In Part 7 of this series we installed vCenter Server 5.1.0b. Now that vCenter Server is installed, we need to proceed to getting the vSphere Web Client installed and configured. If you want to start back at part one of this vCenter 5.1 install series, you can find it here.
The web client has come a long way since vCenter 5.0. It is now the primary means to manage your vSphere 5.x servers and vCenter 5.x instances (does not manage vSphere 4.x or 3.x). In fact, nearly all new vSphere 5.1 features are ONLY exposed through the web client, such as VM hardware version 9 and new dVS features.
The Windows C# vSphere client is a dodo bird in the making, and will die off in vSphere v.Next. However, the web client requires all new plug-ins (such as those from server/storage vendors), and VMware did not migrate VUM to the vSphere web client. So to manage/configure/use VUM you still need to use the traditional C# vSphere client. Vendors such as HP and Cisco will release updated plug-ins later in 2012.
This installation process is fairly easy and quick, so let's get started!
1. If you wish to save yourself some headache, you can pre-stage your trusted SSL certificate to the Web Client SSL directory, so that upon installation it will automatically use your new certificate without any further work. If you used my pre-stage script from earlier in this series, you are already good to go. If you are doing this manually, then from your D:\Certs\WebClient directory copy the rui.key, rui.crt and rui.pfx files to:
C:\ProgramData\VMware\vSphere web client\ssl
If you have already installed the Web Client, or wish to manually replace the certificates you can check out Part 14.
2. Start the vSphere Web Client installation wizard from the main menu.
3. Click through the wizard until you get to the SSO logon screen. Enter the credentials you created during the SSO installation process.
4. Wait for the installation process to complete. The services may take a few minutes to fully start, so I'd wait a little bit after the install completes to move on to the next step.
5. To administer vCenter locally via the web client you need Adobe Flash. Yes, one of the most vulnerability-ridden pieces of software needs to be installed on your server (for local access). Install the latest version of Adobe Flash.
6. If you have any vCenter 5.0 (not 5.1) instances that you want the Web Client to manage, they require manual registration with the web client. The vCenter 5.1 instance you just installed will automatically be discovered and requires NO further configuration. If you don't need to register any vCenter 5.0 instances, skip to step 7.
A. Launch the vSphere Web Client Administration tool.
B. Acknowledge the SSL error, then you should be presented with a web page showing a warning that no vCenter 5.0 systems are registered. Click on Register vCenter Server.
C. Enter the FQDN of the vCenter 5.0 server as shown below in the first field (e.g. D001VCTR01.contoso.net). If during the registration process you get an SSL certificate warning, just accept it. For the vSphere web client server name enter the FQDN of your vCenter 5.1 server (assuming the web client is installed on your vCenter 5.1 server).
7. Launch the VMware vSphere Web Client from the start menu but DO NOT login. If you look at the bottom left of the screen you can download the Client Integration Plug-in. I would recommend you download and install the client, so you can enable features such as Windows session credentials to login to the web client. Unfortunately the IE plug-in won't work if your browser uses the more secure Protected Mode. So if you want increased security, don't bother with the plug-in.
Also, the Web Browser shortcut in the Start menu will cause an SSL validation problem since it uses "Localhost" instead of the FQDN. Once IE opens, modify the URL to use the FQDN, then bookmark the page and forget about launching the web client from the start menu.
8. Once the plug-in is installed you can now use your Windows session credentials to login. Do NOT login as the SSO account if you want to see your vCenter 5.1 servers. You must login with an account that is a member of the vCenter admin group. Validate that your vCenter 5.1 server is listed.
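A pre-flight check for the files staged in step 1, added here as an example and not part of the original series: it confirms that rui.crt and rui.pfx hold the same certificate, that the PFX carries a private key, and that the FQDN you browse to (the Localhost note in step 7) is in the certificate's subjectAltName. The function name and the `-Fqdn` and `-PfxPassword` parameters are assumptions; supply your own values.

```powershell
# Added example, not from the original post. -Fqdn and -PfxPassword are yours to supply.
function Test-StagedWebClientCert {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [Parameter(Mandatory = $true)][string]$PfxPassword,
        [string]$SslDir = 'C:\ProgramData\VMware\vSphere web client\ssl'
    )
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $problems = @()

    # All three files from step 1 must be present before the installer runs.
    foreach ($name in 'rui.key', 'rui.crt', 'rui.pfx') {
        if (-not (Test-Path (Join-Path $SslDir $name))) { $problems += "missing: $name" }
    }
    if ($problems.Count -gt 0) { return $problems }

    $crtPath = Join-Path $SslDir 'rui.crt'
    $pfxPath = Join-Path $SslDir 'rui.pfx'
    try {
        $crt = New-Object $type -ArgumentList $crtPath -ErrorAction Stop
        $pfx = New-Object $type -ArgumentList $pfxPath, $PfxPassword -ErrorAction Stop
    } catch {
        return @("cannot load certificate files: $($_.Exception.Message)")
    }

    if ($crt.Thumbprint -ne $pfx.Thumbprint) { $problems += 'rui.pfx does not contain the certificate in rui.crt' }
    if (-not $pfx.HasPrivateKey)             { $problems += 'rui.pfx has no private key' }

    $now = Get-Date
    if ($now -lt $crt.NotBefore -or $now -gt $crt.NotAfter) {
        $problems += "certificate not valid now ($($crt.NotBefore) to $($crt.NotAfter))"
    }

    # subjectAltName is OID 2.5.29.17; Format() renders it as label=value pairs.
    $san = $crt.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($san) { $names = $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1] } }
    if ($names -notcontains $Fqdn) { $problems += "FQDN $Fqdn not in subjectAltName ($($names -join ', '))" }

    if ($problems.Count -eq 0) { "OK: $($crt.Subject), thumbprint $($crt.Thumbprint)" } else { $problems }
}
```

Run it in an elevated PowerShell session before starting the installer; any line other than the `OK:` line names the file or field to fix.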
Update SSO Keystore
1. Login to the Web Client using the admin@system-domain account and your master password.
2. Go to Administration -> Sign-On and Discovery -> Configuration. Click on the STS Certificate tab.
3. Click on the Edit button then you need to navigate to the directory below and select the root-trust.jks file.
C:\Program Files\VMware\Infrastructure\SSOServer\Security
4. Enter the keystore password "testpassword". You should now see at least two entries in your keystore (more if you have intermediary CAs.)
5. Select the chain alias (rui) then click OK. Re-enter the password "testpassword".
6. Reboot the server, so that all services recognize the new certificate chain.
7. After the server reboots, and you wait a few minutes for all the services to start up, log back into the web client and review the certificates listed under the STS Certificate tab. You should now see two chains. One chain has an issuer of RSA Identity (the self-signed certs) and the other chain should reflect your CA infrastructure.
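To confirm from the command line that the keystore selected in step 3 opens with the guide's password and holds the `rui` alias and at least two entries, the following added example (not from the original series) wraps `keytool -list`. It assumes a JRE's keytool.exe is on the PATH; the function name is hypothetical.

```powershell
# Added example, not from the original post.
function Test-SsoKeystore {
    param(
        [string]$Keystore  = 'C:\Program Files\VMware\Infrastructure\SSOServer\Security\root-trust.jks',
        [string]$StorePass = 'testpassword',   # keystore password used in this guide
        [string]$Alias     = 'rui',            # chain alias selected in step 5
        [string]$Keytool   = 'keytool'         # assumption: a JRE's keytool.exe is on PATH
    )
    if (-not (Test-Path $Keystore)) { return "not found: $Keystore" }

    # keytool exits non-zero when the password is wrong or the file is not a keystore.
    $out = & $Keytool -list -keystore $Keystore -storepass $StorePass 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        return "keytool could not open $Keystore with this password: $($out | Select-Object -First 1)"
    }

    # Entry lines look like "<alias>, <date>, <something>Entry,"; take alias and entry type.
    $entries = @($out | ForEach-Object {
        if ($_ -match '^(.+?), .*?(\w+Entry)') {
            New-Object PSObject -Property @{ Alias = $Matches[1]; Type = $Matches[2] }
        }
    })

    $result = @()
    if ($entries.Count -lt 2) {
        $result += "only $($entries.Count) entry found; the guide expects at least two"
    }
    if (-not ($entries | Where-Object { $_.Alias -eq $Alias })) {
        $result += "alias '$Alias' is missing"
    }
    if ($result.Count -eq 0) {
        $result += "OK: $($entries.Count) entries, alias '$Alias' present"
    }
    $result
    $entries | ForEach-Object { "  $($_.Alias) ($($_.Type))" }
}
```

Pass `-Keystore` to point it at a different copy of root-trust.jks, for example one in your certificate working folder, and compare the two results.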
You can now proceed to Part 9, where I show you a couple of SSO configuration tweaks most people will want to make.








Derek, did you have any problems accessing the Log Browser in the web client? Seems to be related to the certs. I saw Terrafirma mention it http://communities.vmware.com/message/2117809#2117809 I haven't quite found a working solution yet.
Tim,
Terrafirm has sent me more details on getting the Log Browser to work. This weekend I'll confirm the fix and publish a new part to the series. It's harder than you think to get that piece working.
Derek, did you at any point receive any warnings from the web client that it failed to verify the vCenter SSL certificate? After I setup vCenter, I went right into the Web Client setup without verifying that the certs were working correctly on the vCenter server. When I first logged into the Web Client, I received the referenced error. I tried signing into vCenter using the full client, and I received a certificate warning. Upon looking at the details of the cert, I realized it was still giving out the default cert. I did some digging and realized I had not properly replaced the vCenter cert. So, I uninstalled/reinstalled vCenter (pre-populating the certs) and then reinstalled the Web Client, but I am still receiving the same error in the Web Client (vCenter is now giving out the correct certs and does not warn about being untrusted). Would you have any ideas as to what I may have missed or need to change? I have pretty much followed your guides to the letter, which BTW are awesome, except that I have all the parts installed on separate VMs. Thanks for any help you can provide and keep up the great and detailed work!
Hi Derek, having problems on starting VMware vSphere Web Client, I was following your tutorial, plus the VMware document http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf, but the document is terrible, mentioning folders on Windows 2008 that do not exist. I get the following error: The VMware vSphere Web Client service terminated with service-specific error Incorrect function.. (event ID: 7024). I already tried this fix (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2012473) but with no success, any ideas? Thanks in advance, Miguel
For me this was caused by not having enough memory for the VM hosting the Web service. Increase memory and try to start it again. Came right up for me.
Pedro, I haven't seen that error so can't really offer any advice on that problem.
Hi Derek, thank you for the great Tutorial :). I have problem with Web client ... I can't log-in. The message says:
Failed to connect to VMware Lookup Service https://myVCServer:7444/lookupservice/sdk - SSL certificate verification failed.
(image available here)
http://imageshack.us/a/img40/3387/certificateverification.jpg
and here
http://imageshack.us/a/img836/7170/404onlookupservicelink.jpg
- I have created and validated certificates
- I have placed them in proper directories
Do I have to install them somehow?
Also in the middle of installation I have run out of the space on that VM and had to expand it. That machine now has different IP now. Is that maybe cause of the problem?
Please help.
Thank you so much!
Dejan, I've seen that error before. I caused that issue when I deleted the SSO SSL certificates because I put them in a temp location. As it turns out the SSO service needs continuous access to its certificates. The way I fixed that error was a complete re-install. Due to so many re-installs, I can get the entire vCenter 5.1 stack installed in about 60 minutes following my guide. Changing the IP may cause issues too..not sure about that.
Hi Dejan and Derek,
I had the same error. The following fixed my problem:
C:\ProgramData\VMware\vSphere web client\registration_hooks\client-repoint.bat
Run this batch in an elevated cmd window and you are back in the game.
Regards,
Juergen
Derek, thanks for quick reply :)! When I put the certificate in for example "C:\ProgramData\VMware\SingleSignOn\SSL" do I have to install it... or just to leave it there is enough?
Thanks!
You have to follow the tedious installation instructions for the SSO certificates.
Hi Derek,
I have installed two vCenter servers and registered it with the single lookup service.
But when I try to logon using the SSO admin user to the vSphere web client, I get the following error:
Failed to verify the SSL certificate for one or more vCenter Server systems:
https://:443/sdk
Check the vSphere Web Client Administration tool and make sure that the SSL certificate is installed.
These two vCenters are part of the same AD, but only one vCenter is being shown in the web client.
Note that I have not installed any SSL certificates, I wanted to use the default one only.
How to resolve this error?
Hi Derek, I have finally got to the point where I was able to install the Web Client and log in into it .... Woo Hoo !!:))
Now when I log in I get the message
Could not connect to one or more vCenter Server systems:
https://myserver:443/sdk
So you know what system is that and maybe........... what I can do to fix it? :))
Thanks!!
Derek when I log in into the Web Client I don't see my VCenter server listed. Do I have to register it somehow??
Thanks.
Dejan
The vCenter 5.1 instance you install will auto-register with the Web Client. However, you won't see the vCenter listed if you login with the SSO admin account. You need to login with a regular vCenter admin account. In my case I have an AD group for vCenter admins, which is separate from the SSO admins.
Hi Derek, I have assigned some users to proper groups and now I can see the VCenter server! Thanks again for your help.
You rock man!
Dejan
Hi Derek,
I have the same issue as Dejan had but I have logged in using an AD admin account (permissions have been set) and I still can't see my vCenter Server - I get the same error:
Could not connect to one or more vCenter Server systems:
https://myserver:443/sdk
Any help is appreciated.
Ajay, you need to create "AD group for vCenter admins, which is separate from the SSO admins." as Derek said ...and assign some user to that group and then log-in into VCenter Web Client and then you shouldn't see that error.
Good Luck!
Hi Dejan,
I have already created an AD group and assigned it to the Administrators group in the web console (logging in with the admin@system-domain account). Then logged out and back in with an AD account.
This doesn't resolve it for me
Thanks
Just to make sure....
Are you sure that you added that AD user to _Administrators_ group in SSO users and groups section?
Hi,
I am planning to separate the Web service Client from the vCenter Server (recommended by VMware due to our environment size)
For those who have implemented this I wanted to ask if I need a Web service Client per vCenter Server or there is only need one for all the vCenters although I’m leaning towards having one per vCenter server
Regards,
Hooman
FYI, I had this error too:
Could not connect to one or more vCenter Server systems:
https://myserver:443/sdk
It was because I did not use the FQDN to the vCenter Server when installing vCenter and it prompts for the service account. It needs to be the FQDN to the server and not the domain where the service account resides. Why these are on the same screen with no explanation seems odd. Anyway, had to re-install vCenter, leave the FQDN at the suggested server.domain.com setting, and then Web Client connected first time with no issues.
Hi Derek,
I want to install the vSphere web client on a separate computer that isn't vCenter because I just do not want to install Flash player on my vCenter server. Do I need to take the certs for the vSphere web client I created in openssl on the vCenter server and transfer them to the computer I want the web client on's "c:\programdata\VMware\vsphere web client\ssl" directory, or do I only need to do that if I install the web client on the vCenter server itself?
Thanks,
Mike
@anonymous: You can install the web client on the vCenter server and NOT install flash. However, you will need to access the web client from another computer that does have Flash player.
Tnx for detailed steps, only strange thing is that when I want to look into the root-trust.jks file, I fill in the password "testpassword" and it keeps coming back with fill in pw popup. I tried everything I could think of, any idea?
I get the same thing. Any word back?
I am also getting this. When I pick the root-trust.jks in my "working folder" instead of the install location, it works fine.
I was doing so good with this blog until I ran into the "Update SSO Keystore". I used the scripts to create the Certs and keystores back on Part 2 but when I enter the password of testpassword to import the root-trust.jks, it keeps prompting for a password and doesn't take the testpassword as used by the script. Do I need to recreate the Keystore? Will that break anything?
Hi guys,
I ran into the same problem with the password popup to import the root-trust.jks. This last section requires you to select the root-trust.jks from the following location: C:\Program Files\VMware\Infrastructure\SSOServer\Security. However in the previous steps you only copy and rename the updated root-trust.jks to D:\certs\sso\server-identity.jks (also stated in the official VMware documentation). To resolve this issue I just selected the root-trust.jks from the d:\certs\sso directory which has been set with "testpassword"
Kind Regards,
Pieter Stevens
I was just having this issue today. This is my fourth vCenter install following this guide and I haven't had this issue until this install.
This fourth install I used a lot of scripts (to see if the scripting would work) and I ran into this issue.
I copied my root-trust.jks into the C:\Program Files\Vmware\Infrastructure\SSOServer\Security folder, renamed the original root-trust.jks (which was also 1KB in file size) to root-trust.jks.old, and then added my root-trust.jks file from the \Security folder (5KB in size).
Rebooted and the certs are present.
I don't know if this is useful, but after setting up the correct path of the cert folder and the other service(s) folders, everything goes on, but you have to respect a little thing: the name of Root64.cert MUST BE with first letter UP, and in folder c:\programdata\VMware\SSL there MUST BE present only ca_certficates.crt, that is a copy of Root64.cer, and a file with the name of the hash obtained with openssl (respect the use of has_old if you use the latest openssl distribution), with 0 (ZERO) extension
Hi Derek and other guys, I found a little trick.
After ending my lab with all the things up and running, I discovered that my fresh installation can't contact vCenter; googling, I found a mistake.
You must set the logon batch job right on the user that runs the vpxd service, in the local policies of the machine on which vCenter runs