Saturday, September 15, 2012

VMware vCenter 5.1 Installation: Part 4 (Install Inventory Service)

In Part 3 of my VMware vCenter 5.1 Installation series we configured the SSO service to use trusted SSL certificates. Next up is the installation of the Inventory Service, followed by configuring the Inventory Service to use a trusted SSL certificate. The Inventory Service caches queries from the Web Browser to increase the perceived responsiveness of vCenter, and in large environments lets you offload the process to another VM or closer to your administrators. This installation is quick and pain free! If you want to start back at part one of this vCenter 5.1 install series, you can find it here.

Let's get started!

1. If you wish to save yourself some headache, you can pre-populate your trusted SSL certificates to the Inventory Service SSL directory, so that upon installation it will automatically use your new certificate without any further work. I have a script in this blog post which automates the certificate pre-staging process for nearly all services, including the inventory service. However, if you don't want to use that script you can do the following:

From your D:\Certs\Inventory directory copy the rui.key, rui.crt and rui.pfx files to:

C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl

2. Launch the vSphere 5.1 Installer and select vCenter Inventory Service from the main menu.


3. Select your language, review all of the patents, thoroughly read the EULA, then select the default installation directory.

4. Verify the FQDN of the local system is shown correctly.



5. Accept all of the default port numbers, then choose the inventory size that best matches your environment.

 
 
6. Since I'm installing the inventory service on the same VM as the lookup service, I don't need to change the URL. Enter the SSO master password that you used during the SSO installation. The default administrator name is populated, so I didn't need to change that.
 
 
 
7. During one of my installations I was presented with a Certificate installation prompt for an RSA Identity and Access Toolkit root CA. I accepted the certificate then kicked back for a few minutes and waited for the installer to complete.
 





Congratulations, the Inventory Service is now installed. If you pre-populated the SSL certificates, I would suggest you open the Inventory Service URL (HTTPS://YourServer.FQDN:10443) and look at the SSL certificate in your browser. You can ignore the HTTP Status 400 error, as we didn't send any valid data to the Inventory Service. Make sure the SSL certificate is your trusted cert, not the self-signed VMware certificate.
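The same check can be scripted instead of done in a browser. The PowerShell below is an added example, not part of the original post: it reads the certificate presented on port 10443 and compares its thumbprint with the pre-staged rui.crt. The server name is a placeholder, and treating "subject equals issuer" as self-signed is a heuristic.

```powershell
# Added example: inspect the certificate served by the Inventory Service.
# $Server is a placeholder (assumption); the path and port come from the post.
param(
    [string]$Server = 'YourServer.FQDN',
    [int]$Port = 10443,
    [string]$StagedCert = 'C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl\rui.crt'
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the certificate before the stream is closed.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Close() }
    } finally { $tcp.Close() }
}

$served = Get-ServedCertificate -HostName $Server -Port $Port
$staged = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($StagedCert)

# Heuristic: a certificate whose subject equals its issuer is self-signed.
$selfSigned = ($served.Subject -eq $served.Issuer)
$sameCert   = ($served.Thumbprint -eq $staged.Thumbprint)

New-Object PSObject -Property @{
    Subject       = $served.Subject
    Issuer        = $served.Issuer
    NotAfter      = $served.NotAfter
    Thumbprint    = $served.Thumbprint
    MatchesStaged = $sameCert
    SelfSigned    = $selfSigned
}

if ($selfSigned -or -not $sameCert) {
    Write-Warning 'The Inventory Service is not serving the pre-staged certificate.'
}
```

MatchesStaged should be True and SelfSigned False when the pre-staged certificate is in use; NotAfter shows when it expires.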

You can skip to Part 6 if you pre-populated the SSL certificates, or want to use the self-signed certificates. To install your trusted SSL certificates proceed to Part 5.

15 comments:

  1. Hi,
    I have installed SSO in high availability mode (on two virtual machines not running either inventory service or vCenter Server) and I'm using the self generated certificates.

    During the installation of inventory service and vCenterServer I pointed to the LB FQDN and accepted the certificate from one of the SSO installations. I need to accept or add the certificate from the other SSO instance as well to the inventory and vCenter Server. Do you know how to perform this?

    The VMware KB articles http://kb.vmware.com/kb/2033588 and http://kb.vmware.com/kb/2034157 have been removed from the VMware web site.

    thanks
    /Magnus

  2. Magnus, no, I also noticed that the article was pulled over the weekend when I was looking up some other SSO errors. Unfortunately at this time the SSO service seems fairly fragile and there's not much good documentation around it. So I think we are all in the same boat at this time.

  3. Just a small typo: The URL to verify if the certificate is working listens to port 10443, not 10433 as stated in your article.

    A small contribution to your enormous help! So far, so good, both SSO and IS are serving using SSL, now on to step 7... thanks mate!

  4. Hi Derek,
    perfect blog post. That helped me a lot while configuring SSO HA. But I also want to build an HA Inventory. During the vCenter installation I have to enter the Inventory Service URL. Do you know if it is possible to create something like an inventory HA service URL? Similar to the HA SSO URLs?
    Frank

  5. Hi Derek,

    Followed your steps and was doing fine till this point. I prestaged my certs for the inventory service, however upon checking it still ended up showing using the default self signed cert. During install I saw the portion to install certificates and saw that the cert was actually the one issued and pre staged, now I am stuck. Been at this for 3 days now. Btw what's the typical process say the certs have expired (2 yrs, etc)? Is there any impact on vmware services if we stick to using self signed certs aside from getting all the warning prompts all the time? Thanks.

    Ron

  6. Hi Derek and others,
    I'm stuck at step 6, I complete the information and can't click next haha, it's like nothing happens, even the back button and the cancel button stop working at this place. Has this happened to anyone? Setup is Windows 2012 for Inventory Services, in a dedicated VM.

    Replies
    1. @Ro: Windows Server 2012 is NOT supported for any vCenter services. I would strongly suggest you use Server 2008 R2, which is supported.

  7. Here is my log when I run step 6:

    [2013-02-22 12:23:31,182 main DEBUG com.vmware.vim.install.impl.RegistrationProviderImpl] Establishing socket connection to srv-vcsso-01.xxx.yyy/172.18.2.51:7444. Timeout is 60000
    [2013-02-22 12:23:31,213 main DEBUG com.vmware.vim.install.impl.RegistrationProviderImpl] Creating client for SSO Admin on address: https://srv-vcsso-01.xxx.yyy:7444/sso-adminserver/sdk
    [2013-02-22 12:23:33,167 main DEBUG com.vmware.vim.install.cli.commands.ValidateUsernameCommand] No solution user found with name: InventoryService_2013.02.22_121333
    [2013-02-22 12:23:33,229 main DEBUG com.vmware.vim.install.cli.commands.ValidateUsernameCommand] No local user found with name: InventoryService_2013.02.22_121333
    [2013-02-22 12:23:33,260 main INFO com.vmware.vim.install.cli.commands.ValidateUsernameCommand] No local user with name 'InventoryService_2013.02.22_121333' or subject DN 'CN=srv-vcis-01.xxx.yyy,OU=vCenterInventoryService,O=bla bla bla,L=bla bla,ST=city,C=xx' is registered
    [2013-02-22 12:23:33,260 main INFO com.vmware.vim.install.cli.RegTool] Return code is: Success

    And the screen remains there.

  8. I got it! Seeing the other VMware log files at %temp% I saw that "C:\ProgramData\VMware\SSL" was missing the file named with the hash of Root64.cer at that location (I only had it on the SSO VM) so I copied it to here too. I think it should be the same case for later setting up the vCenter VM too.

  9. @Ro: I get a similar issue for my vCenter (Inventory Service installs fine) when I use AD signed certificates - it sticks at the screen asking for the SSO credentials. I've checked both the SSO and the IS certs using the web sites and they appear to be OK. It works fine when I use the VMware provided certificates so must be something to do with the ones I've created.

  10. Craig, are you installing via the simple install method or via the separated installers? Because in the latter maybe you are missing the hashed Root64.cer file at "C:\ProgramData\VMware\SSL"?

  11. Hi,

    I have been following the install process to the letter but seem to have hit a brick wall in this part. When installing the Inventory Service the install hangs when I press next on the Single Sign On Information page. Any ideas or a clue of what to investigate?

    Thanks in advance.

  12. I was able to get the installer to finish by opening Task Manager and killing all of the OpenSSL.exe instances.

    Replies
    1. Thanks for this hint! Without this would have been my next headache :D
