---
Note 1: If you get an installation problem with an error code of:
"Error 29107. The service or solution user is already registered. Check vm_ssoreg.log in system temporary folder for details."
Then you probably have a duplicate SSL certificate problem. Meaning, you may have pre-copied the SSO or inventory service SSL certificates to the vCenter SSL directory. Since each service requires a unique certificate with a unique OU attribute, the system thinks the service is already registered.
Or perhaps you had a failed installation and it rolled back, or you are performing some type of upgrade where old certificates were used for both the Inventory and vCenter service. I would clean out the vCenter SSL certificates then re-run the installation.
Note 2: If you get an installation problem with an error code of:
Error 26002. Setup failed to register VMware vCenter Server to VMware vCenter Inventory Service.
Then you are probably using the 5.1 GA version and manually replaced the Inventory Service SSL certificates (instead of using the pre-installation method). You should be using the 5.1.0a (or later) installer, as I no longer got the 26002 error when manually replacing the Inventory Service certificates with it.
---
If you wish to save yourself some headache, you can pre-populate your trusted SSL certificates to the vCenter Server SSL directory, so that upon installation it will automatically use your new certificate without any further work. Replacing the vCenter certificates post install is tedious at best, and thus pre-population is STRONGLY recommended.
At this time I have not published post-install vCenter certificate replacement instructions, but you can find a VMware KB article on it here. They are VERY tedious and error prone. If you've already used my pre-staging script, found here, then no need to repeat the copy process below.
From your D:\Certs\vCenter directory copy the rui.key, rui.crt and rui.pfx files to:
C:\ProgramData\VMware\VMware VirtualCenter\ssl
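As an added example (my own code, not part of the original post or a VMware tool), the following PowerShell function stages the three files into the vCenter Server SSL directory and sanity-checks them first: rui.crt must begin with the BEGIN CERTIFICATE marker, rui.key must be a PEM private key, rui.pfx must not be empty, and the certificate subject must differ from the SSO and Inventory Service certificates so the installer does not see a "duplicate" service (Error 29107 from Note 1). The source directory is the post's D:\Certs\vCenter; the paths passed to -OtherCerts are hypothetical placeholders for wherever you keep the other two services' rui.crt files.

```powershell
# Added example, not from the original post. Stages the vCenter Server
# certificate files and checks for the problems reported on this page.
# Assumptions: files are in D:\Certs\vCenter; -OtherCerts paths are hypothetical.

function Test-PemFile {
    param([string]$Path, [string]$HeaderPattern)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Missing file: $Path" }
    # ReadAllText keeps this working on PowerShell 2.0 (no Get-Content -Raw needed)
    $text = [System.IO.File]::ReadAllText($Path)
    # Anything before the BEGIN marker (e.g. the text dump "openssl ca" writes
    # without -notext) makes vCenter Server reject the file.
    if ($text.TrimStart() -notmatch $HeaderPattern) {
        throw "$Path does not start with the expected PEM header ($HeaderPattern)"
    }
}

function Copy-VCenterCertificates {
    param(
        [string]$Source      = 'D:\Certs\vCenter',
        [string]$Destination = 'C:\ProgramData\VMware\VMware VirtualCenter\ssl',
        [string[]]$OtherCerts = @()    # hypothetical: SSO and Inventory Service rui.crt paths
    )
    $crt = Join-Path $Source 'rui.crt'
    $key = Join-Path $Source 'rui.key'
    $pfx = Join-Path $Source 'rui.pfx'

    Test-PemFile -Path $crt -HeaderPattern '^-----BEGIN CERTIFICATE-----'
    Test-PemFile -Path $key -HeaderPattern '^-----BEGIN (RSA |ENCRYPTED )?PRIVATE KEY-----'
    if (-not (Test-Path -LiteralPath $pfx)) { throw "Missing file: $pfx" }
    if ((Get-Item -LiteralPath $pfx).Length -eq 0) {
        throw "$pfx is empty; the OpenSSL pkcs12 export probably failed"
    }

    # Each service needs its own certificate with a unique subject (unique OU);
    # a duplicate makes the installer think the service is already registered.
    $vc = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt
    foreach ($other in $OtherCerts) {
        $o = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $other
        if ($o.Subject -eq $vc.Subject) {
            throw "Subject of $other duplicates the vCenter certificate: $($vc.Subject)"
        }
    }

    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    foreach ($f in $crt, $key, $pfx) {
        Copy-Item -LiteralPath $f -Destination $Destination -Force
    }
    Write-Host "Staged '$($vc.Subject)' (thumbprint $($vc.Thumbprint)) into $Destination"
}

# Usage (the two -OtherCerts paths are placeholders for your own layout):
Copy-VCenterCertificates -OtherCerts 'D:\Certs\SSO\rui.crt', 'D:\Certs\Inventory\rui.crt'
```

Run it from an elevated prompt on the vCenter server before launching the installer; if any check throws, fix the certificate files rather than continuing, because the installer's own error messages for these cases are far less specific.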
1. In Part 1 I created a service account that the SSO service uses, and for the sake of simplicity I'll use the same service account for the vCenter Server service. Log in to your vCenter server as the service account. It should already have local admin rights on the vCenter server. Launch the vSphere 5.1 installer menu, select VMware vCenter Server and start the installation.
2. Select the appropriate language, read through all of the patents, EULA, and enter a license key if you have one.
3. On the Database Options screen select the second option and then, if all went well, pick your vCenter DSN from the drop-down menu.
4. Since we are using Windows authentication to the SQL server (more secure than SQL authentication), you can't enter a database username or password.
5. You will likely see this warning message about the SQL database in full recovery mode, and that it may consume a lot of disk space without regular backups. This is normal and do NOT be alarmed. You ARE doing regular SQL backups right?
6. If you are running the installation as the vCenter service account (which you should be), then the account name will be pre-populated and you need to enter the appropriate password.
7. We don't need to join an existing Linked mode group, so standalone is fine.
8. All of the default port numbers are fine, and for small environments we don't need to increase the number of available ephemeral ports. If you will be powering on more than 2,000 VMs, then check the box.
9. JVM memory is an important configuration parameter, so carefully choose the right value. It doesn't hurt to select a larger value, assuming you have adequate memory assigned to the vCenter VM.
10. New to vSphere 5.1 is the SSO service, so we need to input the master password used during the SSO installation process which I covered in part 1. The wizard will validate the password.
11. At this prompt you need to enter the group or user that will be recognized by the SSO service as the vCenter administrator. If you installed the SSO service in High Availability mode, then you will probably get an error "Wrong Input - either a command line argument is wrong...." if you try and use the "Administrators" group. So I would create an AD group that you want to use. Following my RBAC naming convention I specified the appropriate AD group. Use whatever group name you wish. The wizard will validate that it exists.
Note: If you get stuck at this point in the installer, check out the reader feedback below. Ben Hicks and John have some great tips on possible solutions.
12. Next you should see the vCenter Inventory Service URL, which needs no modifications.
13. Change the installation path if you wish, but I left it at the default value. Then click Install and wait for it to complete. The Profile-Driven Storage component may take a loooong time to install, 20 minutes or more, so be patient while the installer runs.
14. Per a VMware KB article you need to fix the ADAM SSL port registry type. To fix this issue navigate to:
HKLM\SYSTEM\CurrentControlSet\Services\ADAM_VMwareVCMSDS\Parameters
Delete the Port SSL value (the installer creates it as a REG_SZ string) and recreate it as a 32-bit DWORD with a decimal value of 636. Note: Per reader feedback, if you are using Linked Mode, use a different port number (above 1025) for Port SSL, otherwise there will be a conflict with the port Linked Mode already uses.
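The registry fix in step 14, scripted as an added example (my own PowerShell, not from the original post or a VMware KB). It reports the current value type, removes the value, recreates it as a DWORD and verifies the result. The default is 636; on a Linked Mode member pass a port above 1025 as the reader feedback describes. The function name is my own.

```powershell
# Added example, not from the original post. Recreates the ADAM "Port SSL"
# value as a 32-bit DWORD (see step 14). Run from an elevated prompt.

function Set-AdamSslPort {
    param([int]$Port = 636)   # Linked Mode: use a port above 1025 instead

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADAM_VMwareVCMSDS\Parameters'
    $name = 'Port SSL'

    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port $Port is out of range" }
    if (-not (Test-Path -LiteralPath $key)) { throw "Registry key not found: $key (is vCenter installed?)" }

    $regKey = Get-Item -LiteralPath $key
    if ($regKey.GetValueNames() -contains $name) {
        # The installer leaves this as a REG_SZ string; that is the bug being fixed.
        $kind  = $regKey.GetValueKind($name)
        $value = $regKey.GetValue($name)
        Write-Host "Current '$name' is $kind = $value; removing it"
        Remove-ItemProperty -LiteralPath $key -Name $name
    } else {
        Write-Host "'$name' does not exist yet; creating it"
    }

    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord -Value $Port | Out-Null

    # Re-read the key so the verification does not use a stale handle.
    $verifyKind  = (Get-Item -LiteralPath $key).GetValueKind($name)
    $verifyValue = (Get-Item -LiteralPath $key).GetValue($name)
    if ($verifyKind -ne 'DWord' -or $verifyValue -ne $Port) {
        throw "Verification failed: '$name' is $verifyKind = $verifyValue"
    }
    Write-Host "'$name' is now $verifyKind = $verifyValue"
}

# Standalone vCenter (default):
Set-AdamSslPort
# Linked Mode member, per the reader feedback (example port, pick one free on your box):
# Set-AdamSslPort -Port 1026
```

Get-Item on a registry path returns a RegistryKey object, which is why GetValueKind and GetValue are available for the before/after check; the throw at the end is there so a failed change is never silently ignored.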
Assuming a successful installation, you can proceed to Part 8, where we install the vSphere Web Client.
Hi Derek,
I had all sorts of issues getting it installed with my own SSL certificates and found that in the end the only way was to have a different certificate for every service with different Common Names, e.g. server-SSO. Also all the other details in the Distinguished Name section must be different on each cert.
Now I have everything working except the web client, as it loads but with a blank screen even with the default cert. I think it does not like the custom certs on the other services, so I'm working on this now.
Terafirma,
Excellent to know! I'm trying a fresh install as well, each with different certs from my 2008 R2 CA. I'll see how that goes!
Also you need to add all certs and CA certs into the trust store in ProgramData\VMware\SSL using the file name hash.0 hash.1 hash.2 etc.
This can be found using openssl x509 -subject_hash_old -noout -in rui.crt on each cert.
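The trust store naming Terafirma describes, as an added example (my own PowerShell, not from the original post or a VMware script): the function asks openssl for the old-style subject hash, picks the next free .N suffix in C:\ProgramData\VMware\SSL (hash.0, hash.1, ...) and skips the copy if the same certificate is already there. It assumes openssl.exe is on the PATH and that the certificate is in PEM form; the function name is my own.

```powershell
# Added example, not from the original post. Copies a CA or service
# certificate into the VMware trust store as <subject_hash_old>.<N>.
# Assumes openssl.exe (OpenSSL-Win32 or -Win64) is on the PATH.

function Add-VMwareTrustStoreCert {
    param(
        [Parameter(Mandatory=$true)][string]$CertPath,
        [string]$StorePath = 'C:\ProgramData\VMware\SSL'
    )
    if (-not (Test-Path -LiteralPath $CertPath)) { throw "Missing file: $CertPath" }

    # Same command Terafirma gives; only stdout is captured, so a failure
    # shows openssl's own message and leaves $LASTEXITCODE non-zero.
    $hash = (& openssl x509 -subject_hash_old -noout -in $CertPath | Out-String).Trim()
    if ($LASTEXITCODE -ne 0 -or $hash -notmatch '^[0-9a-f]{8}$') {
        throw "openssl could not compute the subject hash for $CertPath (got '$hash')"
    }

    if (-not (Test-Path -LiteralPath $StorePath)) {
        New-Item -ItemType Directory -Path $StorePath | Out-Null
    }

    $new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Walk hash.0, hash.1, ... until a free slot; certificates whose subjects
    # collide on the 8-hex-digit hash share the stem and differ only in N.
    $n = 0
    while ($true) {
        $candidate = Join-Path $StorePath "$hash.$n"
        if (-not (Test-Path -LiteralPath $candidate)) { break }
        $existing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $candidate
        if ($existing.Thumbprint -eq $new.Thumbprint) {
            Write-Host "Already present as $candidate"
            return $candidate
        }
        $n++
    }

    Copy-Item -LiteralPath $CertPath -Destination $candidate
    Write-Host "Added '$($new.Subject)' as $candidate"
    return $candidate
}

# Usage: the root CA plus each service certificate (paths are placeholders).
Add-VMwareTrustStoreCert -CertPath 'D:\Certs\Root64.cer'
Add-VMwareTrustStoreCert -CertPath 'D:\Certs\vCenter\rui.crt'
```

Comparing thumbprints rather than file bytes means a re-export of the same certificate with different line endings is still recognised as already present, so the store does not fill up with duplicate hash.N entries.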
Terafirma, yes, now that you point that out, I found that in the VMware PKI Guide. I'll amend my post. Thanks for catching that!
Terafirma: I've updated Part 3 with the trust store steps.
Got the Web Client going; it turned out to be just not waiting long enough for the service to start and compile its keystore (me getting frustrated and impatient).
The only annoying thing is that the Web Client can only have its cert updated by putting it in the ProgramData\vSphere Web Client\SSL\ folder before install, as the register-sso scripts that VMware reference don't actually exist!!
I must say VMware really dropped the ball on SSL certs this release; bring on vCertManager from Michael Webster.
All that is left now is Orchestrator.
Derek,
Thanks for your document. I tried my best from your doc and got to the vSphere server installation almost done; then the system came up with the error 26002 Setup failed to register VMware vCenter Server to VMware vCenter Inventory Service. I wonder if you have seen this error before. I need some help. Thanks again!
Anonymous: Yes, I've run into the exact same problem and have an open case with VMware tech support. There is widespread frustration in the community with trying to get SSL certs working. For now I'd skip the trusted SSL certificate generation and go with the vanilla install. As reliable solutions emerge I'll update my posts with better instructions.
Anonymous, you can work around the 26002 setup failure by skipping Part 5, replacing the Inventory Service SSL certificate. You can replace the SSO certificate and the install will continue as one would expect. I'll keep researching the Inventory Service SSL problem.
How do I change the vCenter SSL certificates?
Using custom SSL certificates in vCenter 5.1 is a fucking pain.
Anonymous, I'm working on those instructions. They are covered in the VMware certificate replacement guide, but are quite painful. My first priority is to get the Inventory Service fixed before trying to do anything else with SSL certs.
Hi Derek, appreciate all your patience & time in writing these great posts! Just a quick question from my end: Ours is a small environment running with vCenter 4.1, SQL 2005 Express & six ESX 4.1 hosts.
Planning to perform an in-place upgrade of vCenter 4.1 to 5.1 using the Simple Install option & SQL 2008 R2 Express (bundled along with vCenter). Do you think it should be straightforward, or are there any hiccups which I need to work on before proceeding? Thanks for your time!
I haven't done in-place upgrades, and given the problems with 5.1, I would expect some hiccups. VMware is rumored to be releasing an update sometime this month to address the SSL problems. So personally I'd wait on the patch/update before upgrading. If your vCenter/SQL/etc. are on one VM, then just snapshot the VM and see how the upgrade goes. If it goes south, just revert to the snapshot.
On your step 11, how do you get this AD account into the SSO server before you can install vCenter Server with this AD account?
In step 11 the group I reference is not yet in the SSO server. All you need to do is create it prior to installing vCenter, and the installer will authorize it in the SSO service.
Derek, how do you log into the machine with the service account, as that account was supposed to be just for services and shouldn't be able to log in? I can't make it work...
Thanks.
A service account is no different from a regular user account in AD. The service account must have local admin rights on the vCenter server. So once you put the service account in the local admins group on the vCenter server, you should be able to login with no problem.
Derek,
I have added the administrator as a single user in step 11, and modified the _administrators_ group and added other AD accounts to it, but the users cannot log in to either the vSphere Client or the Web Client.
How can I modify the users in the administrator role (under SSO users and groups), or create a new role with admin privileges and add the users to it?
Please help and advise.
We had an issue in that the dialog in 11 above never shows during a 5.0 to 5.1 upgrade. So we ended up with no admin access to vCenter and no one can log in. Ever run into this? The dialog in 11 was shown in a test environment but not in production.
Thank you for your extensive instructions on how to install the new vCenter Server 5.1. They have been very helpful to me.
Especially after one of my production vCenter servers crashed last weekend, with the exact same symptoms as the test vCenter server that crashed after replacing the SSL certificates: an empty VPX_ACCESS table and a vCenter Server service that would start and immediately stop. Even though I didn't touch the certificates, I just patched and rebooted it. I managed to fix it by reinstalling the vCenter Server service and changing the default admin group added and the default SSL port, since the server also had the SSL port value as a REG_SZ in the registry. In our case however, since it was (is) a server in Linked Mode, I had to change the port to 1025 instead of 636 as mentioned above in point 14, because Linked Mode has SSL port 636 in use for its local instance (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2031843).
Maybe you can add that to point 14: when you use Linked Mode you should change the SSL port to 1025 or above.
Thanks for the feedback! I updated step 14.
I got "The local OS identity source is not registered with the SSO installation" error at the end of configuration and I can't install it (vCenter Server). Any idea how I can fix it?
I had the same problem... then I changed the admin account on the vCenter install page from "administrators" to "administrators@domain.com" and it worked... seems like it was choking on the domain component of the user account.
jim
Hi Derek,
I have reached Part 7 (great tutorials btw) and got stuck at the point where I am asked for the vCenter Administrator recognized by vCenter SSO. I am not running it in AD (I have a standalone server). I made a local group with users in it. However I'm still getting the error message "the user or group that you are trying to assign vcenter server administrative privileges is not exist". Any suggestions?
Thanks in advance
Hi Derek,
Great tutorial. I have a quick question. After finishing the vCenter installation I couldn't start the service. I've found the following error messages:
error 'Default'] [0] error:0906D06C:PEM routines:PEM_read_bio:no start line
error 'Default'] [1] error:0906D06C:PEM routines:PEM_read_bio:no start line
error 'Default'] [2] error:02001002:system library:fopen:No such file or directory
error 'Default'] [3] error:2006D080:BIO routines:BIO_new_file:no such file
error 'Default'] [4] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
error 'Default'] Failed to initialize the SSL context: SSL Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line
Do you have any ideas?
@Mark: I would review the certificate files and ensure they have the proper start/end headers. Sounds like malformed certificates to me.
I had the exact same error and even opened a case with VMware, but I have managed to fix this myself.
Following every guide I could find, they kept saying to use OpenSSL-Win32. I tried several times to create the certificates and it kept giving me this error.
I ended up humouring myself and installing OpenSSL-Win64 1.0.1c and, lo and behold, vCenter now happily accepts the pre-staged SSL certificates.
Give that a try, might work for you.
I am still battling with the vSphere Web Client though. I keep getting the yellow warning:
Failed to verify the SSL certificate for one or more vCenter Server systems:
https://(vcenterserver URL):443/sdk
Check the vSphere Web Client Administration tool and make sure that the SSL certificate is installed.
Still working on this one, hopefully VMware can offer me something. I followed KB2036505 but still no luck.
The whole thing that just annoys me is if VMware are pushing for everything to be web based they MUST provide an easier way to generate CSRs and import the signed certificates. It's just crazy in 2012 we are still fighting this stuff.
@Chris: Interesting! I used the 32-bit version and never had an issue. Glad 64-bit works for you.
Hi,
I have pre-staged the vCenter certificate and the installation works fine.
But the Management Web Services will not start. In the catalina.XXX-XX-XX.log I found the following lines:
Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
at sun.security.util.DerValue.init(DerValue.java:347)
at sun.security.util.DerValue.(DerValue.java:303)
some ideas?
Hi,
I found the problem. I had an OpenSSL error, so the .pfx file was empty.
After recreating the pfx file the webservices started successfully.
Looking for some help here, running through your install guides... WHICH ARE FANTASTIC BTW... but I am running into some issues that hopefully someone can help me out on. Installing on a fresh, brand new environment... vCenter / SSO etc. does not exist, so no upgrade... just a straightforward install from scratch. Here are my issues.
1. SSO - As some earlier in the replies stated: Getting the following error when running "rsautil manage-oc-administrators -a list": "Error: Bean (PrimaryCommandTarget) initialization failure java.io.IOException: Invalid keystore format". But no resolution or a fix.
2. At the vCenter install. I am at the "vCenter Server administrator recognized by vCenter Single Sign On" section, where it prompts me to enter a group name. I have tried everything: local AD group / global AD group / local user account etc. But I keep getting "The user or group that you are trying to assign vCenter Server administrative privileges to does not exist"... I am suspecting the "does not exist" means does not exist in SSO? Any help would be greatly appreciated.
With regards to the "The user or group that you are trying to assign vCenter Server administrative privileges to does not exist"...error that I was getting. I read a post to try to use groupname@domain.com...and surprise surprise, that worked for me.
Hi,
Thank you for your post. It is really helpful. Keep it up!
Cheers
A lesson learned: I received the dreaded Error 26002 error during my first install even when using the newer version of the vCenter install media. In my case the issue seems to have been caused by having the Web Server Role installed on the server. I know you're not supposed to have IIS on the box but I had the default web site stopped and disabled so I assumed it wouldn't conflict. Apparently it conflicts anyway, because the only way I was able to successfully install vCenter was to remove the Web Server role completely from the server. It is not enough to just stop or disable it. Hopefully this helps someone else.
About Error 26002. I got it as well although I followed all the instructions in your great posts.
After some hair pulling it turns out that vCenter Server, unlike all other components, doesn't like certificates that have any text before the start certificate marker. If you sign your certificate requests using openssl ca like I do, then by default openssl adds the text form of the certificate before the encoded form in the resulting rui.crt file.
To get around this, either edit the certificate in Notepad and remove all the text before the start certificate marker, or better yet add the -notext switch to the openssl ca command when signing the request.
During step 11 of the installation I have tried to use a domain account, domain group, local group and local account, but I still get the following error: "The user or group that you are trying to assign vCenter Server administrative privileges to does not exist". Is there any way to resolve the issue? The VM where I try to install vCenter is part of a Windows domain.
I have just managed to resolve this issue. When trying to install vCenter Server, I was getting the "does not exist" error. I tried everything to resolve this with regards to formatting of names / local vs domain users and groups but to no avail. The solution was to install the Web Client before vCenter. Once you have the Web Client installed, you log in as your admin@system-domain user and go to "Sign-on and discovery" and then configuration. You need to add an identity source that corresponds to your domain. Put in a domain controller server with the format of ldap://fqdn and enter the rest of the relevant settings.
*note* There appears to be a bug that resets the base group DN to that of the base user DN. Double check this if it fails.
Test the connection and save.
If you want to test the lookup manually before re-running the install - you can run the following commands:
******
set JAVA_HOME=c:\program files\vmware\infrastructure\jre
cd "c:\Program Files\VMware\Infrastructure\Inventory Service\sso"
regtool checkPrincipalExists -d https://INVENTORYSERVER:7444/lookupservice/sdk -u admin@system-domain -p YOURPASS -P group@domain.com -g
*******
** The -g denotes a group - omit this if you want to lookup a user **
If this works, the installation should complete successfully.
Hope this helps.
-Ben
Great, great tutorial...
I met a problem registering the vCenter Server Administrator group. I made a group (netgus\APP_VCTR_All_Administrators) and I receive a message saying it can't find my group in my Active Directory. I may have missed a step, but I found this article on the Internet: http://www.vblog.ch/vcenter-upgrade-5-0-u1-to-5-1/
Have you an idea?
I found the problem...
First, you should not use another language than English, even if VMware offers you your language (French for me).
Second, when I installed SSO, I received an error "Error 29155.Identity source discovery error". I had to install VMware vSphere Web Client and add my AD identity source, but if your OS language is French, you will receive some strange errors such as "illegal character in scheme name at index 0". If you use the English language, you'll have no problem.
I have not been able to secure the channel between my databases and my vCenter with JDBC. I tried some combinations, but nothing works. Is it possible to configure it afterwards? I don't know.
Hi Derek, Thank you for your great Tutorial!
As for the Error 26002: Setup failed to register VMware vCenter Server to VMware vCenter Inventory Service.
I got it also with Release 5.1a, the Solution was that the vCenter Certificate rui.crt must not contain any data before ---- Begin Certificate ----- and after ---- End Certificate -----.
Hi Derek! Thank you for your great Tutorial!
It helps me very much! My English is bad, but I need help with the VMware vSphere Profile-Driven Storage Service.
This service doesn't start, with the error:
com.vmware.vim.binding.vim.fault.NoClientCertificate: Client connected without supplying a certificate.
Help me please.
Hi,
Derek, just would like to say that this blog is amazing, it is very detailed and thorough.
Just wondering if anyone can shed some light here. I'm trying to upgrade from 5.0U1 to 5.1 on a different box.
I saw the below from the official vmware Doc:
"You can migrate an existing vCenter Server to a different machine during an upgrade to version 5.0, and then perform an in-place upgrade from version 5.0 to version 5.1. See the version 5.0 vSphere Upgrade documentation."
Has anyone tried a NON in-place upgrade to 5.1? If so, how did you manage to restore the 5.0 database to 5.1? I believe Derek's blog creates a new database for vCenter instead of using the existing database.
Thank you,
@anonymous: Yes my instructions are for a clean install. Given all of the problems with 5.1, personally I'd NEVER put it into large scale production. I'm waiting for the 2013 release..vSphere 6.0 or whatever they call it. 5.0 U1/U2 are perfectly stable.
Hi,
Thanks a lot for this great article!
I really could use some help here. When running the vCenter Server install wizard I keep getting stuck at the "vCenter Inventory Service information" window. Every time I get the warning saying "Setup failed to validate VMware vCenter Inventory Service, error occurred while talking...". I really have no clue what could be the reason. Any assistance would be highly appreciated. Running installer v5.01b BTW. Cheers, B.
@OP: This page should become page 8, and page 8 should become this page. The web client needs to be installed prior to the vCenter Server installation.
For those of you stuck at step 11, user Ben Hicks' suggestion is the key. First, run his console commands and let it fail.
Next, close the vCenter server install, go to page 8 of this guide: http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-8_22.html
and install the Web client.
Once installed, log into the web client using your "admin@System-Domain" account. The web address should be: https://localhost:9443/vsphere-client/ (use localhost as the name).
Click the administration tab on the left side of the screen.
Click on "Configuration" under Sign-On and Discovery.
Click the green plus sign in the top pane which should open "Add identity source"
For me, using Windows active directory, select "active directory".
Name: your FQDN (johndball.com in my case)
Primary server: ldap://fqdn
Secondary server: ldap://fqdn (of your second DC)
*I tried using ldaps (LDAP SSL) but was having a problem importing my AD server cert, so I just stuck with non-SSL LDAP authentication which worked
Base DN for users: dc=yourdomain,dc=yourTLD (in my case dc=johndball,dc=com)
Domain name: Your FQDN again (in my case johndball.com)
Domain alias: Your netbios name (in my case JOHNDBALL)
Base DN for groups: cn=users,dc=johndball,dc=com (I'm pulling groups out of my users container, not a special organization unit for groups)
Authentication type: Password
Username: yourdomain\someaccount
Password: self explanatory
Test the connection. If it fails, check your server settings.
Click ok.
Go to the bottom pane, move your domain to the top using the arrows, hit the disk icon to save settings (click through any warnings). At this point, you SHOULD be able to re-run Ben Hicks' command and succeed.
If not, go to SSO Users and Groups on the left
Click __Administrators__ and select the "man" icon with the plus sign. For identity source, your domain should appear in the drop down. In my case, I added a special group for VM admins called, you guessed it, VMwareAdmins. Add that to the box and hit "search".
Add your group to the account.
Log out and run Hicks' command again. It should work (it did in my case).
Restart the instructions on this page and the install should succeed (again, it worked in my case).
@John: I haven't seen documentation stating the Web Client should be installed before vCenter server. In KB 2021202 it states the install order should be 1. vCenter Single Sign on 2. Inventory Service 3. vCenter server. (doesn't list the rest of the services).
I do appreciate the lengthy troubleshooting and feedback.
I agree. I couldn't find anything in the VMware docs either, but it fails this way (which is the recommended "VMware" way). I know it wasn't just my setup, as seen from the other comments, and on a deployment done by a friend of mine.
I'll tell ya this, if it wasn't for your instructions thus far, I'd be way out in left field. On to page 8!
VMware and Microsoft - Sister 800 pound gorillas.
Hi John / Derek,
The install tip came direct from VMware tech support. I think the issue came about (in my case) from an incorrect reverse lookup on the VM's IP address. During the installation it throws up an error about not being able to correctly resolve and that it may cause problems. My guess is that it uses the PTR record to locate the local domain name and from there a domain controller. If the lookup works correctly, this information is populated and the Web Client installation is not needed.
Either way, once this was all completed I had certificate problems when trying to export the SSO configuration (we have both an issuing and root CA that I think caused the problems). After trying for a couple of days to resolve I had to revert to 5.0 U2 - project timescales wait for no-man !!
Once again, excellent guide - thank-you for your time.
-Ben
The installer hung at step 10 until I copied the Root64.cer file, renamed to its hash with the added extension .0 (i.e. 97527d09.0), to the folder C:\ProgramData\VMware\SSL, as was required for SSO and Inventory Service when they were installed on separate VMs.
Hope it helps anyone who is installing everything separately.
Derek,
I am looking for some advice concerning a 'sort of' upgrade.
I am installing 5.1 on a clean system using your instructions but I want to connect it to an existing 4.1 database. Parts 1-6 have worked beautifully so I want to continue along this path. When I install vCenter Server and connect to the existing db, an upgrade dialog is presented as expected. Once the upgrade starts, however, a SQL exception is thrown. Our environment is small; 6 hosts and about 50 VMs so I am wondering if I should continue to troubleshoot this problem or just create a clean database and re-add the hosts? Our 4.1 (upgraded from 4.0) did not have custom certs.
Thank you for the time that you put into this wonderful guide. It has probably saved me days of headaches so far.
Error 25003 Failed to create Repository
=> uninstalled the English SQL client and installed the same as my OS/DB language version (German)
=> Same Problem
=> Rebooted the vcenter Server and DB Server
=> Installation successful