" all of my hosts (around 20) get the "Connection Error". All hosts (ESX 4.0 U1) are well connected to my VC 4.0.
Thanks for the info. I have found through repeated installs that the SSO admin password has particular special characters that cause the install to fail; after a dozen attempts I found one that works.
Max, unfortunately the vCenter 5.1 interop matrix hasn't been populated, so I can't tell which DBs are formally supported. You can find the tool at:
http://partnerweb.vmware.com/comp_guide2/sim/interop_matrix.php?
Thanks for posting the manual SSO DB creation script. May I link to your post on my blog http://vmadmin.info?
Thanks
I have one small nit to pick with the script; it is a really bad idea to turn on autoshrink. It is explicitly against best practice to turn it on.
Some reasons why: http://www.sqlskills.com/blogs/paul/auto-shrink-turn-it-off/ This guy wrote parts of SQL Server and his advice is well worth listening to. "Friends don't let friends use autoshrink" Spread far and wide :)
@Anonymous: Point taken. I removed the shrink parameter from the script. Thanks!
vExpert2012: Yes, please feel free to link to my blog post, just make sure to attribute the post to me.
Great guide man!
I would just like to add that it appears SSO requires a NON-CLUSTERED database backend. Can you check that Derek?
I am unable to successfully point it to my active/active/active SQL cluster.
e.g. SERVER001SQL\TEST is the full instance name which can run on any of the three nodes (SQL01.fqdn, SQL02, or SQL03)
Have you confirmed this with VMware? Wonder how it would detect if it's a stand alone or not... all you do is provide the VIP/instance name.
I have a case open with VMware support in regard to connecting to an SQL Cluster\instance name. I tried to connect to the SSO DB with "Hostname\Instance" but it failed every time. Once I removed the instance name, the SSO installation successfully connected to the database and the installation completed without any issues. I have read the installation guide and other blogs and there is nothing noted about database instances. VMware support has confirmed this and should be updating their documentation.
Yeah SSO only supports the default instance, in a standalone configuration (non-clustered). It may be possible to configure the JDBC string to use a named instance, but I haven't had luck so far...
It supports a cluster fine. We're using it with our SQL 2008 R2 DB cluster. At the screen where you have to enter the location of the DB server just enter the fully qualified name. Do not enter \instancename - ex - server.domain.com is only needed. Also keep in mind clusters do not use port 1433. Each instance uses a different port and it's typically dynamic. Hard code the port using SQL Server Configuration Manager.
Have successfully installed SSO on a clustered MSSQL 2012 Ent non-default instance with no issues. vCenter 5.1 also installed fine on it. YMMV.
Thanks for the guide and the quick updates - it's been extremely helpful in getting my vCenter 5.1 installed.
Derek,
thanks for your info. I have a quick question: we have two sites with separate VC/SQL servers. What is the best way to install the new vSphere 5.1?
Anonymous, there are several considerations when looking at a production deployment. Such as high availability, planned usage, DR, etc. So I'd suggest reading VMware best practices and asking more specific questions in the VMware forums.
Hi Derek,
Great guide... but I couldn't even manage to get past the first step. I can't even manage to get a certificate into SQL, as Configuration Manager won't recognise any of them, since I can't work out how to get the option "KeySpec" to be "AT_KEYEXCHANGE" out of my Certificate Services CA.
Did you use OpenSSL to request your SQL certificate, or just request it through the MMC?
Mark, the SQL certificate is fully optional. That certificate can be requested via normal Microsoft methods like the MMC, or auto-enrollment. No OpenSSL needed for any MS products that I'm aware of.
Hi Derek,
I understand the SQL encryption is optional, but I wanted to set it up "the proper way", so that when we come to do it in production things are done right.
I got the certificate, but then the installer bombs halfway through with "Error 29114.Cannot connect to DB".
I've tried everything I can think of (mainly following the advice about disabling IPv6) and I'm now pretty much convinced that aside from your experience, getting this to work with SQL over SSL isn't possible.
It's a shame, because this would have been really good for us.
Glad you want to do it the "right way"! Have you successfully used SQL encryption with the ODBC connectors and vCenter/VUM? Or does that fail too?
Hi Derek,
It just will not work with Force Encryption set to yes. If set to yes, the ODBC connector connects just fine. I also get an error on the SQL box during SSO installation saying:
"Encryption is required to connect to this server but the client library does not support encryption; the connection has been closed. Please update your client library."
If I turn Force Encryption off, I can still specify encryption in the JDBC URL, both the blind trust method and using the jks.keystore, and installation will succeed. Of course I need to sniff the traffic to see if this is the case.
Very strange!
Mark, that is odd. Because of initial encryption issues with SSO I turned 'forced off' but got both the blind trust and the trusted method to work. I haven't tried a fresh SSO install with SQL forcing encryption to see what happens.
We had a similar issue where when we started the SSO install using the newer 5.1A release it gave a network error right away, something regarding IPv4 and IPv6. We also could not connect to the DB. Nothing we did with the adapters or networking resolved this. What I ended up doing was installing SSO using 5.1 GA - the original release - and that worked fine, and then upgraded to 5.1A.
On this step do I need to create the cert for the SQL server?
Anonymous, creating a certificate for the SQL server is totally optional. Best practices would tell you to encrypt database access across the wire. But everything will work fine in clear text, or using some other encryption method like IPsec.
I issued an SSL cert to my SQL Server using the following guide:
http://thesqldude.com/2011/10/22/to-ssl-or-not-to-ssl-that-is-the-question/
I had no problems with the cert showing up in my dropdown to choose from. I have tested connections both encrypted and non-encrypted and currently have the Force encryption turned off so I can use it either way.
For the life of me I cannot get the JDBC string to connect to it with encryption on. I can connect fine without it using Windows Integrated or supplying the RSA_USER and RSA_DBA logins. I used the provided SQL scripts to setup the users.
I can't connect using either the keystore or the blind trust certificate methods. Below are the JDBC strings I have tried.
jdbc:sqlserver://;serverName=MPBCK.INucoda.net;port=1433;databaseName=RSA;integratedSecurity=true; encrypt=true;trustStore=C:\Users\Vcenter\jks.keystore;trustStorePassword=xxxxxx
jdbc:sqlserver://;serverName=MPBCK.INucoda.net;port=1433;databaseName=RSA;integratedSecurity=true;encrypt=true;trustservercertificate=true
I have tried also putting a space before encrypt=true and still nothing. Most the time in the logs I either see "Database user and Password is not provided" or "No Database Name is provided".
The no DB name error makes me think there is a problem with my syntax/formatting of the string as the db name is provided correctly and works fine without any of the encrypt stuff in the string.
I'm having the same problem. Still digging. Did you figure it out?
Have you had success using SQL encryption with the vCenter/VUM databases using the ODBC connector?
I get a Kerberos error in the System event log when I set the jdbc string to connect to the SQL server using encryption. "0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN". Probably a problem with SPNs, though they look ok at first glance.
Yes, vCenter and VUM are using encrypted ODBC connections with no problems.
Could be another SSO bug.. if you have VMware support you might try opening a case with them.
Might have to do that. I cleared up the Kerberos error, but that was a red herring. Still can't establish an encrypted session with the jdbc options.
I have the same issue with the JDBC connection string as Chris, the error I get is:
------------------------------------------
Database user and Password is not provided
[2012-10-01 07:31:12,529]ERROR 14703[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.error(?:?) - Failed to established connection :com.microsoft.sqlserver.jdbc.SQLServerException: Connection reset
------------------------------------------
If I remove the encryption parts (keystore or blind cert trust) from the string everything works
I'm now looking at Network Monitor trace files to see if I can unpick what’s going wrong when Java is trying to connect to my sql server using TLS.
It would be nice to compare a trace file of a working installation using the local keystore and the blind cert trust.
VC and VUM encryption working fine, I suspect because it's using ODBC rather than JDBC.
I am also having this same issue with no resolution so far. Would be very interested in knowing the resolution if anyone figures it out.
Just a note on the "Database user and password is not provided" error. If I do the installation without encryption but specify the incorrect port I get the same error in the log. After correcting the port the install works (again this is without encryption). If I try to enable encryption I get the same error even with the correct port. Makes me think that error message is not very useful.
Any luck on this issue?
Did any of you work out the error where adding the ";encrypt=true;trustservercertificate=true" portion caused a failure but if you leave it off then it goes through?
I changed the string to the following and had it work:
encrypt=false;trustservercertificate=true
Can I create a database on the same server that vCenter 5.1 is installed on, or should I separate the database to a different server?
Anonymous: If you are just doing a small test lab then sure you could put them on one box. But for anything in production I would separate them.
Chris, that is odd, as both methods worked fine for me. I didn't need any spaces in the string to make it work.
Would vCenter have any problems working with certs where the CA issuer has a "-" in its computer name? IE: MP-CA.inucoda.net.
Having an error when installing vSphere Update Manager on the same server that vCenter is installed on: setup failed to connect to the database, please make sure that you entered the correct DSN username and password.
Any suggestions? Please advise.
Anonymous, did you validate the database connection via the ODBC GUI? If that validation works, then VUM should easily install. If the ODBC verification fails, then you have an authentication problem. Need to check the VUM database permissions and validate the account used to access it has the proper permissions.
Dear Derek,
Thank you for this valuable material. Prior to doing a fresh installation I actually tested upgrading to 5.1 in my lab environment, which went pretty smoothly. On the other hand, today I tried installing it from scratch and I keep getting this error every time I try to access my vCenter via vSphere Client 5.1.
---------------------------
Could Not Connect
---------------------------
vSphere Client could not connect to "server.domain.tlds".
An unknown connection error occurred. (The request failed due to an SSL error. (The request was aborted: Could not create SSL/TLS secure channel.))
---------------------------
OK
I've been troubleshooting this since more than 8 hours now :/.
Hi Abdullah,
I have been having the same issue with no success. Could you please update this comment if you find the solution?
Thank you.
Abdullah and Joe, did you verify the rui.key file has the proper headers in it? Check out step 4 in this post: http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-2.html
I had a couple of additions based on going through this.
In step 7 using the "*" character will also result in an error. Using a "." is a special character that will work however.
In step 12 a few extra steps are needed if the database is configured to use a different SQL instance.
First the database instance needs to be configured to listen on a specific port, such as 1435.
Second the jdbc line needs to be specified in the format.
For example
jdbc:sqlserver://SERVER.DOMAIN.COM:1435;instanceName=INSTANCE;databaseName=SD01_VMware_SSO;integratedSecurity=true;
This page led me to that solution.
http://it.christman.co.uk/vsphere-5-1-single-sign-on-sql-named-instance-error/
Alan, thanks for the feedback! I've updated the steps you pointed out, in case someone was going through the install before they read all of the comments.
Unfortunately it looks like I may have spoken too soon about Step 12, with the database instance. While that does get through the initial configuration, I think there is something missing.
When I got to the third post in this series I ran into problems with the ssolscli.cmd; I was receiving 404 errors. In investigating some of the log files I saw several jdbc errors that the database was not specified. Eventually I just abandoned using a SQL instance.
Alan
Derek/Alan,
Any final word on using a SQL database instance with SSO, vCenter and VUM? Will SSO support a SQL database instance completely?
I also have a Question, Is there anything wrong with creating the primary node and leaving it for future HA need?
Deepu
@Deepu: SSO is fully supported with the proper versions of MS SQL server. No SQL 2012 support, last I checked. Yes you can create a primary SSO node, and make it HA later.
Derek,
Thank you for this awesome post! It helped me replace certs on my vCenter 5.1 and get it up and running.
Could you make the following updates?
1. changing the password for PFX files is not recommended (leave as testpassword)
2. can you add sections to update SSL certificates for ESXi Dump Collector, Syslog Collector, Auto Deploy, and Authentication Proxy?
3. also I would suggest having two separate blog sequences
3a The recommended one, has certs generated as you have stated, and then follows with predeployment.
3b The not recommended one, has certs generated as you have stated, and then does the hokey replacement process briefly described in VMware's 5.1 SSL replacement document.
Anonymous,
Thanks for the feedback. I did update the SSL certificate generation with a note that "testpassword" is required and should not be changed. At this point the SSL situation is such a mess that I'm not attempting to replace any more certs until VMware comes out with an update and new documentation.
This is incredibly useful information... Thank you!
I came across your blog because after installing the SSO service, I was unable to get the Inventory service to register with SSO... it was reporting an "invalid password". I tried using the "SSOPass" script to reset the admin@System-Domain account, but I got a "failed SSL Handshake" error. Amazingly, SSOPass refused to accept the self-signed cert generated by the SSO Service installer.
By following your directions in exacting detail, I was able to get SSOPass to start working again.
In step 7, you very helpfully cite some special characters that should not be used for the admin@System-Domain account. I discovered additionally that the ampersand (&) character is invalid for use in the password. If you use it, the installer will hang because at one point a command is passed java.exe containing this password, but the command gets truncated at the ampersand, and java.exe never exits.
Additionally, the password cannot be 36 characters in length. Installation will succeed with a long password, but the command line utilities (such as SSOPass and SSOCLI), and the Inventory Service installer will fail when using a long passphrase. I am not sure what the max passphrase length is, but I am now having success with a 16-character passphrase. (Which I will have to change more frequently now owing to the reduced complexity. Boo!)
Thanks for the additional information. I updated the password section with your input.
How to configure the cert for the SQL SSL server? Please advise. Thanks
Just thought I would let you know, I found an article from VMware that describes what characters are not allowed for the SSO password in step 7.
The article is http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2035820
Essentially the invalid characters are as follows.
^
*
$
;
"
Alan
Thanks Alan..I updated my post with the characters and put in the link you mentioned.
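The password restrictions reported in this thread are spread over several comments (the characters from VMware KB 2035820 above, the ampersand that truncates the java.exe command line, and the length problem where 36 characters failed and 16 worked). As an added example, not code from the blog post or from VMware, here is a small pre-flight check that applies all of them before the installer is run. The maximum length is not documented anywhere in the thread, so it is a parameter whose default is the length a commenter reported working; treat that default as an assumption.

```python
"""Pre-flight check for the SSO admin@System-Domain password.

Added example (not code from the blog post or from VMware). It combines the
restrictions reported in the comments: the characters from VMware KB 2035820
(^ * $ ; "), the ampersand that truncates the java.exe command line, and the
length problem (36 characters failed, 16 worked).
"""

# Characters listed in VMware KB 2035820, plus '&' as reported in the comments.
FORBIDDEN_CHARS = frozenset('^*$;"&')

# Assumption: 16 is the length a commenter reported working; the true cap is
# not known from the thread, so adjust this to what you have verified.
DEFAULT_MAX_LENGTH = 16


def sso_password_problems(password, max_length=DEFAULT_MAX_LENGTH):
    """Return a list of human-readable problems; an empty list means it passes.

    Each forbidden character is reported with its 1-based position so the
    operator can see exactly which character the installer would choke on.
    """
    problems = []
    if not password:
        problems.append("password is empty")
    if len(password) > max_length:
        problems.append(
            "length %d exceeds the %d-character limit; long passwords install "
            "but break SSOPass, SSOCLI and the Inventory Service installer"
            % (len(password), max_length))
    for pos, ch in enumerate(password, start=1):
        if ch in FORBIDDEN_CHARS:
            problems.append("forbidden character %r at position %d" % (ch, pos))
    return problems


def is_safe_sso_password(password, max_length=DEFAULT_MAX_LENGTH):
    """Convenience wrapper: True when no problems were found."""
    return not sso_password_problems(password, max_length)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Vmw@re2013!ok", 'Bad$pass"word;', "pass&word", "A" * 36):
        print(sample, "->", sso_password_problems(sample) or "ok")
```

Run it against the candidate password before typing it into the SSO installer; a non-empty list means the install may succeed but the command-line tools (or the installer itself, for the ampersand) will misbehave later.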
I have this error when I add this line to the end of the JDBC: encrypt=true;trustservercertificate=true. I think the SQL server needs to do something before we can connect to it with this added line? Or do we need to add the encrypt line? Advice! VMware support have no idea why we need to add this line to the end of the jdbc://. Derek, can you advise on this? Thanks
You only need those options if you want to establish an encrypted connection to your SQL server. If your SQL server is not configured for encryption, then those options are not needed and will cause the install to fail.
Great Post! Part 1, number 17 states "After the SSO service installs, it generates a number of unique passwords ..." I did not see any passwords generated. Will that be a problem? Now, how do I find out the passwords? I am using self-signed SSL.
Anonymous, it doesn't display the passwords on the screen automatically. You have to run the command in Part 1 step 17 to show the passwords.
Hi Derek, would you have or know where to find tutorials on how to add an additional (already created) datastore to a host? Please let me know. Thank you.
Excellent write up, Derek. Thank you very very much.
It would be ACE if you could do an identical series, but with the vSphere Appliance (rather than a Windows based VC).
Of specific interest is getting SSO/SSL working with both valid, and internally issued certificates.
Thanks ! (from Chicago)
Thanks for the feedback. Depending on my time, I'll see what I can do. Not at the top of my list, as I have a lot of new Windows Server 2012 stuff I want to publish.
GREAT Article. In fact it can't get better for all those who are struggling to get this to work.
I have a quick question on the RSAUTIl -Manage-Secrets --Action List command. What is the Master Password that we need to provide here?
The Password of the "admin@System-Domain" User.
After a disaster upgrade to 5.1 I found your blog, can you elaborate on this statement: "UPDATE 10/7/2012: VMware may be releasing an update to vCenter 5.1 later in October that should address many of the SSL problems"
Where did you find this at? I am delaying my upgrade until this update is available and would like to monitor its release. Thanks!
@Anonymous: The fix/patch/update has been delayed a few days. No ETA as of yet.
Hi
There are lots of post-install DB scripts when you use a remote DB; do we need to use these?? Since I am installing this on SQL that is not the same server as the vCenter. I have run the scripts for the DB install, and all is OK, but I'm having some problems with the post-install SQL scripts.
Thank You
JL
Hello everybody.
I got the error message "Error 29114.Cannot connect to DB" too.
I edited the script (contained on the vCenter DVD) rsaIMSLiteMSSQLSetupUsers.sql with my passwords and ran it. After that, the installation wizard works fine and I didn't get the error.
Hi Derek & all
We are very happy having found this amazing guide. But we hang at step 17, because installation fails with Error 20030. Relating to C:\Users\VMWARE~1.SER\AppData\Local\Temp\1\vim-sso-msi.log we have found only a few details:
MSI (s) (E0!34) [09:21:01:507]: Product: vCenter Single Sign On -- Error 20030.Failed to create package for MultiSite.
CustomAction VM_CreatePackageInstance returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI-Error 1603 seems to be a generic MSI error, but nothing can be found to 20030. Any experience or ideas?
@Guardean: That's an error that I have not encountered. I would open a support ticket with VMware and see what they say.
Hi,
I am getting the same error message when I put our load balancer FQDN address in the field where you configure your local system information. I only got it when putting the local server FQDN.
Frank
Hi Derek,
Read through all your guide and found it excellent! Thanks very much, learnt a lot regarding SSL! =)
One question though - What would the process look like if you plan to use the vCenter Server Simple install (which installs everything in one go)?
Would you create and pre-stage the SSL certs before starting the install?
So basically:
1. Ignore the SSO install at the end of part 1
2. Create the SSL certs in Part 2
3. Pre-stage the certs according to your pre-stage post
4. Create DBs and complete the vCenter Simple install
5. Update the SSO certs according to Part 3.
Does that sound like the general gist of things?
BTW, do you know what the limits of a simple install are? VMware's docs say it's appropriate for "small deployments" but don't list how many hosts/VMs are in a small deployment!
Cheers,
AP
Any chance of doing a Windows Server 2012 with a local SQL 2012 version of this?
@Derek: Those are not officially supported. I would not use them in any production environment.
True... but I just did it and it's working like a charm.
Well, with one exception that the Storage service didn't get installed. This means the storage views are not available.
Will probably go back to Win2008 R2 for the OS and a local SQL 2008 R2 Standard server, but it would be nice to have it on the latest and greatest.
Found this missing from Section 14, part G.
;trustservercertificate=true
SSO installer will create the RSA_USER and RSA_DBA accounts properly now in the installer. If the accounts are created manually, the database table structure SQL scripts need to be run to populate it before letting the SSO installer begin the install process.
Using all the (14?) posts I was able to setup a fully functioning vCenter server. I then started to go through again to install a second server in a multi-site configuration. I selected "Join an existing vCenter Single Sign-On" option. After giving the credentials for my existing vCenter server, the install fails with:
Failed to get type of server, Exception :com.vmware.vim.sso.admin.exception.InternalError: General failure.
Has anybody else been able to get a multi-site install working?
I am getting the same error. Looking at the log it appears to talk to the first SSO server and receive a valid certificate, then get the error you have posted.
Has anyone got this working?
I've got this working now. I believe the problem is using port 636 for the ADAM SSL port. Note that on the following page, step 14 has been updated to NOT use port 636 in a multisite install:
http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-7.html
Use port 7444. See page 242 of vSphere Installation and Setup - vSphere 5.1 pdf.
You create the database by script but create the DB accounts with studio. In the installation source there is a script called "rsaIMSLiteMSSQLSetupUsers.sql" for that task.
IMHO it would be more consistent to do both via script.
Just an attempt to make a great article a little better.
grubi.
@Guardean Had the same problem, verify DNS for SSO
Derek - have you done any testing with multisite config? I seem to be unable to get past the step where it tries to validate against the primary. I have a fully functional vc setup with SSO, but it just hangs on the second SSO server install when I put in the FQDN, port and password. Following your steps, I've replaced my certs, and the primary site is working fine, but I'm wondering if maybe the certs are the cause for the secondary site?
I have a ticket open with VMware, but haven't received a response from them yet.
As others have reported, I can't get the SSO installation to work with JDBC using SSL. I created a jks.keystore as described above and selected a SSL certificate on the SQL server. I used the JDBC connection string jdbc:sqlserver://;serverName=vCenter.mydomain.com;port=1433;databaseName=RSA;integratedSecurity=true;encrypt=true;truststore=C:\ProgramData\VMware\SingleSignOn\SSL\jks.keystore;truststorepassword=mystorepassword. During the installation I get Error 29115. Cannot authenticate to DB. This happens with Force Encryption either Yes or No on the SQL server. Looking at the SQL Management Studio, I see that the installer has deleted the SQL logins for RSA_USER and RSA_DBA, so no wonder it can't authenticate. It's not clear if or how others have gotten past this other than by not using JDBC SSL. I'd like to try installing SSO without JDBC SSL, which I can do successfully, and go back after the installation and alter the JDBC connection string for SSL. Does anybody know where that connection string is stored? Thanks. Jeff.
Sir,
Thanks for the how-to 5.1 post - the SSO / 7 part install guide helped clear up some of the mystery of the preprod deployment that was underway.
Regards,
Linux\Win/Droid
Hi - Really great work! One question: I have created a vCenter service account (vmlab\vcenter-service). The account is added to the local admin group on the vCenter server. But when I use it in the install wizard (deselect "use network service account") it always says "Could not find the specified user on provided domain" when clicking next. I am sure the password is correct. If I use the domain administrator it passes to the next screen. Any idea what I'm missing? Kind regards, Bjørn.
Wow, this is an excellent piece of blog!
How do we reconfigure SSO in vCenter 5.1 (Windows version)? The Simple install was chosen as an external SSO wasn't setup then. Now that we managed to get a standalone SSO working, we need to reconfigure the vCenter to point to this external SSO server. But I can't find any info on our manual. I tried reinstalling the SSO component. Instead of allowing me to choose (Create primary node, Join, Recover), it simply went ahead to install.
Thanks from Singapore
e1
Hi Derek,
I get all the way through step 13 (I clicked connect to my SQL 2008 R2 database on a separate server, not the server vCenter is on); it connects without SSL, and when I go back and add ;encrypt=true;trustservercertificate=true I get the error "database connection has failed. refer to vm-sso-javalib.log for more information". There really isn't much information in this log. It's just saying failed to establish a connection, connection reset? I'm completely lost; I've searched Google now for a few hours with no luck :/
Using SSL with SQL is not required, but as I mention in the article, certainly recommended. Are you 100% sure SSL on the SQL server is configured properly? Can you configure an ODBC connector to the SQL server using the SSL option? If not, then you have a larger problem with SSL than the SSO service being stubborn. I would also telnet to port 1433 on your SQL server to make sure it's listening; it should come up with a blank screen.
Thanks Derek, I figured out the problem. I did not have SQL 2008 R2 Service Pack 2 installed. As soon as I did that, it connected right up when I changed the JDBC string to include encrypt and trustservercertificate. I was following someone else's guide to install SQL 2008 R2 and they said do not do any service packs. But after reading this: http://support.microsoft.com/kb/2653857 and applying SP2 everything is working great! I got all the way through and have SSO installed now. Thanks again for this write up, this is extremely helpful!!
THANK YOU DEREK!
Greetings from Germany!
Tommy
Hi Derek,
Facing a very weird issue right now: I upgraded the vCenter to 5.1. I see I cannot login to vCenter but my colleague can login. If I try to login to the web client, same error (authentication failure); if my colleague tries to login to the web client he can. We both belong to the same administrators group. There are 20 users who are facing similar problems. For the time being I have disabled the SSO. However please mention in Red that VMware's DB creation file has a typo. I just came across that via a comment entry. If you could provide some direction it would be a great help or I have to work with VMware support. oh SSO..SSO...:(((
To update all "the typo" which I'm referring above is actually not a typo.
Our issue is resolved. We called VMware support and they quickly found that the account which was used for installing SSO didn't have sufficient privileges to read attributes of all accounts in AD. We got our domain admin to use his credentials and it worked. So when you add an identity source, and you are using reuse session, then ensure that you have full rights on AD. If not, check this KB: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2037546.
Hi Derek. I came across your site via Google. I had installed SSO 5.1 the simple way and decided to build a Windows 2012 domain and do an enterprise install: DC, CA, SQL 2012, and vCenter/SSO on their own VMs. A few hiccups on SQL, now resolved (I know it's not supported yet, but...). Anyway, I found your work on certificates, so I am following it and building as I go along. Everything was great until I tried to create the keystore. No amount of changes would get it to work until I had a brainwave: type cmd in PowerShell and it worked! Ta-dah! I did not know PowerShell could not deal with the path statement that cmd could. We live and learn. Thanks for the great work you have put in; I will link back to you.
@Peter: Glad the posts were a help! Just wish they weren't needed, if VMware documentation was up to par.
Thank you very much for your very useful guides Derek.
I would like to install a complete fresh installation of vCenter 5.1.0a with your guides and public SSL certs. VMware has released today version 5.1.0b; do your guides fit the new release? I'm asking because I don't like to install outdated versions :)
@Simon: No, the articles have not been updated for 5.1.0b. I won't have time anytime soon to revise any articles. 5.1.0b seems to be mostly bug fixes, so the basic install procedure should work, but hopefully without as many problems.
I hit a brick wall ... in the installation window that says Single Sign On information: admin@System-Domain / Password, next line Lookup service URL
filled the line with the following URL https://vcenter.labo.local:7444/lookupservice/sdk, hit next and I got the following error message
Could not contact lookup service. Check vm_ssoreg.log in system temporary folder for detail ... see below. Can someone please help me figure out why it won't let me install? Thank you.
[2012-12-24 16:52:18,286 main ERROR com.vmware.vim.install.cli.commands.CommandArgumentsParser] Unable to connect to server
[2012-12-24 16:52:18,286 main INFO com.vmware.vim.install.cli.RegTool] Return code is: ServiceNotResponding
[2012-12-24 16:52:27,319 main DEBUG com.vmware.vim.install.cli.RegTool] $Id: //depot/vicore/vicore-vsphere51p01/regtool/viregtool/src/main/java/com/vmware/vim/install/cli/RegTool.java#1 $
[2012-12-24 16:52:27,335 main DEBUG com.vmware.vim.install.cli.RegTool] Executing command: validateLsConnection -c C:\Users\VCAdmin\AppData\Local\Temp\{A4400513-2688-45A9-8439-CA991F4E4106}\certs -d https://vcenter.labo.local:7444/lookupservice/sdk -u admin@System-Domain -p *****
[2012-12-24 16:52:28,723 main INFO com.vmware.vim.install.impl.RegistrationProviderImpl] Intializing registration provider...
[2012-12-24 16:52:28,723 main INFO com.vmware.vim.install.impl.RegistrationProviderImpl] Getting SSL certificates for https://vcenter.labo.local:7444/lookupservice/sdk
[2012-12-24 16:52:30,049 main DEBUG com.vmware.vim.install.impl.RegistrationProviderImpl] Establishing socket connection to vcenter.labo.local/10.0.0.3:7444. Timeout is 60000
[2012-12-24 16:52:31,079 main ERROR com.vmware.vim.install.impl.RegistrationProviderImpl] Unable to connect to server
[2012-12-24 16:52:31,079 main DEBUG com.vmware.vim.install.impl.RegistrationProviderImpl]
java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
at java.net.Socket.connect(Socket.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:564)
at com.vmware.vim.install.impl.RegistrationProviderImpl.getSslCertificates(RegistrationProviderImpl.java:312)
at com.vmware.vim.install.impl.RegistrationProviderImpl.initialize(RegistrationProviderImpl.java:220)
at com.vmware.vim.install.impl.RegistrationProviderImpl.(RegistrationProviderImpl.java:133)
at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:143)
at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:60)
at com.vmware.vim.install.cli.commands.CommandArgumentsParser.createServiceProvider(CommandArgumentsParser.java:253)
at com.vmware.vim.install.cli.commands.CommandArgumentsParser.parseCommand(CommandArgumentsParser.java:99)
at com.vmware.vim.install.cli.commands.CommandFactory.createValidateLsCommand(CommandFactory.java:36)
at com.vmware.vim.install.cli.RegTool.process(RegTool.java:86)
at com.vmware.vim.install.cli.RegTool.main(RegTool.java:33)
[2012-12-24 16:52:31,125 main ERROR com.vmware.vim.install.cli.commands.CommandArgumentsParser] Unable to connect to server
[2012-12-24 16:52:31,125 main INFO com.vmware.vim.install.cli.RegTool] Return code is: ServiceNotResponding
No luck on the SSL configuration. I opened a ticket and VMware questioned whether it was even supported. I was able to connect to the database with an encryption enabled ODBC SQL server connection. I would like to use the encrypted connection later if possible.
Installing the 5.1.0b version of vCenter.
During the SSO installation I came across two SQL issues:
1. Error 29114. Cannot connect to DB
This issue occurs when the SSO database RSA (default SSO DB name) does not meet the prerequisites for the SSO installation and the RSA DB table space RSA_INDEX has a filegroup type of PRIMARY, instead of RSA_INDEX.
I had to change this manually in SQL Server Manager
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2036318
2. And again, Error 29114. Cannot connect to DB
This one is an unexplained error. I used the VMware outlined account of “RSA_USER” The account was added as a local security login for the SQL server (not AD) and security users for the RSA database. During the install of SSO, the account is deleted from Security->Users and I get the above error. When I use “SSO_User” (or any other name) the install proceeds as expected.
If I followed “Anonymous November 1, 2012 1:08 AM”, this would not have been an issue I imagine.
Thank you for your outstanding, comprehensive cookbook approach to this subject. Huge help in tackling a complex application install.
Is it possible to change the JDBC URL after installation? The first time through I was lazy and didn't enable the SSL steps... now I want to go back and change it.
@Andrew: I don't know..I would hope so, but I don't have the procedure.
Hi Derek, we have vCenter 5.0 U2 all on the same machine, and with 5.1, I'd like to split off SSO and the Inventory Service to a separate box. Do you think this'd be possible, if so, what are the basic steps I'd need to perform?
Cheers
@Mike: Yes, you can distribute the 5.1 vCenter roles to different servers. Basic install process is the same, except you will need certs with the appropriate hostnames. Install in the same order as my blog.
Wanted to say thank you for the post. The script also worked perfectly. This helped me implement the upgrade from 4.x to 5.x vCenter today. /SALUTE
Great guide! This helped me a lot when upgrading to 5.x!
Hi Derek,
While installing vCenter on Windows Server 2008 R2... I am getting an error... saying that...
Could not connect lookup service. Check vm_ssoreg.log in system temporary folder for details.
SQL Instance issue resolved:
Here is the catch. You can use SQL cluster instances for SSO DB. If you are using the JDBC, then there is no need to specify the instance name. If you specify the instance name, it will fail. JDBC uses the port and sql server name to identify the database.
cheers
Deepu
SQL INSTANCE ISSUE RESOLVED
If we are using a SQL clustered database with an INSTANCE, we should not be providing the instance name when configuring the database. It uses the server name and the port address to identify the instance.
If you provide the instance name, the installation will fail with a connection error. Most of us are familiar with ODBC (which supports instances); having this knowledge can save your time.
cheers
Deepu Cherian
Hi Derek
Great blog, but a question: why use OpenSSL 1.x when VMware requires the use of OpenSSL 0.9.8 (MUST)? I am in trouble installing the inventory service (install hangs) and opened an SR with VMware. They asked me to redo the whole procedure using their KB :-(
kind regards, yvan
@Anonymous: OpenSSL 0.9.8 and earlier use a different hashing algorithm when you are creating the trust store with the filenames ending in .0. However, the newer versions of OpenSSL have a flag to use the old hashing algorithm. So I haven't seen any problems, as long as you use the right flags (which are in my steps).
Hi Derek
Great job with this blog
Do you know any about this error?
Could not inject STS certificates into adapter servercom.vmware.vim.dataservices.ssoauthentication.exception.ServiceCommunicationException: com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
I had been trying to install SSO in high availability; SSO installs OK on both servers. The inventory install is OK but I receive the error above.
When I try to install vcenter I get the error return 6
Thanks
@Anonymous: Yes, it looks like there is something wrong with your root certificate trust. SSO is unable to validate the CA that issued the certificate(s) you are trying to use.
Thanks for your response. I used default certificates on my first installation and also I used certificates from my own Windows PKI. In both cases I receive the same error. :(
Inventory Log
com.vmware.vim.dataservices.ssoauthentication.impl.AdapterServerCertificateInjector] Could not inject STS certificates into adapter servercom.vmware.vim.dataservices.ssoauthentication.exception.ServiceCommunicationException: com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
Vcenter Log
VMware VirtualCenter-build-947673: 02/04/13 16:16:44 Return code is 6 (successful operation however may not necessarily need return code 0.
VMware VirtualCenter-build-947673: 02/04/13 16:16:44 An error occurred while talking to the SSO admin service Res: 6
Do you have any idea?
This release is the worst installation of a piece of software that I've ever experienced!!! This is absolutely retarded! Did anyone test this thing before releasing a crap product this time around? For shame VMware. VMM is looking pretty good right now considering the cost of VMware and the BS in dealing with vCenter
@Anonymous: Many people would probably agree with you. I think VMware really shot themselves in the foot (or head) with the very rushed 5.1 release. Really tarnished their reputation and at a very bad time, with Hyper-V 3.0 making such strides in features and scalability.
Hi Derek,
Your articles were really helpful. Thanks for putting it together.
I am trying to figure out how to configure HA (19 Attempts till now)
I am using Stingray Traffic manager.
Also referring KB2033588.
In Lab 1st I Installed Node1(SSO-A), replaced ssolscli.jar, installed Node2(SSO-B) as secondary node. made changes to server.xml on both Nodes.
I did configure StingrayTM (virtual appliance) Virtual Server with a SSL.
Set VirtualServer to decrypt the traffic, then apply rules to Map traffic appropriately according to KB2033588.
The services got updated.
Issue: After updating services on SSO-B, SSOlscli listServices is giving an error when trying to communicate on https://ssoha.vhomelab.com:7444/sso-adminserver
from SSO-A the services are getting listed and listing URL https://ssoha.vhomelab.com:7444/.... for all 3 services.
Two things I cant figure out.
1. In this kind of scenario do I have to install SSL on both nodes even after configuring HA?
If Yes, I dont think I will have to update the services, coz the services will be pointing to HA URL ie. ssoha.vhomelab.com.
2. As per the KB, /groupcheck is mapped to /sso-adminserver on both nodes and /sso-adminserver maps to /sso-adminserver on Primary node (SSO-A).
If Node1 (SSO-A) fails and the incoming request is for /sso-adminserver, then where this request will go? coz KB also says Admin Server is only on Primary Node.
:-(
@Wasim: Given the fragility of the SSO service, I haven't dared to try a full HA configuration. So I don't have any experience to help you out. I would open a support ticket with VMware and report back to us any tip they had.
Hi Derek,
I have successfully implemented SSO behind a virtual load balancer.
If you can have a look at it and point out any mistakes or flaws I might have made unintentionally, it will help me to revise the article and knowledge that I am willing to share.
Please check the article at http://vhomelab.com/?p=880 or http://msxchange.wordpress.com/2013/02/12/vcenter-5-1-installation-and-vcenter-single-sign-in-high-availability-using-load-balancer/
your comments are highly valuable.
Nice post, Derek! I was writing a post / video combo on the SSO database and found your article, you're added as a resource to visit!
http://wahlnetwork.com/2013/02/04/successfully-installing-vcenter-sso-part-1-sql-database/
Very nice post !
I'm installing SSO in HA using a hw load balancer.
You suggest to enter the FQDN of the VIP for the primary node installation.
What I have to enter for the secondary node installation when the installation wizard asks for :
1) SSO primary node fqdn or IP ? (SSO_primary_node_fqdn or VIP_fqdn)
2) local system FQDN or IP ? (SSO_secondary_node_fqdn or VIP_fqdn)
Thanks a lot,
Raf
@Raffaele: Given all the problems with the SSO service, I have not installed a "HA" instance with a hardware load balancer. So I can't vouch for exactly what will/won't work. I would look at VMware KBs to see if they have published any guidance.
@Raffaele: please check my article at http://vhomelab.com/?p=880 or http://msxchange.wordpress.com/2013/02/12/vcenter-5-1-installation-and-vcenter-single-sign-in-high-availability-using-load-balancer/
I hope it will be somewhat helpful.
Hi, all!
I have some error in step 6 - database connection has failed.
Logfile says: [2013-02-07 11:42:56,379] INFO 0[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - Validate database connection
[2013-02-07 11:42:56,379] INFO 0[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - DB information jdbcUrl:jdbc:sqlserver://;serverName=192.168.100.15;port=1433;databaseName=D001_VMware_SSO type: Mssql
[2013-02-07 11:42:56,379] INFO 0[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - Initialize values of user DBA user SSO_DBA , other user SSO_User
[2013-02-07 11:42:56,379] INFO 0[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - DB information jdbcUrl:jdbc:sqlserver://;serverName=192.168.100.15;port=1433;databaseName=D001_VMware_SSO type: Mssql userName:SSO_DBA
[2013-02-07 11:43:26,565]ERROR 30186[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.error(?:?) - Failed to established connection :com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host 192.168.100.15, port 1433 has failed. Error: "connect timed out. Verify the connection properties, check that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port, and that no firewall is blocking TCP connections to the port.".
[2013-02-07 11:43:26,565] INFO 30186[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - could not close JDBC connection
WTF ?
You probably already found the answer, but you need to set your SQL server to not use dynamic ports.
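Several comments in this thread turn on the exact shape of the JDBC URL handed to the SSO installer: the encrypt=true;trustservercertificate=true suffix that only works once SQL itself is set up for SSL, the truststore form of the URL that Jeff posted, Deepu's finding that a named instance in the URL makes the install fail, and the vm-sso-javalib.log extract just above where the driver timed out on host:port. As an added example, not code from the blog post or from VMware, here is a Python checker that parses that URL form, flags those cases, and pulls the URL and the failing host:port out of log lines of the kind quoted above. The sample URL and log lines are constructed from the thread, with a placeholder host name, IP address and password.

```python
"""Checks for the SQL Server JDBC URL handed to the vCenter SSO installer.
Added example (not code from this blog or from VMware); see the lead-in."""
import re

# Microsoft JDBC driver URL grammar (property names are case-insensitive):
#   jdbc:sqlserver://[serverName[\instanceName][:port]][;property=value...]
_PREFIX = "jdbc:sqlserver://"
_ADDRESS_RE = re.compile(r"([^\\:]*)(?:\\([^:]*))?(?::(\d+))?")


def parse_jdbc_url(url):
    """Split a jdbc:sqlserver URL into host, instance, port and a property map."""
    if not url.lower().startswith(_PREFIX):
        raise ValueError("not a jdbc:sqlserver URL: %r" % url)
    address, *prop_parts = url[len(_PREFIX):].split(";")
    host = instance = port = None
    if address:
        m = _ADDRESS_RE.fullmatch(address)
        if m is None:
            raise ValueError("malformed address part: %r" % address)
        host, instance, port = m.group(1) or None, m.group(2), m.group(3)
    props = {}
    for part in filter(None, prop_parts):          # skip a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("property without a value: %r" % part)
        props[key.strip().lower()] = value.strip()
    # The URLs in this thread give the address as properties instead; honour both.
    return {"host": host or props.get("servername"),
            "instance": instance or props.get("instancename"),
            "port": port or props.get("port"), "props": props}


def _is_true(props, key):
    return props.get(key, "false").lower() == "true"


def check_sso_jdbc_url(url):
    """Return (level, message) findings; [] means nothing to flag.
    'error': reported in the thread as breaking the install; 'warn': weakens SSL."""
    u = parse_jdbc_url(url)
    p = u["props"]
    out = []
    if not u["host"]:
        out.append(("error", "no serverName in the URL"))
    if not u["port"]:
        out.append(("error", "no port; the driver connects by host and port, "
                             "so SQL must listen on a static port"))
    if not p.get("databasename"):
        out.append(("error", "no databaseName in the URL"))
    if u["instance"]:
        out.append(("error", "instance name %r given; the SSO installer fails "
                             "with one, use host and port only" % u["instance"]))
    if not _is_true(p, "encrypt"):
        for key in ("trustservercertificate", "truststore", "truststorepassword"):
            if key in p:
                out.append(("warn", "%s is set but encrypt is not true" % key))
        return out
    if _is_true(p, "trustservercertificate"):
        out.append(("warn", "trustServerCertificate=true encrypts the link but "
                            "skips verifying the SQL server's identity"))
    elif "truststore" not in p:
        out.append(("warn", "encrypt=true but no trustStore and no "
                            "trustServerCertificate: the SQL certificate must "
                            "chain to the JVM default trust store"))
    elif "truststorepassword" not in p:
        out.append(("warn", "trustStore given without trustStorePassword"))
    return out


# Patterns for the installer log lines quoted in this thread.
_URL_IN_LOG_RE = re.compile(r"jdbcUrl:(\S+)\s+type:")
_TCP_FAIL_RE = re.compile(r"TCP/IP connection to the host (\S+), port (\d+) has failed")


def summarize_sso_db_log(lines):
    """Pull the JDBC URL and any TCP connect failure out of installer log lines."""
    summary = {"url": None, "tcp_failure": None}
    for line in lines:
        m = _URL_IN_LOG_RE.search(line)
        if m and summary["url"] is None:
            summary["url"] = m.group(1)
        m = _TCP_FAIL_RE.search(line)
        if m:
            summary["tcp_failure"] = (m.group(1), int(m.group(2)))
    return summary


# Constructed samples patterned on the thread (placeholder host, IP, password).
SAMPLE_SSL_URL = ("jdbc:sqlserver://;serverName=vcenter.example.com;port=1433;"
                  "databaseName=RSA;integratedSecurity=true;encrypt=true;"
                  "truststore=C:\\ProgramData\\VMware\\SingleSignOn\\SSL\\jks.keystore;"
                  "truststorepassword=PLACEHOLDER")
SAMPLE_LOG = [
    "[2013-02-07 11:42:56,379] INFO 0[main] - CoreLoggerImpl.info(?:?) - DB information "
    "jdbcUrl:jdbc:sqlserver://;serverName=192.0.2.15;port=1433;databaseName=SSO_DB type: Mssql",
    "[2013-02-07 11:43:26,565]ERROR 30186[main] - CoreLoggerImpl.error(?:?) - Failed to "
    "established connection :com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP "
    "connection to the host 192.0.2.15, port 1433 has failed. Error: \"connect timed out.\".",
]
```

A URL that comes back clean from check_sso_jdbc_url still needs the SQL side to match it: with encrypt=true the SQL server must actually have a certificate bound and, per the comments above, a service-pack level that speaks the newer TLS correctly, and a TCP timeout in summarize_sso_db_log points at the port (dynamic ports or a firewall) rather than at the URL.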
Hi,
Has anyone been able to get the instructions for using this with an SSL-secured SQL server to work?
I followed the instructions above about using encrypt=true and have not been able to get either the install to work or the service to connect (once installed).
I found VMware KB 2035831 which states:
This issue can occur if the Force Encryption option in the SQL Server Configuration Manager is set to YES. To avoid this installation error, change the setting to NO
Which seems to imply that you cannot install the SSO Server with the SSL encryption set to required.
The VMware documentation on this subject must still be sitting in draft because the current docs skim over this at a very high level and are no help.
Keeping my fingers crossed that it is possible to get this to work.
Thanks,
Craig.
Derek,
Thank you very much for putting this comprehensive install guide together. They were a great help in getting a new vCenter instance set up for the View environment we are putting in.
-Steve
Great post! thanks for all the effort you have put into this. I do have a question though, I cannot get the SSL SQL connection part of the SSO install to work at all. I have followed your instructions to the letter as well as other suggestions on the VMware forums with no luck, I always get Error 29114 Cannot Connect to DB when it reaches the configure Single Sign stage during the install. (password complexity is fine, no illegal characters)
VMware's recommendation is to turn off Force Encryption on the SQL server, which is a pretty poor workaround to be honest (but it works). The only difference I have is that I have a Sub-CA that handles my certificates, so I imported both the root CA and sub CA into the keystore.jks that I used in the JDBC string. Any ideas on what could be going wrong?
Good stuff... thank you for insight on this mess of a product (SSO anyway). We're just testing, having built a lab for the 4.x to 5.1 planning, and the SSO install fails at the very end with "error 29148.STS configuration error" and rolls back after clicking OK. We've used VMware's own scripts for db/tables and user creation, which run fine. All prompts in the installer accepted, no fancy SQL SSL config attempted initially, just keeping it all very simple. Still fails. Same 29148 error and nothing found online for it, so opened a ticket. Will advise... but meanwhile, anyone seen that particular error? SSO installer logs inconclusive.
Figured out the issue prior to VMware calling me back (and their support responsiveness has been increasingly drawn-out in the last year or so, I must say, versus the good ol' days of circa ESX 2.5/3.x, but I digress).
The installer failed with that cryptic error because it didn't like a circumflex ^ character in the password of the domain account I was using for the SSPI service. While that character restriction is duly noted in the release notes for 5.0.1b where the SQL users and admin@system-domain account are concerned, there is nothing noted where the SSPI service/configuration dialog of the installer is concerned, so take note if you use a domain account rather than the default Network Service account for the SSPI service!
For those of you having an issue getting these instructions working and are getting the generic error "Database Connection has failed. refer to vm-sso-javalib.log for more information" and in the vm-sso-javalib.log you see something like this at the end of the attempted handshake:
"[2013-02-15 13:33:33,519]ERROR 0[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.error(?:?) - No Database Name is provided
[2013-02-15 13:33:33,535]ERROR 16[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.error(?:?) - DatabaseName is either not supported or wrong :com.vmware.vim.installer.core.common.InstallException
[2013-02-15 13:33:33,535] INFO 16[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - could not close JDBC connection"
Make sure you have SQL Server 2008 R2 SP2 installed or at least the hotfix that pertains to this KB article: http://support.microsoft.com/kb/2653857
After I applied the hotfix, my installation was able to proceed past the dreaded Step 5. And thanks Derek, this guide has been a life saver.
Disregard my post about SP2 on SQL 2008 R2, it isn't in the support matrix for vcenter 5.1.......
The hotfix does seem to resolve the issue though.
@Tim: Thanks for the info! I've updated the blog post. That may be why it worked for me. I'm on SQL 2008 R2 SP2, so I didn't have any SSL problems.
Many, many thanks Derek!!! Great work and humor, I like it!!!
Hadn't really considered the certificate security until I happened upon your posts, Derek. Appreciate you taking the time to share.
I've been struggling like others with the forced encryption errors and have seen most of the errors listed above. Spent hours so far trying to get it to work but... importantly... I like to remind myself that I'll now remember this stuff all the more because it didn't fly straight through without a glitch ;-). Will try the SQL 2008 R2 SP2 install, as I came back today to confirm what exact version of SQL you were using and then found your exchange with Tim above.
I had success up until where it said,"Configuring LookupService. It will take few minutes..." (I didn't notice the grammatical error until typing this up just now. I'm sensing a theme. Anyone else feel like a beta tester right now?)
It fails with "Error 20010. Failed to configure LookupService."
Which I will google and get back to this.
And to add to the Force Encryption setting on the SQL Server question everyone has been asking, I can't get this to work with Forced Encryption enabled either.
The SQL patch only resolved my inability to connect using encryption with the jdbc driver.
Same problem here... I installed SP2 and I'm able to get past the database screen. Now I have the same problem when the installation is finishing...
If I try to install using encrypt=true without specifying a cert it works, but I checked the traffic using Wireshark and it is not encrypted. It's pretty much the same as not using the encrypt=true option.
Diego
If you have OpenSSL installed when you are installing HA or Multisite, the installer might hang on the "vCenter Single Sign On Type" screen. If it does, open Task Manager and kill the openssl process (maybe 2 or 3 times) and it will continue with no errors. This is a known issue but has not been published in a KB yet.
OK, performed more testing on my environment. I can install error-free with any variation of settings except when I use the JDBC string. (Passes with the SSPI account set to a domain account and a non-default installation folder.)
Seeing as I get past the SQL connection page with the string and it fails later on, it's probably the key store. (It appears the SQL patch takes care of the initial JDBC connection.)
My question is, working with a snapshot on the vcenter server connecting to an external database server, do I need to regenerate the keystore every time I roll the vcenter server back or can I set aside the root cert and keystore I created the first time and reuse them when I re-attempt installation.
Thanks
@Tim: I re-used all of the certificates for each install I did. However, even if you roll-back your vCenter VM, the SQL database stores a lot of data, so you need to restore/revert that back as well. Otherwise things will get hopelessly confused. I did a simple SQL backup/restore.
@Derek
I'll see if that's causing the issue. I ended up starting over, going to VMware's site and stepping through this bear (KB: 2034833), and basically abridging it for our environment. I also found Wasim's script he cites several threads up, which basically takes care of all the work for KB 2037432.
I'm hoping to get the connection from SSO to the Database encrypted as well, so hopefully it's something to do with the failed SSO installation modifying the vcenter database and not rolling the database back to the backup I took.
Thanks,
Tim
I've rolled the databases back, same result. "Error 29115.Cannot authenticate to DB." Where the status shows "Configuring Single Sign On".
Forgot to give the account that I was running the service under access to the database. Gave it dbo access to the "RSA" database, re-ran the install after rolling everything back again. I'm back at "Error 20010.Failed to configure LookupService."
Changed the user for service authentication I was using from one that had an underscore in the name to one without, and I get "Error 29148.STS configuration error."
Going to try the default account.
I don't know how comfortable I am putting something that appears this fragile into production.
If I didn't have to replace Lab Manager, we would NOT be going to this until at least the first service pack.
I got the same error with the default setting for the service account. I think I'm going to give the jdbc connection setting a miss.
I guess I'm a glutton for punishment, I couldn't let it go and I opened up a ticket with VMware. Just got through a WebEx with VMware Support this morning, and setting integratedSecurity to false in the JDBC string worked for me.
With it on, I get this in the vm_vim_ls.log:
"com.microsoft.sqlserver.jdbc.SQLServerException: This driver is not configured for integrated authentication."
Thank you Derek. These articles are very useful.
I have also read several comments and I have two questions. We are going to install 2 vCenter Servers v5.1.0b (2 sites) in our organization and we don't know if we should install the vCenter Appliance (to save 2 Windows licences), the vCenter in 2 Windows 2008 VMs, or the vCenter on our two Microsoft Windows 2008 R2 Cluster Nodes (to save 2 Windows licences).
We are thinking about installing them on the Cluster Nodes and using the SQL Server Cluster instances (we have SQL Server 2008 on these Nodes in an Active-Active configuration). The problem is that I have read comments about the SSO problem with SQL Named Instances and we don't know what we should do.
The first question is: Are there really problems to use SQL Named Instances?
The second question is: What about vCenter Appliance? Do you prefer vCenter in a Windows OS or the vCenter Appliance?
I appreciate If someone could help me with these questions
Thank you very much!
@Antonio: From reader feedback, you can use named SQL instances. However, they must be assigned a static port number. If you do that, then you just point the vCenter services to SQL server hostname/port and don't tell it the instance name. I haven't personally tried that, but from what others have said that can work.
I personally prefer the Windows version of the vCenter stack. Although I haven't looked in detail at the limitations of the 5.1 vCenter appliance, prior versions weren't at feature parity with the Windows version.
For Windows licensing, I would look at your licensing model. If you get Datacenter licenses, or ECI (enrollment for core infrastructure), you get unlimited Windows VM rights. Depending on how many VMs/servers you have, that could be cheaper than licensing each VM with standard edition.
Hi,
After several tests (2 servers, Windows 2008 R2 SP1 + SQL Server 2008 R2 SP1 CU11 + named instance):
On SQL Server we need to set "Force Encryption" to "no", otherwise the installation fails.
With the syntax:
jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433;databaseName=D001_VMware_SSO;integratedSecurity=true;encrypt=true;trustservercertificate=true
or
jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433; databaseName=D001_VMware_SSO;integratedSecurity=true; encrypt=true;truststore=C:\Users\SVC-VCTR02-001\keystore.jks;truststorepassword=testpassword
the installation fails:
- integratedSecurity=true; needs to be set to false
With the syntax:
jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433;databaseName=D001_VMware_SSO;integratedSecurity=false;encrypt=true;trustservercertificate=true
or
jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433; databaseName=D001_VMware_SSO;integratedSecurity=false;encrypt=true;truststore=C:\Users\SVC-VCTR02-001\keystore.jks;truststorepassword=testpassword
the installation completes successfully, but the lookupservice does not work, error 404.
After some research, only the lookupservice does not like the syntax (why?).
We needed to modify the syntax like this:
jdbc:sqlserver://D001SQL01.contoso.net:1433;databaseName=D001_VMware_SSO;integratedSecurity=false;encrypt=true;truststore=C:\Users\SVC-VCTR02-001\keystore.jks;truststorepassword=testpassword
And all works fine.
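As an added example (not code from the blog, from VMware, or from any commenter): a small Python linter for the JDBC strings traded in this thread. It flags the reported pitfalls (properties run together without a `;`, stray spaces, integratedSecurity=true, quoted or single-backslash truststore paths) plus the security caveat a practitioner should see (trustServerCertificate=true encrypts but never validates the SQL server's certificate), and rewrites the `;serverName=...;port=...` form into the `host:port` form the LookupService accepted above. It assumes only the property names of the Microsoft JDBC driver seen in the log lines; the sample strings are constructed from the ones in the comments.

```python
"""Lint a vCenter 5.1 SSO JDBC string for the pitfalls reported in this thread and
rewrite it into the host:port form the LookupService accepted (constructed example)."""

PREFIX = "jdbc:sqlserver://"


def parse_jdbc_url(url):
    """Return (host_part, [(raw_item, name, value), ...]) for a jdbc:sqlserver:// URL."""
    if not url.startswith(PREFIX):
        raise ValueError("not a jdbc:sqlserver:// URL")
    host_part, _, props_part = url[len(PREFIX):].partition(";")
    items = []
    for raw in props_part.split(";"):
        if raw.strip():                          # tolerate a trailing ';'
            name, _, value = raw.strip().partition("=")
            items.append((raw, name, value))
    return host_part, items


def lint_jdbc_url(url):
    """Return a list of (code, message) findings; an empty list means nothing to flag."""
    findings = []
    _, items = parse_jdbc_url(url)
    props = {name.lower(): value for _, name, value in items}
    for raw, name, value in items:
        if raw != raw.strip():
            findings.append(("WHITESPACE", f"space next to '{name}'; join properties with ';' only"))
        if "=" in value:
            findings.append(("MISSING_SEMICOLON", f"'{name}={value}' is two properties run together"))
    if props.get("integratedsecurity", "false").lower() == "true":
        findings.append(("INTEGRATED_SECURITY", "integratedSecurity=true: the bundled driver is not "
                         "configured for integrated authentication; set false and use SQL logins"))
    if props.get("encrypt", "false").lower() != "true":
        findings.append(("NO_ENCRYPTION", "encrypt is not true: SSO-to-SQL traffic is sent in clear"))
    elif props.get("trustservercertificate", "false").lower() == "true":
        findings.append(("TRUST_ANY_CERT", "trustServerCertificate=true: encrypted, but the SQL "
                         "server certificate is never validated, so a spoofed server goes unnoticed"))
    elif "truststore" not in props:
        findings.append(("DEFAULT_TRUSTSTORE", "encrypt=true without a truststore: validation falls "
                         "back to the JVM default cacerts, which must hold the CA chain"))
    path = props.get("truststore", "")
    if '"' in path:
        findings.append(("QUOTED_TRUSTSTORE", "quotes in the truststore path break the install; drop them"))
    if "\\" in path.replace("\\\\", ""):         # any backslash left after removing doubled ones
        findings.append(("SINGLE_BACKSLASH", "truststore path uses single backslashes; readers needed "
                         "them doubled, e.g. C:\\\\ProgramData\\\\keystore.jks"))
    return findings


def normalize_for_lookupservice(url):
    """Rewrite ';serverName=H;port=P' into 'jdbc:sqlserver://H:P;...' and drop stray spaces."""
    host_part, items = parse_jdbc_url(url)
    host, port, rest = host_part, "1433", []     # 1433 is the driver's default port
    for _, name, value in items:
        if name.lower() == "servername":
            host = value
        elif name.lower() == "port":
            port = value
        else:
            rest.append(f"{name}={value}")
    if ":" not in host:
        host = f"{host}:{port}"
    return PREFIX + host + ";" + ";".join(rest)


if __name__ == "__main__":
    # Constructed from the strings in this thread: a spaced, run-together variant.
    BAD = ("jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433; databaseName=D001_VMware_SSO;"
           "integratedSecurity=true;encrypt=truetrustservercertificate=true")
    for code, msg in lint_jdbc_url(BAD):
        print(f"{code}: {msg}")
    print(normalize_for_lookupservice(BAD))
```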
Thank you very much Derek for your answer. I think we will finally use Windows vCenter. I have another doubt about the new SSO component. We have two sites (a cluster with 2 ESX servers in site one and another ESX server in site two).
I don't know what would be the best choice:
Install basic vCenter Single Sign On in each site.
Install One primary node for a new vCenter Single Sign On in each site.
Install One primary node in site one and join an existing vCenter SSO in site two.
Thanks
This series saved me from blowing my brains out trying to do these certs.
@Eddie: Glad I could help!
Hi,
I'm getting an error saying "Database Connection Error".
What could be the possible solutions.
Hi,
I'm getting an error at step 5 and this is the log file:
[2013-03-11 00:37:17,927] INFO 0[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - Validate database connection
[2013-03-11 00:37:17,930] INFO 3[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - DB information jdbcUrl:jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433;databaseName=D001_VMware_SSO;encrypt=true;trustservercertificate=true type: Mssql
[2013-03-11 00:37:17,931] INFO 4[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - Initialize values of user DBA user SSO_DBA , other user SSO_User
[2013-03-11 00:37:17,932] INFO 5[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - DB information jdbcUrl:jdbc:sqlserver://;serverName=D001SQL01.contoso.net;port=1433;databaseName=D001_VMware_SSO;encrypt=true;trustservercertificate=true type: Mssql userName:SSO_DBA
[2013-03-11 00:37:47,328]ERROR 29401[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.error(?:?) - Failed to established connection :com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host D001SQL01.contoso.net, port 1433 has failed. Error: "null. Verify the connection properties, check that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port, and that no firewall is blocking TCP connections to the port.".
[2013-03-11 00:37:47,329] INFO 29402[main] - com.vmware.vim.installer.core.logging.CoreLoggerImpl.info(?:?) - could not close JDBC connection
Thanks for all the work you have put into this series, it has been a great help!
I have successfully installed my SSO using a CA and SubCA in the keystore, using the below string and settings and Force Encryption set to no.
I followed Derek's guide until Step 5 then did the below
Keystore:
After importing the root CA I simply used the keytool command to import the intermediate (SubCA)
SQL Side:
Force Encryption set to NO, certificate still specified
RSA_USER and RSA_DBA given the sysadmin role at the SQL server level(can remove later)
JDBC String:
jdbc:sqlserver://;serverName=dbserver;port=1433;databaseName=VMware_SSO;integratedSecurity=false;encrypt=true;truststore=C:\\ProgramData\\VMware\\SSOSQL\\keystore.jks;truststorepassword=testpassword;
I have found that if I use quotation marks " " when specifying the truststore path (my path originally had spaces in the folder name) you will get the Cannot connect to Database error (vm-sso-javalib.log shows either that it cannot find the database or that it can't drop RSA_USER). I circumvented this error for troubleshooting purposes by starting the installer and editing the DropUsers SQL query in the temp install files location under /ssojavalib/rsaIMSLiteMSSQLDropUsers.sql, removing any drop commands, but found it then failed when configuring the lookup service (vm_vim_ls.log shows a TrustAnchor error, which basically means it can't open or find the keystore.jks).
So basically, by removing the quotation marks " " from the keystore path I got everything installed and using my CA chain without issue.
Just a note: after installing successfully, the SSO service will start if you enable Force Encryption, but the lookup service will fail, so leave it off. (ssoinstallpath/ssoserver/logs/lookupserver.log)
Hi,
How exactly did you import the certificate of the SubCA? Did you just use the same command as for the root CA (with changed filename and alias, of course) or did you change anything else?
I can install SSO successfully using the trustservercertificate parameter but not when using the keystore... I end up with the 20010.Failed to configure LookupService error at the end if I use my keystore. So I suspect there is something wrong with it.
Regarding my last (not yet approved) post I can say that I found the problem:
The double backslashes were needed in the truststore path :)
It worked for me! :)
Thanks for this comprehensive tutorial. I have a couple of questions. I was recently employed by a new company. I fell in on a vCenter Server 4.0.0 instance and was entrusted with deploying 5.1.
The vCenter 4.0.0 instance is running on perfectly good hardware. However, the more I read, the more I am realizing that an "in-place" upgrade is out of the question.
My plan is as follows:
1. Stand up a temporary "all-in-one" vCenter 5.1 instance on borrowed hardware from another department.
2. Move the ESXi hosts from vCenter 4.0.0 instance to the vCenter 5.1 instance.
3. Perform a fresh install of vCenter 5.1 on the hardware that is hosting the vCenter 4.0.0 instance.
4. Upon successful installation of vCenter 5.1, move the ESXi hosts back to the original/upgraded vCenter.
Questions:
Since the initial vCenter 5.1 deployment will be temporary, which SSO deployment and node types should I choose?
The department wants its hardware returned. How do I retire the temporary vCenter 5.1 instance and its SSO service?
@Ruf: Have you considered a virtual vCenter? Very popular option these days, and not many downsides either if properly planned. Your plan would work, but will require VM downtime. You didn't state how many hosts/VMs you have. If it's a tiny environment then it's doable. If you are talking about a large cluster, then probably not ideal. If you went the VM route you'd only need to migrate once.
If you do the temp route, then it doesn't matter which SSO mode you use. After all VMs/hosts are migrated to the new vCenter you can simply remove the server from the domain, and if you use an external SQL DB, delete the DB. It's not like Exchange, which leaves lingering AD objects.
Yep, I did consider a virtual vCenter. But I thought we didn't have hardware for it, because I prefer to have something like that on an HA cluster. However, I just learned we have a couple of R720s lying idle; hence, I will go with a virtual vCenter once I get the correct PERC controllers (vSphere does not see my RAID array).
With a virtual vCenter, I can simply move it from one host to another.
Our virtual environment is small: 42 hosts and 732 virtual machines.
The vCenter server will have 12 GBs of RAM and host the database (SQL Server 2008 R2 Standard) as well. I hear that both are RAM intensive applications.
Error 29102: An invalid argument was provided
Because of special characters in the Domain User password.