UPDATE 1/27/2013: I made a minor adjustment to the script to copy the Root64.cer file into the SSO directory, per updated VMware KB articles.
UPDATE 11/8/2012: The "ssl" directory for the web client may need to be in all lower case to avoid SSL certificate replacement issues, so I've changed the case in the script below.
---
Given the complexity and bugs with replacing the SSL certificates in vSphere 5.1, the method which seems to work pretty well is pre-staging the trusted certificates. In Part 2 of my vSphere 5.1 installation series, I show how to create the required SSL certificates. To make the installation a bit faster and less error prone, I wrote a super simple batch file that creates the required SSL directories and copies the certificates from Part 2 to the proper directories. You can then install the Inventory Service, vCenter, Web Client, and VUM with minimal fuss.
The batch file assumes the directory structure that I outlined in Part 2 is in place. Note that the SSO service, unlike the rest of the services, does not have a "default" directory for its SSL certificates. So I created one (see the first line in the batch file); because the SSO configuration files point to that location, keeping the certificates there protects them from getting messed with. Using a "temp" location for the SSO SSL certificates is therefore a bad idea, and will result in a broken install if/when those certificates are changed or deleted.
You can run the batch file after you complete Part 2, and before you proceed to any further sections. The SSO service still needs manual configuration for trusted SSL certs, but the rest of the services will automatically use the new certs.
After the batch file runs, you should see the rui.pfx, rui.key and rui.crt files in each of the SSL directories. You can proceed to Part 3 after you run the batch file.
--
REM Pre-stage the SSL certificates created in Part 2 (source tree under D:\Certs) into each service's SSL directory.
REM /XF excludes the CSR and the per-service .cfg file, so only rui.crt, rui.key and rui.pfx land in each target.
REM SSO has no default SSL directory, so create one under ProgramData and leave the certs there permanently.
mkdir C:\ProgramData\VMware\SingleSignOn\SSL
robocopy D:\Certs\SSO\ C:\ProgramData\VMware\SingleSignOn\SSL\ /XF rui.csr sso.cfg
REM SSO also needs the Base64 root CA certificate (see the 1/27/2013 update).
copy D:\Certs\Root64.cer C:\ProgramData\VMware\SingleSignOn\SSL\
REM Inventory Service
mkdir "C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl"
robocopy D:\Certs\Inventory\ "C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl" /XF rui.csr inventory.cfg
REM vCenter Server
mkdir "C:\ProgramData\VMware\VMware VirtualCenter\ssl"
robocopy D:\Certs\vCenter\ "C:\ProgramData\VMware\VMware VirtualCenter\ssl" /XF rui.csr vcenter.cfg
REM vSphere Web Client ("ssl" in lower case; see the 11/8/2012 update)
mkdir "C:\ProgramData\VMware\vSphere Web Client\ssl"
robocopy D:\Certs\WebClient\ "C:\ProgramData\VMware\vSphere Web Client\ssl" /XF rui.csr webclient.cfg
REM Update Manager
mkdir "C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL"
robocopy D:\Certs\VUM\ "C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL" /XF rui.csr vum.cfg
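As an added check (my own example, not code from the original post), the following PowerShell script confirms the result described above: each SSL directory exists, holds rui.crt, rui.key and rui.pfx, has no stray rui.csr, and the certificate in it is unexpired, CA-issued and names the expected host. It assumes the same target paths as the batch file; $ExpectedFqdn is a placeholder you replace with the FQDN used in your CSRs.

```powershell
# Added verification script (not part of the original post). $ExpectedFqdn is a placeholder.
$ExpectedFqdn = 'vcenter.example.com'

$SslDirs = @(
    'C:\ProgramData\VMware\SingleSignOn\SSL',
    'C:\ProgramData\VMware\Infrastructure\Inventory Service\ssl',
    'C:\ProgramData\VMware\VMware VirtualCenter\ssl',
    'C:\ProgramData\VMware\vSphere Web Client\ssl',
    'C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL'
)

function Test-PreStagedSslDir {
    param([string]$Dir, [string]$Fqdn)
    $problems = @()
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) {
        return [pscustomobject]@{ Dir = $Dir; Ok = $false; Problems = 'directory missing' }
    }
    # The three files the post says should be present after the copy
    foreach ($f in 'rui.crt', 'rui.key', 'rui.pfx') {
        if (-not (Test-Path -LiteralPath (Join-Path $Dir $f) -PathType Leaf)) { $problems += "$f missing" }
    }
    # The batch file's /XF switch deliberately leaves the CSR behind; flag it if it was copied anyway
    if (Test-Path -LiteralPath (Join-Path $Dir 'rui.csr')) { $problems += 'rui.csr present' }
    $crt = Join-Path $Dir 'rui.crt'
    if (Test-Path -LiteralPath $crt -PathType Leaf) {
        try {
            # .NET loads both DER and Base64 (PEM) encoded certificates from a file path
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt
            if ($cert.NotAfter -lt (Get-Date)) { $problems += "rui.crt expired $($cert.NotAfter)" }
            if ($cert.Subject -notmatch [regex]::Escape($Fqdn)) { $problems += "subject '$($cert.Subject)' lacks $Fqdn" }
            # Subject equal to Issuer means self-signed, i.e. not the CA-issued cert from Part 2
            if ($cert.Subject -eq $cert.Issuer) { $problems += 'rui.crt is self-signed' }
        } catch { $problems += "rui.crt unreadable: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Dir = $Dir; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

$report = @(foreach ($d in $SslDirs) { Test-PreStagedSslDir -Dir $d -Fqdn $ExpectedFqdn })
# Per the 1/27/2013 update, SSO also needs the Base64 root CA certificate next to its rui.* files
$rootCer = 'C:\ProgramData\VMware\SingleSignOn\SSL\Root64.cer'
if (-not (Test-Path -LiteralPath $rootCer -PathType Leaf)) {
    $report += [pscustomobject]@{ Dir = $rootCer; Ok = $false; Problems = 'Root64.cer missing from SSO SSL directory' }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it from an elevated PowerShell prompt after the batch file and before proceeding to Part 3; a non-zero exit code means at least one directory is not ready.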
Seems to be missing the " /XF rui.csr vum.cfg" from the Update Manager portion.
Also the Log Browser SSL copy commands are missing.
@Derek Thanks...added the /XF copy. I haven't tested pre-staging the Log Browser certs, so that's why those commands aren't listed.
Hi Derek
First, many thanks for all these procedures - I wouldn't have got anywhere with installing vCenter 5.1 without them!
I've done very limited testing (i.e. I've done this once), but it appears you can pre-stage the Log Browser certs by copying the relevant rui.crt, rui.key and rui.pfx files into a new C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf directory.
Regards.
Paul B
Please disregard my November 30, 2012 9:10 AM post - I was completely wrong about the pre-staging of the Log Browser certs!
Paul B
Hi Derek,
Do you know if you can pre-stage SSL certs for the other VMware products that use SSL, such as SRM, vCloud Director, Ops Manager?
Cheers..... =)
@Anonymous: No I have not had time to figure out the SSL steps with those products.
Any further insight on whether you can pre-stage the LogBrowser?
@anton: At this time I still have not tested pre-staging the LogBrowser.
I looked on two different vCenter servers and cannot find a folder named "c:\ProgramData\VMware\SingleSignOn" on either system. Did I do something wrong twice during installation?
@Jeff: Probably not. That directory is not created by the VMware installers. You must create that yourself.
First, thank you for all this great stuff!
I have installed all the vSphere 5.1.0b products with default SSL certificates. Is it possible to change the SSL certs afterwards?
@Anonymous: Absolutely it is, just significantly harder. My blog series has most of the instructions to do the post-install SSL replacement. What I don't have covered is the replacement of the actual vCenter server SSL certs (SSO, Inventory service, etc. ARE covered). VMware has a KB article for the vCenter service, but it's quite tedious.
The script worked fine, but before that I had to do the following:
Change the VUM in the UpdateManager path to UpdateManager (as it is in Part 1 of the install series).
I had to create the VMware dir under "Program Files (x86)" and grant the user I was currently logged on with (the vCenter service user) write permissions on this folder before the script was able to create the UpdateManager dir and copy the files.