May 19

vCenter Server 6.0 Availability Guide

vCenter Server has become a mission-critical part of most virtual infrastructures, and it is a single point of failure if it is not designed for availability. vCenter Server 6 introduces many changes to vCenter Server and its components, so its architecture has to be designed with care.

There are multiple solutions for high availability, and many of them can be combined to provide different levels of availability. vSphere HA, FT, the vCenter Watchdog services and in-guest clustering solutions can be combined depending on the customer's availability requirements.

The Platform Services Controller (PSC) serves many VMware solutions in addition to vCenter Server such as VROPS, View, etc. The PSC deployment modes have to be carefully evaluated based on unique customer requirements and architected appropriately as well.

The VMware vCenter Server 6.0 Availability Guide is a great resource for architecting an HA solution for vCenter Server. I hope you find it useful!
Posted on May 19, 2015 by Mohan Potheri



Dec 02

ESXi and vCenter Server 5.5 Documentation – Password Requirements

Purpose

Password requirements differ for vCenter Server and for ESXi hosts.

vCenter Server Passwords

In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory, OpenLDAP, or the local operating system for the vCenter Single Sign-On server. See Edit the vCenter Single Sign-On Password Policy, or see the relevant Active Directory or OpenLDAP documentation.

ESXi Passwords

By default, ESXi enforces requirements for user passwords.

Your user password must meet the following length requirements:

    ■ Passwords containing characters from one or two character classes must be at least eight characters long.
    ■ Passwords containing characters from three character classes must be at least seven characters long.
    ■ Passwords containing characters from all four character classes must be at least six characters long.

When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.

The password cannot contain the words root, admin, or administrator in any form.

Note

An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

You can also use a passphrase, which is a phrase consisting of at least three words, each of which is 8 to 40 characters long.

Example: Creating Acceptable ESXi Passwords

The following password candidates meet the requirements of ESXi.

    ■ xQaTEhbU: Contains eight characters from two character classes.
    ■ xQaT3pb: Contains seven characters from three character classes.
    ■ xQaT3#: Contains six characters from four character classes.

The following password candidates do not meet the requirements of ESXi:

    ■ Xqat3hb: Begins with an uppercase character, reducing the effective number of character classes to two. Eight characters are required when you use only two character classes.
    ■ xQaTEh2: Ends with a number, reducing the effective number of character classes to two. Eight characters are required when you use only two character classes.
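The two exceptions in the Note above are easy to misjudge by hand, so the following Python script, an added example that is not part of the VMware documentation or of ESXi itself, models the quoted rules: class-based minimum length, the leading-uppercase and trailing-digit exceptions, the root/admin/administrator ban, and the passphrase alternative. It reproduces the accepted and rejected candidates listed above. ESXi itself enforces these rules through the pam_passwdqc PAM module, which this script does not call; the passphrase check assumes words are separated by whitespace, which the KB text does not state.

```python
"""ESXi 5.5 password-policy checker (added example, not VMware code).

Models the documented rules only; it does not call pam_passwdqc, which is
the module ESXi actually uses to enforce them.
"""

FORBIDDEN_WORDS = ("root", "admin", "administrator")

# Minimum password length by number of effective character classes (1..4).
MIN_LENGTH = {1: 8, 2: 8, 3: 7, 4: 6}


def effective_classes(password: str) -> int:
    """Count character classes used, ignoring a leading uppercase letter and
    a trailing digit, as the ESXi note specifies."""
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    classes = set()
    for ch in body:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")   # underscore, dash, punctuation, space
    return len(classes)


def is_passphrase(candidate: str) -> bool:
    """At least three words, each 8 to 40 characters long.
    Assumption: words are separated by whitespace."""
    words = candidate.split()
    return len(words) >= 3 and all(8 <= len(w) <= 40 for w in words)


def check_esxi_password(candidate: str):
    """Return (accepted, reason) for a candidate password or passphrase."""
    lowered = candidate.lower()
    for word in FORBIDDEN_WORDS:
        if word in lowered:
            return False, f"contains forbidden word '{word}'"
    if is_passphrase(candidate):
        return True, "accepted as passphrase"
    n = effective_classes(candidate)
    if n == 0:
        return False, "no characters count toward any class"
    required = MIN_LENGTH[n]
    if len(candidate) < required:
        return (False,
                f"{n} effective class(es) require {required} characters, "
                f"got {len(candidate)}")
    return True, f"{len(candidate)} characters from {n} effective class(es)"


if __name__ == "__main__":
    # The KB's own candidates plus two constructed ones.
    for pw in ["xQaTEhbU", "xQaT3pb", "xQaT3#", "Xqat3hb", "xQaTEh2",
               "Rootbeer99!", "northern lighthouse watchman"]:
        ok, why = check_esxi_password(pw)
        print(f"{pw!r:32} {'OK  ' if ok else 'FAIL'} {why}")
```

Note that a space counts as a special character, so a long multi-word string that fails the passphrase test (one word too short, for instance) can still be accepted as an ordinary password on length grounds; the passphrase rule only matters when the words alone carry the phrase past the check.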



May 06

Methods for installing vCenter Server 5.1 (2032885)

Purpose

This video discusses and demonstrates how to install VMware vSphere vCenter Server 5.1 using the Simple Install method.
In particular, this video tutorial shows how to perform a basic installation of the vCenter Single Sign On, Inventory Service, and vCenter Server components on a single host machine using the vCenter Server Simple Install option.

Before installing vCenter Server 5.1, vSphere 5.1 requires you to install vCenter Single Sign On and install the Inventory Service. You can install vCenter Single Sign On, Inventory Service, and vCenter Server all on a single host machine using the vCenter Server Simple Install option. This option is appropriate for small deployments.
Note: Installation sequences are shortened in the video for the sake of time. In reality, installations will take a little bit longer to complete.

  • For more information about installing vCenter Server 5.1, see Installing vCenter Server 5.1 best practices (2021202).



    May 06

    Upgrading to vCenter Server 5.1 best practices (2021193)

    Purpose

    This article provides information about upgrading to vCenter Server 5.1.

    Notes:

    • This article assumes that you have read the vSphere Upgrade Guide. This guide contains definitive information. If there is a discrepancy between the guide and this article, assume that the guide is correct.
    • Because each environment is different, many upgrade decisions require knowledge and understanding beyond the scope of this article. For more detailed information about your installation, see the vSphere Upgrade Guide.
    • Review the VMware vSphere 5.1 Release Notes for known issues or special installation notes.

    Resolution


    vCenter Single Sign-On
    vSphere 5.1 introduces the vCenter Single Sign On service as part of the vCenter Server management infrastructure. This change affects vCenter Server installation, upgrading, and operation.

    Authentication by vCenter Single Sign On makes the VMware cloud infrastructure platform more secure by allowing the vSphere software components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately with a directory service like Active Directory.

    When you upgrade to vCenter Server 5.1, the upgrade process installs vCenter Single Sign On first, then upgrades vCenter Server.

    For more information on the effects of vCenter Single Sign On on vCenter Server installation and upgrades, see Comparing behaviour of vCenter Single Sign On with earlier versions of vCenter Server (2032135).
    For information about configuring vCenter Single Sign On, see the vSphere Security Guide.

    Hardware Requirements for vCenter Server, vCenter Single Sign On, and Inventory Service

    The vCenter Server system can be a physical machine or virtual machine with access to a supported database. The vCenter Server system (vCenter Server, vCenter Single Sign On, and Inventory Service) must meet the following hardware requirements.

    Note these points before upgrading:

    • VMware supports in-place upgrades on 64-bit systems from vCenter Server 4.x and vCenter Server 5.0.x to vCenter Server 5.1.

    • vCenter Server 5.1 does not support directly migrating an existing vCenter Server to a new machine during an upgrade to 5.1.
      You can migrate an existing vCenter Server to a new machine during an upgrade to version 5.0, then perform an in-place upgrade from version 5.0 to version 5.1. See Upgrading to vCenter Server on a Different Machine in the vSphere Upgrade Guide.

    • vCenter Server 5.1 can manage ESX/ESXi 4.x and ESXi 5.0.x hosts in the same cluster with ESXi 5.1 hosts. vCenter Server 5.1 cannot manage ESX 2.x or 3.x hosts.

    • vSphere 5.1 introduces the vCenter Single Sign On service as part of the vCenter Server management infrastructure. For more information, see Comparing behaviour of vCenter Single Sign On with earlier versions of vCenter Server (2032135).

    • When you upgrade to vCenter Server 5.1, the upgrade process installs vCenter Single Sign On first, then upgrades vCenter Server. You must install or update these components in this order: vCenter Single Sign On, Inventory Service, and vCenter Server.

    • Create a vCenter Single Sign On database, unless you plan to install the bundled database. For further information, see Methods of Upgrading to vCenter Server 5.1 (2021188).
    • In upgrades to vCenter Server versions earlier than vCenter Server 5.1, both the local operating system users and the Active Directory users that are registered with vCenter Server before the upgrade continue to work with the upgraded vCenter Server. This behavior changes in vCenter Server 5.1.

      Note: In vCenter Server 5.1, if vCenter Single Sign On is running on a virtual machine or physical machine that is in the same domain as Active Directory, Single Sign On will automatically discover the existing Active Directory domain and join it automatically during the Single Sign On installation process. If Single Sign On is not running on a virtual machine or physical machine that is in the same domain as Active Directory, you must use the vSphere Web Client to log in to vCenter Server and add the Active Directory domain to Single Sign On. For further information, see Comparing behaviour of vCenter Single Sign On with earlier versions of vCenter Server (2032135).

    vCenter Single Sign On, Inventory Service and vCenter Server hardware requirements

    vCenter Single Sign On, Inventory Service and vCenter Server can be installed on the same host machine (as with vCenter Server Simple Install) or on different machines.
     
    Minimum Hardware Requirements for vCenter Single Sign On, Running on a Separate Host Machine from vCenter Server lists the hardware requirements for vCenter Single Sign On, assuming that Single Sign On runs on a different host machine from vCenter Server. If vCenter Server and vCenter Single Sign On are installed on the same host machine, the Single Sign On memory and disk storage requirements are in addition to the requirements for vCenter Server. See Minimum Hardware Requirements for vCenter Server.

    Minimum Hardware Requirements for vCenter Single Sign On, Running on a Separate Host Machine from vCenter Server

    Processor: Intel or AMD x64 processor with two or more logical cores, each with a speed of 2GHz.
    Memory: 3GB. Memory requirements might be higher if the vCenter Single Sign On database runs on the same host machine. If vCenter Single Sign On runs on the same host machine as vCenter Server, see Minimum Hardware Requirements for vCenter Server.
    Disk Storage: 2GB. Disk requirements might be higher if the vCenter Single Sign On database runs on the same host machine.
    Network Speed: 1Gbps

    Minimum Hardware Requirements for vCenter Inventory Service, Running on a Separate Host Machine from vCenter Server

    Processor: Intel or AMD x64 processor with two or more logical cores, each with a speed of 2GHz.
    Memory: 3GB. If vCenter Inventory Service runs on the same host machine as vCenter Server, see Minimum Hardware Requirements for vCenter Server.
    Disk Storage: At least 60GB for medium- to large-sized inventories (more than 100 hosts or 1000 virtual machines). If vCenter Inventory Service runs on the same host machine as vCenter Server, see Minimum Hardware Requirements for vCenter Server.
    Network Speed: 1Gbps

    Minimum Hardware Requirements for vCenter Server

    CPU: Two 64-bit CPUs or one 64-bit dual-core processor.

    Processor: 2.0GHz or faster Intel 64 or AMD 64 processor. The Itanium (IA64) processor is not supported. Processor requirements might be higher if the database runs on the same machine.

    Memory: The amount of memory needed depends on your vCenter Server configuration.

    • If vCenter Server is installed on a different host machine than vCenter Single Sign On and vCenter Inventory Service, 4GB of RAM are required.
    • If vCenter Server, vCenter Single Sign On and vCenter Inventory Service are installed on the same host machine (as with vCenter Simple Install), 10GB of RAM are required.

    Memory requirements might be higher if the vCenter Server database or vCenter Single Sign On database runs on the same machine as vCenter Server.

    vCenter Server includes several Java services: VMware VirtualCenter Management Webservices (tc Server), Inventory Service, and Profile-Driven Storage Service. When you install vCenter Server, you select the size of your vCenter Server inventory to allocate memory for these services. The inventory size determines the maximum JVM heap settings for the services. You can adjust this setting after installation if the number of hosts in your environment changes. See the recommendations in JVM Heap Settings for vCenter Server.

    Disk Storage: The amount of disk storage needed depends on your vCenter Server configuration.

    • If vCenter Server is installed on a different host machine than vCenter Single Sign On and vCenter Inventory Service, 4GB of free disk space are required.
    • If vCenter Server, vCenter Single Sign On and vCenter Inventory Service are installed on the same host machine (as with vCenter Simple Install), at least 40-60GB of free disk space are required after installation, depending on the size of your inventory. 100GB are recommended, to allow for future growth of your inventory.

    Disk storage requirements might be higher if the vCenter Server database or vCenter Single Sign On database runs on the same machine as vCenter Server.

    In vCenter Server 5.x, the default size for vCenter Server logs is 450MB larger than in vCenter Server 4.x. Make sure the disk space allotted to the log folder is sufficient for this increase.

    Microsoft SQL Server 2008 R2 Express disk: Up to 2GB free disk space to decompress the installation archive. Approximately 1.5GB of these files are deleted after the installation is complete.

    Network Speed: 1Gbps

    JVM Heap Settings for vCenter Server

    Inventory size                                          VirtualCenter Management Webservices   Inventory Service   Profile-Driven Storage Service
    Small (1-100 hosts or 1-1000 virtual machines)          1GB                                    3GB                 512MB
    Medium (100-400 hosts or 1000-4000 virtual machines)    2GB                                    6GB                 1GB
    Large (more than 400 hosts or 4000 virtual machines)    3GB                                    12GB                2GB

    vCenter Server operating system requirements

    vCenter Server 5.1 requires a 64-bit operating system and cannot be installed on a 32-bit operating system. When performing an install you must ensure that your operating system is 64-bit capable. For a list of supported operating systems, see the VMware Compatibility Guide.

    VMware recommends that vCenter Server be installed on a system that is dedicated to managing your virtual infrastructure environment. Third-party and other applications on the same system may consume the same shared system resources, affecting performance and support.

    Pre-upgrade software requirements

    vCenter Server requires Microsoft .NET 3.5 SP1 Framework. If it is not installed on your system, the vCenter Server installer installs it for you.

    Note: The Microsoft .NET 3.5 SP1 installation might require Internet connectivity to download and update files during the installation procedure.

    If you plan to use the Microsoft SQL Server 2008 R2 Express database that is bundled with vCenter Server, Microsoft Windows Installer version 4.5 (MSI 4.5) must be installed on your system. You can download MSI 4.5 from the Microsoft Web site. You can also install MSI 4.5 directly from the vCenter Server 5.1 CD/DVD-ROM.

    Network prerequisites

    Verify that DNS reverse lookup returns a fully qualified domain name when queried with the IP address of the vCenter Server. When you upgrade vCenter Server, the installation of the web server component that supports the vSphere Client fails if the installer cannot look up the fully qualified domain name of the vCenter Server from its IP address. Reverse lookup is implemented using PTR records. To create a PTR record, see the documentation for your vCenter Server host operating system.

    If you use DHCP instead of a manually assigned (static) IP address for vCenter Server, make sure that the vCenter Server computer name is updated in the domain name service (DNS). Test this by pinging the computer name. For example, if the computer name is host-1.company.com, run this command in the Windows command prompt:

    ping host-1.company.com

    If you can ping the computer name, the name is updated in DNS.

    Ensure that the ESXi host management interface has a valid DNS resolution from the vCenter Server and all vSphere Clients. Ensure that the vCenter Server has a valid DNS resolution from all ESXi hosts and all vSphere Clients.

    For the vCenter Single Sign On installer to automatically discover Active Directory identity sources, verify that these conditions are met:

    • The Active Directory identity source must be able to authenticate the user who is logged in to perform the Single Sign On installation.

    • The DNS of the Single Sign On Server host machine must contain both lookup and reverse lookup entries for the domain controller of the Active Directory. For example, pinging mydomain.com should return the domain controller IP address for mydomain. Similarly, the ping -a command for that IP address should return the domain controller hostname. Avoid trying to correct name resolution issues by editing the hosts file. Instead, make sure that the DNS server is correctly set up.

    • The system clock of the Single Sign On Server host machine must be synchronized with the clock of the domain controller.
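The two DNS prerequisites above have the same shape: a forward lookup of a name must return the expected address, and the PTR for that address must return the expected name (the vCenter FQDN for the vCenter host; for the Single Sign On installer, the domain name must resolve to a domain controller whose PTR returns the DC hostname). The Python below is an added example, not part of the KB article, that performs both checks. The resolver functions are injectable so the logic can be exercised offline against a constructed zone; the vc01/dc01/corp.example.com names and the 192.0.2.x (TEST-NET-1) addresses are made up. Against a live environment, call check_name_resolution with the default socket resolvers.

```python
"""Forward/reverse DNS consistency check for vCenter Server prerequisites.

Added example, not from the VMware KB. Names and addresses below are
constructed; run check_name_resolution() with the defaults for real hosts.
"""
import socket


def check_name_resolution(fqdn, expected_ip, forward=socket.gethostbyname_ex,
                          reverse=socket.gethostbyaddr, expected_ptr_name=None):
    """Return a list of problems; an empty list means the records agree.

    fqdn must resolve to expected_ip, and the PTR for expected_ip must return
    fqdn, or expected_ptr_name when given. Use expected_ptr_name for the AD
    check, where the domain name resolves to a DC whose PTR returns the DC
    hostname rather than the domain name.
    """
    want_ptr = (expected_ptr_name or fqdn).lower().rstrip(".")
    problems = []
    try:
        _, _, addresses = forward(fqdn)          # (hostname, aliases, ips)
    except OSError as exc:
        return [f"forward lookup of {fqdn} failed: {exc}"]
    if expected_ip not in addresses:
        problems.append(f"{fqdn} resolves to {addresses}, expected {expected_ip}")
    try:
        ptr_name, _, _ = reverse(expected_ip)    # (hostname, aliases, ips)
    except OSError as exc:
        problems.append(f"reverse lookup of {expected_ip} failed, PTR record missing? ({exc})")
        return problems
    if ptr_name.lower().rstrip(".") != want_ptr:
        problems.append(f"PTR for {expected_ip} returns {ptr_name}, expected {want_ptr}")
    return problems


# Constructed zone for the offline demonstration (not real infrastructure).
FAKE_A = {
    "vc01.corp.example.com": ["192.0.2.10"],
    "vc02.corp.example.com": ["192.0.2.11"],   # A record present, PTR missing
    "dc01.corp.example.com": ["192.0.2.5"],
    "corp.example.com": ["192.0.2.5"],          # domain name resolves to the DC
}
FAKE_PTR = {
    "192.0.2.10": "vc01.corp.example.com",
    "192.0.2.5": "dc01.corp.example.com",
}


def fake_forward(name):
    """Stand-in for socket.gethostbyname_ex backed by FAKE_A."""
    try:
        return name, [], FAKE_A[name.lower()]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def fake_reverse(ip):
    """Stand-in for socket.gethostbyaddr backed by FAKE_PTR."""
    try:
        return FAKE_PTR[ip], [], [ip]
    except KeyError:
        raise socket.herror(f"no PTR record for {ip}")


# (name to check, its expected IP, expected PTR name or None for the FQDN itself)
CHECKS = [
    ("vc01.corp.example.com", "192.0.2.10", None),
    ("vc02.corp.example.com", "192.0.2.11", None),
    ("dc01.corp.example.com", "192.0.2.5", None),
    ("corp.example.com", "192.0.2.5", "dc01.corp.example.com"),
]


def run_offline_demo():
    """Run every CHECKS entry against the constructed zone; name -> problems."""
    return {name: check_name_resolution(name, ip, fake_forward, fake_reverse, ptr)
            for name, ip, ptr in CHECKS}


if __name__ == "__main__":
    for name, problems in run_offline_demo().items():
        print(f"{name:28} {'OK' if not problems else '; '.join(problems)}")
```

One caveat for live use: socket.gethostbyname_ex and socket.gethostbyaddr go through the operating system resolver, which consults the hosts file before DNS. A hosts-file entry therefore makes this check pass while the installer's DNS-based lookup, or a lookup from another machine, still fails, which is exactly why the article says not to paper over resolution problems with the hosts file. Confirm with nslookup against the DNS server itself before installing.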

     

    Ensuring that your database is ready to be installed/upgraded

    Make sure your database requirements and patch levels are compliant. For more information, see VMware Product Interoperability Matrixes and vCenter Server Database Configuration Notes in the vSphere 5.1 Documentation Center for the most up to date list of database versions supported with vCenter Server. See also Supported Database Upgrades in the vSphere 5.1 Documentation Center.

    If you are performing an upgrade, configuration and prerequisites may already have been done with a previous installation of vCenter Server. Contact your DBA if you are unsure whether these procedures have been completed.

    vCenter Server databases require a UTF code set.

    The vCenter Server system must have a 64-bit DSN. This requirement applies to all supported databases. You also need to ensure that you have created a full backup of your database before proceeding with the vCenter Upgrade.

    Notes:

    • Microsoft SQL Server 2008 R2 Express is intended for use with small deployments of up to 5 hosts or 50 virtual machines.
    • IBM DB2 database is only supported for vCenter Server. There is no support for IBM DB2 with Update Manager or with any plug-in that requires a database.

    If your database is located on the same machine on which vCenter Server will be installed, and you have recently changed the name of this machine to comply with the name-length requirement, make sure the vCenter Server DSN is configured to communicate with the new name of the machine.

    Changing the vCenter Server computer name impacts database communication if the database server is on the same computer with vCenter Server. If you changed the machine name, you can verify that communication remains intact. The name change has no effect on communication with remote databases. You can skip this procedure if your database is remote.

    Note: The name-length limitation applies to the vCenter Server system. The data source name (DSN) and remote database systems can have names with more than 15 characters.

    Check with your database administrator or the database vendor to make sure all components of the database are working after you rename the server.


    When configuring vCenter Server to communicate with a database, make sure that:
    • The database server is running

    • The vCenter Server computer name is updated in the domain name service (DNS). To test the connection, ping the computer name. For example, if the computer name is host-1.company.com, run this command in a Windows command prompt:

      ping host-1.company.com

      If you can ping the computer name, the name is updated in DNS.

    Note: For further recommendations on preparing your vCenter Server Database, see Preparing for the Upgrade to vCenter Server in the vSphere Upgrade Guide.

    Bundled Microsoft SQL Server 2008 R2 SP1 Express Database Package

    The bundled Microsoft SQL Server 2008 R2 Express database package is installed and configured when you select the bundled database during vCenter Server installation or upgrade.

    To install the bundled Microsoft SQL Server 2008 R2 Express database, Microsoft Windows Installer version 4.5 (MSI 4.5) is required on your system. You can download MSI 4.5 from the Microsoft Web site. You can also install MSI 4.5 directly from the vCenter Server autorun.exe installer.

    Pre-upgrade considerations and recommendations

    Before upgrading, consider these points:

    • Prepare for the vCenter Server installation by recording the values that the vCenter Server system requires. For further information, see Required Information for Installing or Upgrading vCenter Single Sign On, Inventory Service, and vCenter Server in the vSphere Upgrade Guide.

    • If you do not intend to use evaluation mode, make sure that you have valid license keys for all purchased functionality. License keys from vSphere versions prior to version 5.0 are not supported in vCenter Server 5.x. If you do not have the license key, you can install in evaluation mode and use the vSphere Client or vSphere Web Client to enter the license key later.

    • Close all instances of the VMware Infrastructure Client, the vSphere Client, and the vSphere Web Client.

    • Before you install or upgrade any vSphere product, synchronize the clocks of all machines on the vSphere network. See Synchronizing Clocks on the vSphere Network in the vSphere Upgrade Guide.

    • In-place upgrade to vCenter Server 5.1 is not supported on Microsoft Windows XP.

    • Ensure that the operating system on which vCenter Server 5.1 will run is 64-bit.

    • Ensure that you have made a backup of your vCenter Server database.

    • If the vCenter Server upgrade fails, no automatic rollback occurs to the previous vCenter Server version.

    • The data migration tool is not supported for vCenter Server 5.1. You cannot directly migrate an existing vCenter Server to a new machine during an upgrade to version 5.1. You can migrate an existing vCenter Server to a new machine during an upgrade to version 5.0, and then perform an in-place upgrade from version 5.0 to version 5.1.

    • Ensure that NetBIOS over TCP/IP is enabled in the TCP/IPv4 settings on the Windows server.

    • Ensure that all domains that are to be added as identity sources are added to the DNS suffix list of the NIC.

    Additional Information

     

    May 06

    Methods of upgrading to vCenter Server 5.1 (2021188)

    Purpose

    This article provides high-level information about the methods of upgrading to vCenter Server 5.1. 
     

    Resolution

    Before upgrading to vCenter Server 5.1, vSphere 5.1 requires you to install vCenter Single Sign On and install or upgrade the Inventory Service. You can install vCenter Single Sign On and upgrade the Inventory Service and vCenter Server all on a single host machine using the vCenter Server Simple Install option. This option is appropriate for small deployments.

    Alternatively, you can install vCenter Single Sign On, upgrade the Inventory Service, and upgrade vCenter Server separately to customize the location and configuration of the components. See Installing components separately below.

     
    For more information on vCenter Single Sign On, see:

    Prerequisites

    Before upgrading, you need to create a vCenter Single Sign On database, unless you plan to install the bundled database. For information about vCenter Single Sign On supported database versions, see the VMware Product Interoperability Matrix.

    If you are using an existing database for vCenter Single Sign On:

    • You have the option of specifying a database user (RSA_USER) and database administrator (RSA_DBA) to use for Single Sign On database installation and setup. See Required vCenter Single Sign On Database Users in the vSphere Upgrade Guide.
      • If you choose this option, create these users before you run the installer. See Required vCenter Single Sign On Database Users in the vSphere Upgrade Guide for a list of required permissions.
      • If you do not choose this option, the installer creates these users for you using the credentials of a database administrator you specify during the installation process. Verify that the database user you specify has the required permissions. See Permissions Required by vCenter Single Sign On for Database Administrators in the vSphere Upgrade Guide.
    • Ensure that the tablespaces are named RSA_DATA and RSA_INDEX. Any other tablespace names cause the vCenter Single Sign On installation to fail.
    • Ensure that table space is created for the database. Run the script:

      rsaIMSLite<DBName>SetupTablespaces.sql

      Note: The script is included in the vCenter Server installer download package (vCenter Server Installation directory\Single Sign On\DBScripts\SSOServer\Schema\your_existing_database ). You can run this script prior to the installation, or during the installation of Single Sign On, when you are prompted by the installer. You can leave the installer to run the script, and resume the installer after you run the script.

    Note: For information on vCenter Single Sign On, vCenter Inventory Service, and vCenter Server install prerequisites, hardware and software requirements, see Upgrading to vCenter Server 5.1 best practices (2021193).

    Installing components on one host using Simple Install

    To install vCenter Single Sign On and upgrade the Inventory Service and vCenter Server all on a single host machine using the vCenter Server Simple Install option:

    1. Install vCenter Single Sign On as Part of a vCenter Server Simple Install. Create the only node in a basic vCenter Single Sign On installation, or the first node in a high availability or multisite installation.
    2. Install or Upgrade Inventory Service as Part of vCenter Server Simple Install.

      Note: The Inventory Service stores vCenter Server application and inventory data, enabling you to search and access inventory objects across linked vCenter Servers.

      You can install vCenter Single Sign On, vCenter Inventory Service, and vCenter Server together on a single host machine using the vCenter Server Simple Install option. This option is appropriate for small deployments.

    3. Upgrade to vCenter Server 5.1 as Part of a Simple Install.

      Notes:

      • You can upgrade vCenter Server as part of a Simple Install after installing vCenter Single Sign On, and upgrading the Inventory Service. Alternatively, you can install vCenter Single Sign On, upgrade Inventory Service, and upgrade vCenter Server separately to customize the location and configuration of the components. See Install vCenter Single Sign On, Upgrade Inventory Service, and Upgrade vCenter Server Separately. See the below section for further details.
      • You can use Simple Install to upgrade vCenter Server if you have a version 4.x or 5.0.x vCenter Server installation that is supported for upgrade. See vCenter Server Upgrade Summary. In this case, the Simple Install option installs Single Sign-On, upgrades Inventory Service, and upgrades vCenter Server.
      • If you are upgrading a version 5.1 vCenter Server installation to version 5.1.x, you cannot use Simple Install. Upgrade the Single Sign-On, Inventory Service, and vCenter Server components separately. See Separately Install vCenter Single Sign On, Upgrade Inventory Service, and Upgrade vCenter Server.
      • If an earlier version of vCenter Server is on your machine, the vCenter Server installer detects and upgrades it. If the upgrade fails, no automatic rollback occurs to the previous vCenter Server version.

    For more information on the Single Sign On install and vCenter Server upgrade option, see the vSphere Upgrade Guide.

    Installing components separately

    To install vCenter Single Sign On, install/upgrade the Inventory Service, and upgrade vCenter Server separately to customize the location and configuration of the components:

    1. Install vCenter Single Sign On as a New Installation. Create the only node in a basic vCenter Single Sign On installation, or the first node in a high availability or multisite installation.

      Or

      Install an Additional Node for an Existing vCenter Single Sign On Installation. Create an additional vCenter Single Sign On node for an existing high availability or multisite vCenter Single Sign On installation.

    2. Install or upgrade vCenter Inventory Service in a Separate Installation.

      Note: The Inventory Service stores vCenter Server application and inventory data, enabling you to search and access inventory objects across linked vCenter Servers.

    3. Upgrade vCenter Server in a Separate Upgrade.

    Note: For more information about the Single Sign On install and vCenter Server upgrade option, see the vSphere Upgrade Guide.

    Updating vCenter Server and its Components

    VMware provides updates for vCenter Server 5.1 software.

    vCenter Server updates can include updates to vCenter Server, Inventory Service, vCenter Single Sign On, and Profile-Driven Storage Service.

    vCenter Server 5.1 updates are available from www.vmware.com. The service pack update process updates files and registry settings required by vCenter Server and restarts Windows services that are stopped during the update.

    For more information, see the Updating vCenter Server with Components section in the vSphere Upgrade Guide.

    See Also


    May 06

    Installing vCenter Server 5.1 best practices (2021202)

    Purpose

    This article provides information for installing VMware vCenter Server 5.1.

    Notes:

    • This is not a comprehensive guide. For more information, see the vSphere 5.1 documentation. The documentation contains definitive information. If there is a discrepancy between the documentation and this article, assume that the documentation is correct.
    • Because each environment is different, many installation decisions require knowledge and understanding beyond the scope of this article. For more detailed information about your installation, see the vSphere Installation and Setup Guide PDF and review the vSphere 5.1 Release Notes for known issues or special installation notes.

    Resolution


    vCenter Single Sign-On
    In vSphere versions prior to vSphere 5.1, vCenter Server was installed in a single operation that also installed the Inventory Service on the same host machine. The Inventory Service was installed automatically and silently.

    For small vSphere deployments, vCenter Server 5.1 provides a vCenter Server Simple Install option that installs vCenter Single Sign-On, Inventory Service, and vCenter Server on the same host or virtual machine.

    Alternatively, to customize the location and setup of each component, you can install the components separately by selecting the individual installation options, in this order: vCenter Single Sign-On, Inventory Service, and vCenter Server. Each component can be installed in a different host or virtual machine.

    For the first installation of vCenter Server with vCenter Single Sign-On, you must install Single Sign-On Server, Inventory Service, and vCenter Server in the vSphere environment. In subsequent installations of vCenter Server in your environment, you do not need to install Single Sign-On. One Single Sign-On server can serve your entire vSphere environment. After you install vCenter Single Sign-On once, you can connect all new vCenter Server instances to the same authentication server. However, you must install an Inventory Service instance for each vCenter Server instance. For more detailed information, see:

    Note: If the machine on which you are installing vCenter Server already has vCenter Server installed, you might want to upgrade instead of performing a fresh installation of vCenter Server. To keep your existing vCenter Server configuration, see the vSphere Upgrade Guide and Upgrading vCenter Server 5.1 best practices (2021193) for more information.

    vCenter Single Sign-On, Inventory Service, and vCenter Server hardware requirements
    You can install vCenter Single Sign-On, Inventory Service, and vCenter Server on the same host machine (as with vCenter Simple Install) or on different machines. Minimum Hardware Requirements for vCenter Single Sign-On, Running on a Separate Host Machine from vCenter Server and Minimum Hardware Requirements for vCenter Inventory Service, Running on a Separate Host Machine from vCenter Server list the hardware requirements for Single Sign-On and Inventory Service, running on separate host machines. If you install vCenter Single Sign-On, vCenter Inventory Service, and vCenter Server on the same host machine, the Single Sign-On and Inventory Service memory and disk storage requirements are in addition to the requirements for vCenter Server. For more information, see Minimum hardware requirements for vCenter Server.

    The vCenter Server system is a physical machine or virtual machine with access to a supported database. The vCenter Server system must meet specific requirements. The vCenter Server machine must meet the hardware requirements.

    Minimum hardware requirements for vCenter Single Sign-On, when running on a separate host machine from vCenter Server

    vCenter SSO hardware Requirement
    Processor Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz.
    Memory 3 GB. Memory requirements might be higher if the vCenter Single Sign-On database runs on the same host machine. If vCenter Single Sign-On runs on the same host machine as vCenter Server, see Minimum hardware requirements for vCenter Server.
    Disk storage 2 GB. Disk requirements may be higher if the vCenter Single Sign-On database runs on the same host machine.
    Network speed 1 Gbps

    Minimum hardware requirements for vCenter Inventory Service, when running on a separate host machine from vCenter Server

    vCenter Inventory Service hardware Requirement
    Processor Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz.
    Memory 3 GB. If vCenter Inventory Service runs on the same host machine as vCenter Server, see Minimum Hardware Requirements for vCenter Server.
    Disk storage At least 60 GB for medium- to large-sized inventories (more than 100 hosts or 1000 virtual machines).
    Network speed 1 Gbps

    Minimum hardware requirements for vCenter Server

    vCenter Server hardware Requirement
    CPU Two 64-bit CPUs or one 64-bit dual-core processor.
    Processor 2.0 GHz or faster Intel 64 or AMD 64 processor. The Itanium (IA64) processor is not supported.

    Processor requirements may be higher if the database runs on the same machine.

    Memory The amount of memory needed depends on your vCenter Server configuration.

    • If vCenter Server is installed on a different host machine than vCenter Single Sign-On and vCenter Inventory Service, 4 GB of RAM are required.
    • If vCenter Server, vCenter Single Sign-On, and vCenter Inventory Service are installed on the same host machine (as with vCenter Simple Install), 10 GB of RAM are required.

    Memory requirements may be higher if the vCenter Server database or vCenter Single Sign-On database runs on the same machine as vCenter Server.

    vCenter Server includes several Java services: VMware VirtualCenter Management Webservices (tc Server), Inventory Service, and Profile-Driven Storage Service. When you install vCenter Server, you select the size of your vCenter Server inventory to allocate memory for these services. The inventory size determines the maximum JVM heap settings for the services. You can adjust this setting after installation if the number of hosts in your environment changes. See the recommendations in JVM heap settings for vCenter Server.

    Disk storage The amount of disk storage needed depends on your vCenter Server configuration.

    • If vCenter Server is installed on a different host machine than vCenter Single Sign-On and vCenter Inventory Service, 4 GB are required.
    • If vCenter Server, vCenter Single Sign-On, and vCenter Inventory Service are installed on the same host machine (as with vCenter Simple Install), at least 40-60 GB of free disk space are required after installation, depending on the size of your inventory. 100 GB are recommended to allow for future growth of your inventory.

    Disk storage requirements are higher if the vCenter Server database or vCenter Single Sign-On database runs on the same machine as vCenter Server, depending on the size of those databases.

    In vCenter Server 5.x, the default size for vCenter Server logs is 450 MB larger than in vCenter Server 4.x. Make sure the disk space allotted to the log folder is sufficient for this increase.

    Microsoft SQL Server 2008 R2 Express disk storage Up to 2 GB free disk space to decompress the installation archive. Approximately 1.5 GB of these files are deleted after the installation is complete.
    Network speed 1 Gbps

    JVM heap settings for vCenter Server

    vCenter Server inventory                                  tc Server (Management Webservices)   Inventory Service   Profile-Driven Storage Service
    Small (1-100 hosts or 1-1000 virtual machines)            1 GB                                 3 GB                512 MB
    Medium (100-400 hosts or 1000-4000 virtual machines)      2 GB                                 6 GB                1 GB
    Large (more than 400 hosts or 4000 virtual machines)      3 GB                                 12 GB               2 GB

    Note: Installing vCenter Server on a network drive or USB flash drive is not supported.

    For the hardware requirements of your database, see your database documentation. The database requirements are in addition to the vCenter Server requirements if the database and vCenter Server run on the same machine.

    vCenter Server and vSphere Client system recommendations for performance based on deployment size

    The number of hosts and powered-on virtual machines in your environment affects performance. Use these system requirements as minimum guidelines for reasonable performance. For increased performance, you can configure systems in your environment with values greater than those listed here.

    Processing requirements are listed in terms of hardware CPU cores. Only physical cores are counted. In hyper-threaded systems, logical CPUs do not count as separate cores.

    Important: The recommended disk sizes assume default log levels. If you configure more detailed log levels, more disk space is required.

    This table outlines the recommended hardware configurations for a medium deployment of up to 50 hosts and 500 powered-on virtual machines:

    Product          Cores   Memory   Disk
    vCenter Server   2       4 GB     5 GB
    vSphere Client   1       1 GB     1.5 GB

    This table outlines the recommended hardware configurations for a large deployment of up to 300 hosts and 3,000 powered-on virtual machines:

    Product          Cores   Memory   Disk
    vCenter Server   4       8 GB     10 GB
    vSphere Client   1       1 GB     1.5 GB

    This table outlines the recommended hardware configurations for an extra-large deployment of up to 1000 hosts and 10,000 powered-on virtual machines:

    Product          Cores   Memory   Disk
    vCenter Server   8       16 GB    10 GB
    vSphere Client   2       1 GB     1.5 GB

    Minimum hardware requirements and recommendations for the vSphere Client

    Hardware Requirements and recommendations
    CPU 1 CPU
    Processor 500 MHz or faster Intel or AMD processor (1 GHz recommended)
    Memory 500 MB (1 GB recommended)
    Disk storage 1.5 GB free disk space for a complete installation, which includes the following components:

    • Microsoft .NET 2.0 SP2
    • Microsoft .NET 3.0 SP2
    • Microsoft .NET 3.5 SP1
    • Microsoft Visual J#

      Remove any previously installed versions of Microsoft Visual J# on the system where you are installing the vSphere Client.

    • vSphere Client

    If you do not have any of these components already installed, you must have 400 MB free on the drive that has the %temp% directory.

    If you have all of the components already installed, 300 MB of free space is required on the drive that has the %temp% directory, and 450 MB is required for vSphere Client.

    Networking Gigabit connection recommended

    vSphere Web Client hardware requirements

    Hardware Requirement
    Memory At least 2 GB: 1 GB for the Java heap, and 1 GB for:

    • The resident code
    • The stack for Java threads
    • Global/bss segments for the Java process
    CPU 2.00 GHz processor with 4 cores
    Disk storage At least 2 GB free disk space
    Networking Gigabit connection recommended

    These browsers are supported for version 5.1 of the vSphere Web Client:

    • Microsoft Internet Explorer 7, 8, and 9
    • Mozilla Firefox 3.6 and later
    • Google Chrome 14 and later

    The vSphere Web Client requires the Adobe Flash Player version 10.1.0 or later to be installed with the appropriate plug-in for your browser.


    For more information, see Minimum requirements for installing the vSphere and vSphere Web 5.x Client (2005083).

    vCenter Server software requirements

    Make sure that your operating system supports vCenter Server. vCenter Server requires a 64-bit operating system, and a 64-bit system DSN is required for vCenter Server to connect to its database. For a list of supported operating systems, see the VMware Compatibility Guide.

    VMware recommends that vCenter Server be installed on a system that is dedicated to managing your virtual infrastructure environment. Third-party and other applications on the same system may utilize the same shared system resources, impacting performance and support.

    Note: The VMware vCenter Server Appliance can be deployed only on hosts that are running ESXi/ESX 4.x or later.

    Pre-installation software requirements

    vCenter Server requires the Microsoft .NET 3.5 SP1 Framework. If it is not installed on your system, the vCenter Server installer installs it. The .NET 3.5 SP1 installation might require Internet connectivity to download more files.

    Note: If your vCenter Server host machine uses a non-English operating system, install both the Microsoft .NET Framework 3.5 SP1 and Microsoft .NET Framework 3.5 Language Pack through Windows Update. Windows Update automatically selects the correct localized version for your operating system. The .NET Framework installed through the vCenter Server installer includes only the English version.

    If you plan to use the Microsoft SQL Server 2008 R2 Express database that is bundled with vCenter Server, Microsoft Windows Installer version 4.5 (MSI 4.5) is required on your system. You can download MSI 4.5 from the Microsoft Web site. You can also install MSI 4.5 directly from the vCenter Server autorun.exe installer.

    Setting up the vCenter Server and vCenter Single Sign-On database

    Each vCenter Server instance must have its own database. vCenter Server instances cannot share the same database schema. Multiple vCenter Server databases can reside on the same database server, or they can be separated across multiple database servers. For Oracle databases, which have the concept of schema objects, you can run multiple vCenter Server instances in a single database server if you have a different schema owner for each vCenter Server instance. You can also use a dedicated Oracle database server for each vCenter Server instance.

    You do not need to install a new database server for the vCenter Server installation to work. During vCenter Server installation, you can point the vCenter Server system to any existing supported database. vCenter Server supports IBM DB2, Oracle, and Microsoft SQL Server databases. Update Manager supports Oracle and Microsoft SQL Server databases. For information about supported database server versions, see the VMware Product Interoperability Matrix.

    After you choose a supported database type, make sure you understand any special configuration requirements. See vCenter Server Database Configuration Notes in the vSphere Installation and Setup Guide.

    • Ensure that your vCenter Server database meets the database requirements. For more information, see vCenter Server Database Configuration Notes and Preparing vCenter Server Databases in the vSphere Installation and Setup Guide.

    • You must create a vCenter Single Sign-On database unless you plan to install the bundled database. For information about vCenter Single Sign-On supported database versions, see the VMware Product Interoperability Matrix.

    • If you are using an existing database for vCenter Single Sign-On:

      • You have the option of specifying a database user (RSA_USER) and database administrator (RSA_DBA) to use for Single Sign-On database installation and setup. For more information, see Required vCenter Single Sign-On Database Users in the vSphere Installation and Setup Guide.

        • If you choose this option, create these users before you run the installer. For a list of required permissions, see Required vCenter Single Sign-On Database Users in the vSphere Installation and Setup Guide.

        • If you do not choose this option, the installer creates these users for you using the credentials of a database administrator you specify during the installation process. Verify that the database user you specify has the required permissions. For more information, see Permissions Required by vCenter Single Sign-On for Database Administrators in the vSphere Installation and Setup Guide.

      • Ensure that the tablespaces are named RSA_DATA and RSA_INDEX. Any other tablespace names cause the vCenter Single Sign-On installation to fail. The names are case sensitive and must be uppercase; if lowercase names are used, the installer reports:

        Error 29119, Required Tablespaces missing during the installation of vCenter Single Sign On.

      • To create the tablespaces for the database, run the script:

        rsaIMSLite<DBName>SetupTablespaces.sql

        The script is included in the vCenter Server installer download package (vCenter_Server_Installation_directory\Single Sign On\DBScripts\SSOServer\Schema\your_existing_database). You can run this script before the installation, or during the installation when the installer prompts you: leave the installer waiting, run the script, and then resume the installer.

    Notes:

    • Microsoft SQL Server 2008 R2 Express is intended for use with small deployments of up to 5 hosts and/or 50 virtual machines.
    • The IBM DB2 database is only supported for vCenter Server. There is no support for Update Manager or any plug-in that requires a database.
    • A 64-bit DSN must be created that points to a database set up according to the minimum requirements.
    • vCenter Server databases require a UTF code set.
    • If you have a vCenter Server database that you want to preserve, do not perform a fresh installation of vCenter Server. For more information, see the vSphere Upgrade Guide.


    Synchronizing clocks on the vSphere network

    Before you install vCenter Single Sign-On, install the vSphere Web Client, or deploy the vCenter Server appliance, make sure all machines on the vSphere network have their clocks synchronized.

    If the clocks on vCenter Server network machines are not synchronized, SSL certificates, which are time-sensitive, might not be recognized as valid in communications between network machines. Unsynchronized clocks can result in authentication problems, which can cause the vSphere Web Client installation to fail or prevent the vCenter Server Appliance vpxd service from starting.

    Configure vCenter Server to communicate with the local database

    The machine on which you install or upgrade to vCenter Server must have a computer name that is 15 characters or fewer. If your database is located on the same machine on which vCenter Server will be installed, and you have recently changed the name of this machine to comply with the name-length requirement, make sure the vCenter Server DSN is configured to communicate with the new name of the machine.

    Changing the vCenter Server computer name impacts database communication if the database server is on the same computer with vCenter Server. If you changed the machine name, you can verify that communication remains intact. The name change has no effect on communication with remote databases. You can skip this procedure if your database is remote.

    Note: The name-length limitation applies to the vCenter Server system. The data source name (DSN) and remote database systems can have names with more than 15 characters.

    Check with your database administrator or the database vendor to make sure all components of the database are working after you rename the server.

    Prerequisites:

    • Ensure the database server is running.
    • Ensure that the vCenter Server computer name is updated in the domain name service (DNS).

    To test this connection, ping the computer name. For example, if the computer name is host-1.company.com, run this command in the Windows command prompt:

    ping host-1.company.com

    If you can ping the computer name, the name is updated in DNS.

    Bundled Microsoft SQL Server 2008 R2 Express database package

    The bundled Microsoft SQL Server 2008 R2 Express database package is installed and configured when you select the bundled database during vCenter Server installation or upgrade.

    To install the bundled Microsoft SQL Server 2008 R2 Express database, Microsoft Windows Installer version 4.5 (MSI 4.5) is required on your system. You can download MSI 4.5 from the Microsoft Web site. You can also install MSI 4.5 directly from the vCenter Server autorun.exe installer.

    For more detailed information on configuring a DB2, Microsoft SQL Server, or Oracle databases to work with vCenter Server, see Preparing vCenter Server Databases in the vSphere Installation and Setup Guide.

    vCenter Server prerequisites

    Before installing vCenter Server, review Prerequisites for Installing vCenter Single Sign-On, Inventory Service, and vCenter Server in the vSphere Installation and Setup Guide.

    • vCenter Server 5.1 requires vCenter Single Sign-On and Inventory Service. You must install these components in this order:

      1. vCenter Single Sign-On
      2. Inventory Service
      3. vCenter Server

      For more information on how vCenter Single Sign-On affects vCenter Server installation and upgrades, see Comparing the behavior of vCenter Single Sign On with earlier versions of vCenter Server (2032135).

    • Review the release notes for known issues or special installation notes.

    • Consider whether the vCenter Server instance will be standalone or in a Linked Mode group. For more information, see Creating vCenter Server Linked Mode Groups in the vSphere Installation and Setup Guide.

    • Gather the information that the vCenter Server installation wizard requires. For more information, see Required Information for Installing or Upgrading vCenter Single Sign-On, Inventory Service, and vCenter Server in the vSphere Installation and Setup Guide.

    • Verify that you have the installation DVD or download the vCenter Server installer. For more information, see Download the vCenter Server Installer in the vSphere Installation and Setup Guide.


    System requirements

    • Verify that your system meets the requirements listed above in Hardware requirements for vCenter Server, vCenter Single Sign-On, vSphere Client, and vSphere Web Client and vCenter Server software requirements, and that the required ports are open. For more information, see Required ports for vCenter Server 5.1 (2031843).

      Note: In order for VM console connections to be successfully established from the vSphere Client to VMs, you must have the ports TCP/902 and TCP/903 open inbound and outbound between the system where the vSphere Client is running and the ESXi/ESX host where the VM is hosted. This includes ensuring that traffic on these ports can communicate across any NAT/Firewall devices that may be present in your infrastructure. 

    • Before you install or upgrade any vSphere product, synchronize the clocks of all machines on the vSphere network. For more information, see Synchronizing clocks on the vSphere network.

    • Verify that the fully qualified domain name (FQDN) of the system where you will install vCenter Server is resolvable. To check that the FQDN is resolvable, run nslookup your_vCenter_Server_FQDN at the command prompt. If the FQDN is resolvable, nslookup prints the name and IP address of the vCenter Server system in the Name: and Address: lines of the answer; the Server: and Address: lines at the top of the output identify the DNS server that answered, not the vCenter Server.

    • Verify that DNS reverse lookup returns a fully qualified domain name when queried with the IP address of the vCenter Server. When you install vCenter Server, the installation of the web server component that supports the vSphere Client fails if the installer cannot look up the fully qualified domain name of the vCenter Server from its IP address. Reverse lookup is implemented using PTR records. To create a PTR record, see the documentation for your vCenter Server host operating system.

    • Verify that the host name of the machine that you are installing vCenter Server on complies with RFC 952 guidelines.

    • The installation path of vCenter Server must be compatible with the installation requirements for Microsoft Active Directory Application Mode (ADAM/AD LDS). The installation path cannot contain any of these characters: non-ASCII characters, commas (,), periods (.), exclamation points (!), pound signs (#), at signs (@), or percentage signs (%).

    • Verify that no Network Address Translation (NAT) exists between the vCenter Server system and the hosts it will manage.

    • If the system that you use for your vCenter Server installation belongs to a workgroup rather than a domain, not all functionality is available to vCenter Server. If assigned to a workgroup, the vCenter Server system is not able to discover all domains and systems available on the network when using some features. To determine whether the system belongs to a workgroup or a domain, right-click My Computer and click Properties, then click the Computer Name tab. The Computer Name tab displays either a Workgroup label or a Domain label.

    • During the installation, verify that the connection between the machine and the domain controller is working.

    • Verify that the computer name is no more than 15 characters.

    • The NETWORK SERVICE account must have access to the folder in which vCenter Server is installed and to the HKLM registry hive.

    • Before the vCenter Server installation, in the Administrative Tools control panel of the vCenter Single Sign-On instance that you will register vCenter Server to, verify that the vCenter Single Sign-On and RSA SSPI services are started.

    • You must log in as a member of the Administrators group on the host machine, with a user name that does not contain any non-ASCII characters.

    • Verify that the DNS name of the machine matches the actual computer name.

    • Make sure the system on which you are installing vCenter Server is not an Active Directory domain controller. Installing vCenter Server on a domain controller is not supported.

    • On each system that is running vCenter Server, make sure that the domain user account has these permissions:

      • Member of the Administrators group
      • Act as part of the operating system
      • Log on as a service


    • Install vCenter Server, like any other network server, on a machine with a fixed IP address and well-known DNS name, so that clients can reliably access the service. Assign a static IP address and host name to the Windows server that will host the vCenter Server system. This IP address must have a valid (internal) DNS registration. Ensure that the ESXi host management interface resolves in DNS from the vCenter Server and all vSphere Clients, and that the vCenter Server resolves in DNS from all ESXi hosts and all vSphere Clients. If you use DHCP instead of a static IP address for vCenter Server, make sure that the vCenter Server computer name is updated in DNS, and ping the computer name to confirm it, as described under Configure vCenter Server to communicate with the local database above.
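    The checks in the list above, collected into one PowerShell script. This is an added example, not part of KB 2021202. It assumes an ESXi host name ($EsxiHost) and a planned installation path ($InstallPath), that the Active Directory domain name resolves to a domain controller that w32tm can query, and a 5-minute clock tolerance (the Kerberos default); replace those values for your environment. Run it from an elevated PowerShell prompt on the machine that will host vCenter Server.

```powershell
# Added example (not part of KB 2021202): pre-installation checks for a Windows
# machine that will host vCenter Server 5.1. $EsxiHost, $InstallPath and the
# 300-second clock tolerance are assumed values.
$EsxiHost    = 'esxi01.corp.example'                      # assumed: a host vCenter will manage
$InstallPath = 'C:\Program Files\VMware\Infrastructure'   # assumed: planned installation path
$results     = @()

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Computer name: at most 15 characters and RFC 952 characters only
#    (a letter first, then letters, digits and hyphens; no underscore).
$name = $env:COMPUTERNAME
Add-Check 'Computer name is 15 characters or fewer' ($name.Length -le 15) $name
Add-Check 'Computer name is RFC 952 compliant' ($name -match '^[A-Za-z][A-Za-z0-9-]*$') $name

# 2. Forward lookup of the FQDN, then a PTR lookup of every IPv4 address it
#    returns. The PTR answer must be the same FQDN, otherwise the web server
#    component fails to install.
$cs   = Get-WmiObject Win32_ComputerSystem
$fqdn = if ($cs.PartOfDomain) { "$name.$($cs.Domain)" } else { $name }
try {
    $entry = [System.Net.Dns]::GetHostEntry($fqdn)
    $v4 = $entry.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    Add-Check 'FQDN resolves' $true ("$fqdn -> " + (($v4 | ForEach-Object { $_.ToString() }) -join ', '))
    foreach ($ip in $v4) {
        try {
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
            Add-Check "PTR for $ip returns the FQDN" ($ptr -ieq $fqdn) $ptr
        } catch {
            Add-Check "PTR for $ip returns the FQDN" $false $_.Exception.Message
        }
    }
} catch {
    Add-Check 'FQDN resolves' $false $_.Exception.Message
}

# 3. Domain membership (a workgroup machine loses some functionality) and
#    DomainRole below 4 (4 and 5 are domain controllers, which are unsupported).
Add-Check 'Joined to a domain, not a workgroup' ([bool]$cs.PartOfDomain) $cs.Domain
Add-Check 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"

# 4. ADAM/AD LDS rejects installation paths containing non-ASCII characters or , . ! # @ %
$badPath = ($InstallPath -match '[,.!#@%]') -or ($InstallPath -match '[^\x00-\x7F]')
Add-Check 'Install path is acceptable to ADAM/AD LDS' (-not $badPath) $InstallPath

# 5. vSphere Client console traffic needs TCP 902 and 903 to the ESXi host.
foreach ($port in 902, 903) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($EsxiHost, $port)
        Add-Check "TCP $port reachable on $EsxiHost" $client.Connected ''
    } catch {
        Add-Check "TCP $port reachable on $EsxiHost" $false $_.Exception.Message
    } finally {
        $client.Close()
    }
}

# 6. Clock offset from the domain: SSL certificates and SSO are time sensitive.
#    w32tm prints lines like "13:51:12, +00.0106420s"; take the offset from the last one.
$offsetLine = w32tm /stripchart "/computer:$($cs.Domain)" /samples:1 /dataonly 2>&1 | Select-Object -Last 1
if ("$offsetLine" -match '([+-][0-9.]+)s') {
    $offset = [double]$Matches[1]
    Add-Check 'Clock within 5 minutes of the domain' ([math]::Abs($offset) -lt 300) "${offset}s"
} else {
    Add-Check 'Clock within 5 minutes of the domain' $false "$offsetLine"
}

$results | Format-Table Check, Passed, Detail -AutoSize
```

    The script uses Get-WmiObject and .NET DNS calls rather than newer cmdlets so that it also runs on the Windows Server 2008 R2 era PowerShell 2.0 that vCenter Server 5.1 was commonly installed on. The reverse-lookup check compares the PTR answer against the FQDN built from the computer name and domain, which is exactly the name the installer queries.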


    Running vCenter Server using a user account

    You can use the Microsoft Windows built-in system account or a user account to run vCenter Server. With a user account, you can enable Windows authentication for SQL Server, which provides added security.

    The user account must be an administrator on the local machine. In the installation wizard, specify the account name as DomainName\Username. You must configure the SQL Server database to allow the domain account access to SQL Server.

    The Microsoft Windows built-in system account has more permissions and rights on the server than vCenter Server needs, so a compromise of the vCenter Server process would give an attacker full control of the host. A dedicated account limits that exposure.

    For SQL Server DSNs configured with Windows authentication, use the same user account for the VMware VirtualCenter Management Webservices service and the DSN user.

    If you do not plan to use Microsoft Windows authentication for SQL Server, or you are using an Oracle or DB2 database, you may still want to set up a local user account for the vCenter Server system. The only requirement is that the user account is an administrator on the local machine.

    Note: If you install an instance of vCenter Server as a local system account on a local SQL Server database with Integrated Windows NT Authentication, and you add an Integrated Windows NT Authentication user to the local database server with the same default database as vCenter Server, vCenter Server might not start. For more information, see the vCenter Server Fails to Start When Installed as a Local System Account on a Local SQL Server Database with Integrated Windows NT Authentication section of the vSphere Installation and Setup Guide.
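    An added PowerShell example (not part of KB 2021202) that shows which account the vCenter Server services run under and whether a domain account has the rights the article lists: local Administrators membership, Log on as a service (SeServiceLogonRight) and Act as part of the operating system (SeTcbPrivilege). It assumes the vCenter 5.x service names vpxd (VMware VirtualCenter Server) and vctomcat (VMware VirtualCenter Management Webservices); the function name Test-UserRight is this example's own. Run it from an elevated prompt on the vCenter Server machine after installation.

```powershell
# Added example (not part of KB 2021202): report the vCenter Server service
# accounts and the rights the KB requires for a domain account.
# 'vpxd' and 'vctomcat' are the vCenter 5.x service names (assumed); adjust if yours differ.
$serviceNames = 'vpxd', 'vctomcat'

$services = Get-WmiObject Win32_Service | Where-Object { $serviceNames -contains $_.Name }
$services | Format-Table Name, DisplayName, StartName, State -AutoSize

# Export the local security policy once. User-rights lines look like
#   SeServiceLogonRight = *S-1-5-80-...,*S-1-5-20
$inf = Join-Path $env:TEMP 'vc-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf -Encoding Unicode
Remove-Item $inf

function Test-UserRight {
    param([string]$Right, [string]$Sid, [string]$Account)
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return $false }
    # secedit writes SIDs as *S-1-..., but some accounts may appear by name
    return [bool](($line -match [regex]::Escape("*$Sid")) -or ($line -match [regex]::Escape($Account)))
}

# Direct members of the local Administrators group, one per line after the header.
$admins = net localgroup Administrators | Select-Object -Skip 6 |
          ForEach-Object { $_.Trim() } |
          Where-Object { $_ -and $_ -notmatch '^The command completed' }

foreach ($svc in $services) {
    if ($svc.StartName -eq 'LocalSystem') {
        Write-Warning "$($svc.Name) runs as LocalSystem, which has more rights than vCenter Server needs."
        continue
    }
    # Win32_Service reports local accounts as .\user; NTAccount wants COMPUTERNAME\user,
    # while net localgroup lists local users by bare name.
    $isLocal  = $svc.StartName -match '^\.\\'
    $acct     = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $listedAs = if ($isLocal) { $acct.Split('\')[-1] } else { $acct }
    $sid = (New-Object System.Security.Principal.NTAccount($acct)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    New-Object PSObject -Property @{
        Service            = $svc.Name
        Account            = $acct
        LocalAdministrator = [bool]($admins -contains $listedAs)   # direct membership only
        LogOnAsService     = Test-UserRight 'SeServiceLogonRight' $sid $acct
        ActAsPartOfOS      = Test-UserRight 'SeTcbPrivilege' $sid $acct
    } | Format-List Service, Account, LocalAdministrator, LogOnAsService, ActAsPartOfOS
}

# For a SQL Server DSN that uses Windows authentication, the Management
# Webservices service and the DSN must use the same account.
$accounts = @($services | ForEach-Object { $_.StartName } | Select-Object -Unique)
if ($accounts.Count -gt 1) {
    Write-Warning "The services run as different accounts ($($accounts -join ', ')); a Windows-authenticated DSN must match the Webservices account."
}
```

    The Administrators check only sees direct group members; an account that is an administrator through a nested domain group shows as false here even though it satisfies the requirement, so confirm nested membership separately if the result is unexpected.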

    Installing vCenter Server on IPv6 machines

    If you install vCenter Server on a system that is configured to use IPv6, vCenter Server uses IPv6. When you connect to that vCenter Server system or install more modules, you must specify the server address in IPv6 format, unless you use the fully qualified domain name.

    As in the URL syntax for literal IPv6 addresses (RFC 3986), you must enclose the IPv6 address in square brackets. For example: [IPv6-address].

     


    Mar 09

    Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1 (2036744)

    Purpose

    This article guides you through the configuration of certificates signed by a Certificate Authority (CA) for the vCenter Server Appliance 5.1. This process addresses common issues during certificate implementation, including configuration steps and pointers to avoid misconfiguration.
    Note: This article is specific to vSphere 5.1. If you are using vSphere 5.5, see Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 (2057223).

    Resolution

    Managing CA-signed certificates for the vCenter Server Appliance is a complex task, but many organizations require it to maintain proper security and to meet regulatory requirements.
    These workflows are required for successful implementation:

    These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server Appliance.
    Before attempting these steps, ensure that:

    These are the requirements for the certificates that the vCenter Server Appliance uses:

    • Key Length – The RSA key length currently must not exceed 2048 bits, and the key file must be PEM encoded.
    • Key File Format – Only PKCS#1 is supported by all components, so make sure the base64-encoded key is in PKCS#1 format. Some OpenSSL commands produce RSA private keys in PKCS#8 format instead. A PKCS#8 key begins with:

        -----BEGIN PRIVATE KEY-----

      A PKCS#1 key begins with:

        -----BEGIN RSA PRIVATE KEY-----

      Open the key file to check which header it has. If it is in PKCS#8 format, run this command to convert it to PKCS#1:

        openssl rsa -in pk8.key -out pk1.key

    • Cert File Format – Not every component tolerates extra text in a PEM certificate file. Make sure the certificate file can be loaded by all components: remove everything before -----BEGIN CERTIFICATE----- so that it is the first line of the file.
    • Certificate content – The commonName field in the Subject must be the host name, and subjectAltName must include both the host name and the IP address of the appliance.
    • Elliptic Curve Keys – These are not currently supported; use RSA keys.

    Generating the certificate requests

    For each component of the vCenter Server Appliance, you must have a custom certificate that has an appropriate organizational unit name encoded within the certificate. This means that seven different certificates are required for each vCenter Server appliance:
    • vCenter Server / Single Sign On (SSO)
    • vSphere Inventory Service
    • vSphere Web Client
    • Open LDAP
    • VMware Appliance Management Interface (VAMI)
    • vSphere Log Browser
    • vSphere Auto Deploy

    To simplify the process, this article provides the steps to create different openssl.cfg files for each component.
    This article uses /ssl/service to store all of the files before the certificates are installed.

    To generate the appropriate configuration files:

    1. Open a text editor on the system where OpenSSL is installed.
    2. Paste this text into the file, replacing the placeholder values (server, ServerIPAddress, server.domain.com, country, state, city, Organization Name) where appropriate:

       [ req ]
       default_md = sha512
       default_bits = 2048
       default_keyfile = rui.key
       distinguished_name = req_distinguished_name
       encrypt_key = no
       prompt = no
       string_mask = nombstr
       req_extensions = v3_req
       input_password = testpassword
       output_password = testpassword

       [ v3_req ]
       basicConstraints = CA:false
       keyUsage = digitalSignature, keyEncipherment, dataEncipherment
       extendedKeyUsage = serverAuth, clientAuth
       subjectAltName = DNS:server, IP:ServerIPAddress, DNS:server.domain.com

       [ req_distinguished_name ]
       countryName = country
       stateOrProvinceName = state
       localityName = city
       0.organizationName = Organization Name
       organizationalUnitName = Vmware vCenter Service Certificate
       commonName = server.domain.com
    3. Save the file as openssl_vpxd.cfg, but do not close it.
    4. To create the inventory service configuration file, modify the organizationalUnitName to Vmware Inventory Service Certificate and save the file as openssl_inventoryservice.cfg.
    5. To create the vSphere Web Client configuration file, modify the organizationalUnitName to Vmware vCenter Web Client Service Certificate and save the file as openssl_webclient.cfg.
    6. To create the Open LDAP configuration file, modify the organizationalUnitName to Vmware LDAP Service Certificate and save the file as openssl_slapd.cfg.
    7. To create the VAMI configuration file, modify the organizationalUnitName to Vmware vCenter VAMI Certificate and save the file as openssl_vami.cfg.
    8. To create the VMware Log Browser configuration file, modify the organizationalUnitName to Vmware Logbrowser Service Certificate and save the file as openssl_logbrowser.cfg.
    9. To create the vSphere AutoDeploy configuration file, modify the organizationalUnitName to Vmware vCenter autodeploy Service Certificate and save the file as openssl_autodeploy.cfg.

    When complete, there are seven different configuration files each with a different organizationalUnitName. Next, generate the certificate request and corresponding key for each of the certificates.

    To generate a certificate request:

    1. Launch a command prompt and navigate into the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default, the OpenSSL directory is located at:
      C:\OpenSSL-Win32\bin
    2. Run this command, replacing service with the appropriate file:
      openssl req -new -nodes -out rui_service.csr -keyout rui_service.key -config openssl_service.cfg
      For example, to generate the vCenter SSO certificate, run:
      openssl req -new -nodes -out rui_vpxd.csr -keyout rui_vpxd.key -config openssl_vpxd.cfg
      Note: There are no prompts because all information was provided in the openssl.cfg file from above.
    3. Repeat this step for each of the seven different openssl.cfg files. By the end of this section, you have seven different .csr files and seven different .key files.
    When the certificate requests are created, proceed to Getting the certificate.

    Getting the certificate

    After the certificate requests are generated, they must be given to the certificate authority for generation of the actual certificate. The authority responds with a signed certificate and, if appropriate, a copy of their root certificate. For the certificate chain to be trusted, the root certificate must be installed on the server which is requesting the certificate. Follow the appropriate section for the certificate authority in question.

    If using commercial non-Microsoft CAs:

    1. Take each certificate signing request (rui_service.csr, as generated above) and send them to the commercial certificate signing authority.
    2. The CA sends back the generated certificates and the certificate chain file (normally a .PEM file) to ensure that the certificates are trusted.
    3. Proceed to the Installation and configuration of the certificates section of this article to complete the configuration of the custom certificates.

    If using a Microsoft CA:

    1. Log into the Microsoft CA certificate authority web interface. By default, it is:
      http://servername/CertSrv/
    2. Click the Request a certificate link.
    3. Click advanced certificate request.
    4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
    5. Open the certificate request in a plain text editor and paste its contents, from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----, into the Saved Request box.
    6. Select the Certificate Template as Web Server.
      Note: VMware recommends that you create a copy of the Web Server Certificate template and add the Subject Alternative Name field to it. This allows you to specify more than a single name to be valid on the certificate, such as vcenter.domain.com and vcenter. Users can connect to more than one name and communication will still be valid.
    7. Click Submit to submit the request.
    8. Click Base 64 encoded on the Certificate issued screen.
    9. Click the Download Certificate link.
    10. Save the certificate on the desktop of the server as rui_service.crt, where service is the service you are creating a certificate for.
      Note: By default, Microsoft CA certificates are saved with the .cer extension. Either use Save As or rename the file to .crt before continuing with this procedure.
    11. Repeat steps 2 to 10 to create each of the seven certificates from the seven certificate request files generated in the previous section of this document.
    12. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
    13. Click the Base 64 option.
    14. Click the Download CA Certificate chain link.
    15. Save the certificate chain as cachain.p7b.

    When complete, you have seven certificates (rui_service.crt) and the cachain.p7b file. Proceed to Installation and configuration of the certificates to complete the configuration of the custom certificates.

    Installation and configuration of the certificates

    After the certificates have been created, you must validate that the certificates are in the proper format. Edit the certificate with a tool such as Notepad or vi and validate that the file begins with -----BEGIN CERTIFICATE-----. Remove all text before the -----BEGIN CERTIFICATE----- in the rui.crt files.

    To complete the installation and configuration of the certificates in the vCenter Server Appliance:

    Note: Before proceeding, ensure that you back up the existing rui.crt, rui.key, and rui.pfx files.

    1. Stop the VMware VirtualCenter Server service and the SSO service using these commands:
      service vmware-sso stop
      service vmware-vpxd stop
    2. Create a directory using the mkdir command to store the files. This article uses directories named /ssl/service on the vCenter Server Appliance for the file operations. Be sure to create the appropriate directories as you proceed through the article.
    3. Copy rui_vpxd.crt, rui_vpxd.key, and cachain.p7b to the /ssl/vpxd directory on the vCenter Server Appliance.
    4. Rename rui_vpxd.crt to rui.crt by running the command:
      mv rui_vpxd.crt rui.crt
    5. Rename rui_vpxd.key to rui.key by running the command:
      mv rui_vpxd.key rui.key
    6. Run this command to convert the cachain.p7b file to cachain.pem:
      openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem
    7. Create the rui-ca-cert.pem file by running the command:
      cp cachain.pem rui-ca-cert.pem
    8. Create the .pfx file by running the command:
      openssl pkcs12 -export -out rui.pfx -in rui.crt -inkey rui.key -name rui -passout pass:testpassword
    9. Create the root cert chain required for VPXD/SSO by running the command:
      cat rui.crt rui-ca-cert.pem > chain.pem
    10. Add the CA chain to the default location by running the command:
      cp chain.pem /etc/ssl/certs/rootca.pem
    11. Create a hash pointer to this file by running the command:
      ln -s /etc/ssl/certs/rootca.pem /etc/ssl/certs/`openssl x509 -hash -noout -in /etc/ssl/certs/rootca.pem`.0
    12. Change the certs by running the command:
      /usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key
      Wait until you receive this response:
      VC_CFG_RESULT = 0
      The process of replacing vCenter Server and vCenter SSO certificates is complete. This process replaces these files:
      /etc/vmware-vpx/ssl/rui.crt
      /etc/vmware-vpx/ssl/rui.key
      /etc/vmware-vpx/ssl/rui.pfx
      /etc/vmware-vpx/ssl/sms.truststore
      /etc/vmware-sso/keys/sso.crt
      /etc/vmware-sso/keys/sso.key
      /opt/vmware/etc/lighttpd/server.pem
    13. Copy the rui-ca-cert.pem file to the /etc/vmware-vpx/ssl directory by running the command:
      cp rui-ca-cert.pem /etc/vmware-vpx/ssl
    14. Change the permissions on the file by running the command:
      chmod 400 /etc/vmware-vpx/ssl/rui-ca-cert.pem
    15. Restart the vCenter Server Appliance.
    16. Unregister the Inventory Service from SSO by running the commands:
      cd /etc/vmware-sso/register-hooks.d
      ./02-inventoryservice --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
    17. Copy rui_inventoryservice.crt, rui_inventoryservice.key, and a copy of the cachain.pem file as created in step 6 of this section to the /ssl/inventoryservice directory on the vCenter Server Appliance.
    18. Rename rui_inventoryservice.crt to rui.crt by running the command:
      mv rui_inventoryservice.crt rui.crt
    19. Rename rui_inventoryservice.key to rui.key by running the command:
      mv rui_inventoryservice.key rui.key
    20. Create the rui-ca-cert.pem file by running the command:
      cp cachain.pem rui-ca-cert.pem
    21. Create the .pfx file by running the command:
      openssl pkcs12 -export -out rui.pfx -in rui.crt -inkey rui.key -name rui -passout pass:testpassword
    22. Copy rui.key, rui.crt, rui.pfx, and rui-ca-cert.pem to the /usr/lib/vmware-vpx/inventoryservice/ssl directory with the cp command.
    23. Change the permissions on these files by running these commands:
      chmod 400 rui-ca-cert.pem rui.key rui.pfx
      chmod 644 rui.crt
    24. Run these commands to register the Inventory Service back to SSO:
      cd /etc/vmware-sso/register-hooks.d
      ./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
    25. To re-register the Inventory Service to vCenter Server the next time the service starts, run the command:
      rm /var/vmware/vpxd/inventoryservice_registered
    26. Run these commands to restart and register the service:
      service vmware-inventoryservice stop
      service vmware-vpxd stop
      service vmware-inventoryservice start
      service vmware-vpxd start
      When complete, these files have been replaced:
      /usr/lib/vmware-vpx/inventoryservice/ssl/rui-ca-cert.pem
      /usr/lib/vmware-vpx/inventoryservice/ssl/rui.crt
      /usr/lib/vmware-vpx/inventoryservice/ssl/rui.key
      /usr/lib/vmware-vpx/inventoryservice/ssl/rui.pfx
    27. Unregister the vSphere Web Client from SSO by running the commands:
      cd /etc/vmware-sso/register-hooks.d
      ./10-vmware-vsphere-client --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
    28. Copy rui_webclient.crt, rui_webclient.key, and a copy of the cachain.pem file as created in step 6 of this section to the /ssl/vsphere-client directory on the vCenter Server Appliance.
    29. Rename rui_webclient.crt to vsphere-client.crt by running the command:
      mv rui_webclient.crt vsphere-client.crt
    30. Rename rui_webclient.key to vsphere-client.key by running the command:
      mv rui_webclient.key vsphere-client.key
    31. Create the vsphere-client-ca-cert.pem file by running the command:
      cp cachain.pem vsphere-client-ca-cert.pem
    32. Create the .pfx file by running the command:
      openssl pkcs12 -export -out vsphere-client.pfx -in vsphere-client.crt -inkey vsphere-client.key -name rui -passout pass:testpassword
    33. Copy vsphere-client.key, vsphere-client.crt, vsphere-client.pfx, and vsphere-client-ca-cert.pem to the /usr/lib/vmware-vsphere-client/server/SerenityDB/keys directory with the cp command.
    34. Change the permissions on the files by running these commands:
      chmod 400 vsphere-client-ca-cert.pem vsphere-client.key vsphere-client.pfx
      chmod 644 vsphere-client.crt
    35. Run these commands to re-register the web client to SSO:
      cd /etc/vmware-sso/register-hooks.d
      ./10-vmware-vsphere-client --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
    36. Run these commands to restart the service and ensure that it is registered:
      service vsphere-client stop
      service vsphere-client start
      When complete, these files have been replaced:
      /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client-ca-cert.pem
      /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.crt
      /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.key
      /usr/lib/vmware-vsphere-client/server/SerenityDB/keys/vsphere-client.pfx
    37. For OpenLDAP, start by copying rui_slapd.crt, rui_slapd.key, and a copy of the cachain.pem file as created in step 6 of this section to the /ssl/slapd directory on the vCenter Server Appliance.
    38. Rename rui_slapd.crt to slapd.crt by running the command:
      mv rui_slapd.crt slapd.crt
    39. Rename rui_slapd.key to slapd.key by running the command:
      mv rui_slapd.key slapd.key
    40. Create the slapd-ca-cert.pem file by running the command:
      cp cachain.pem slapd-ca-cert.pem
    41. Create the .pfx file by running the command:
      openssl pkcs12 -export -out slapd.pfx -in slapd.crt -inkey slapd.key -name rui -passout pass:testpassword
    42. Copy slapd.key, slapd.crt, slapd.pfx, and slapd-ca-cert.pem to the /etc/openldap/ssl directory with the cp command.
    43. Change the permissions and ownership on the files by running these commands:
      chmod 400 slapd-ca-cert.pem slapd.key slapd.pfx
      chmod 644 slapd.crt
      chown ldap:root slapd.*
    44. Run these commands to restart the service and ensure that it is registered:
      service vmware-vpxd stop
      service vmware-vpxd start
      When complete, these files have been replaced:
      /etc/openldap/ssl/slapd-ca-cert.pem
      /etc/openldap/ssl/slapd.crt
      /etc/openldap/ssl/slapd.key
      /etc/openldap/ssl/slapd.pfx
    45. For VAMI, start by copying the rui_vami.crt, rui_vami.key, and a copy of the cachain.pem file as created in step 6 of this section to the /ssl/vami directory on the vCenter Server Appliance.
    46. Rename rui_vami.crt to vami.crt by running the command:
      mv rui_vami.crt vami.crt
    47. Rename rui_vami.key to vami.key by running the command:
      mv rui_vami.key vami.key
    48. Create the vami-ca-cert.pem file by running the command:
      cp cachain.pem vami-ca-cert.pem
    49. Create the .pfx file by running the command:
      openssl pkcs12 -export -out vami.pfx -in vami.crt -inkey vami.key -name rui -passout pass:testpassword
    50. Unregister the service from vSphere SSO by running the commands:
      cd /etc/vmware-sso/register-hooks.d
      ./10-vami --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
    51. Copy vami.key, vami.crt, vami.pfx, and vami-ca-cert.pem to the /etc/vmware-sso/keys directory with the cp command.
    52. Change the permissions on the files by running these commands:
      chmod 400 vami-ca-cert.pem vami.key vami.pfx
      chmod 644 vami.crt
    53. Run these commands to re-register the VAMI service to SSO:
      cd /etc/vmware-sso/register-hooks.d
      ./10-vami --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
    54. Restart the vCenter Server Appliance. When complete, these files have been replaced:
      /etc/vmware-sso/keys/vami-ca-cert.pem
      /etc/vmware-sso/keys/vami.crt
      /etc/vmware-sso/keys/vami.key
      /etc/vmware-sso/keys/vami.pfx
    55. Unregister the Log Browser service from SSO by running the commands:
      cd /etc/vmware-sso/register-hooks.d
      ./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
    56. Copy the rui_logbrowser.crt, rui_logbrowser.key, and a copy of the cachain.pem file as created in step 6 of this section to the /ssl/logbrowser directory on the vCenter Server Appliance.
    57. Rename rui_logbrowser.crt to rui.crt by running the command:
      mv rui_logbrowser.crt rui.crt
    58. Rename rui_logbrowser.key to rui.key by running the command:
      mv rui_logbrowser.key rui.key
    59. Create the rui-ca-cert.pem file by running the command:
      cp cachain.pem rui-ca-cert.pem
    60. Create the .pfx file by running the command:
      openssl pkcs12 -export -out rui.pfx -in rui.crt -inkey rui.key -name rui -passout pass:testpassword
    61. Copy rui.key, rui.crt, rui.pfx, and rui-ca-cert.pem to the /usr/lib/vmware-logbrowser/conf directory with the cp command.
    62. Change the permissions on the files by running these commands:
      chmod 400 rui-ca-cert.pem rui.key rui.pfx
      chmod 644 rui.crt
    63. Run these commands to re-register the Log Browser service to SSO:
      cd /etc/vmware-sso/register-hooks.d
      ./09-vmware-logbrowser --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user root --password password_of_root_user
    64. From the /ssl/vpxd folder (or the location where you stored the VPXD/SSO certificates), run this command to create a .pfx that includes the SSO certificate (rui.crt), SSO key (rui.key), and the CA certificate (cachain.pem):
      openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile cachain.pem -name "rui" -passout pass:testpassword -out ruiSTS.pfx
    65. Convert this to a Java keystore by running the command:
      keytool -v -importkeystore -srckeystore ruiSTS.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore rui.jks -deststoretype JKS -deststorepass changeit -destkeypass changeit
      Note: Do not change the destination store password from changeit.
    66. Copy the file to the machine that will be used to log into the vSphere Web Client.
    67. Log into the vSphere WebClient as admin@system-domain.
    68. Navigate to Administration > Sign-On and Discovery > Configuration, then click the STS Certificate tab.
    69. Click Edit > Browse.
    70. Navigate to rui.jks.
    71. When prompted, enter changeit as the password and click OK. The rui key chain is shown in the interface.
    72. Click rui.
    73. Click OK.
    74. When prompted for the password, enter changeit. You see another chain added, and the certificate is available in the GUI.
    75. When complete, restart the Log Browser, Inventory, and vpxd services by running the commands:
      service vmware-inventoryservice stop
      service vmware-inventoryservice start
      service vmware-logbrowser stop
      service vmware-logbrowser start
      service vmware-vpxd stop
      service vmware-vpxd start
      When complete, these files have been replaced:
      /usr/lib/vmware-logbrowser/conf/rui-ca-cert.pem
      /usr/lib/vmware-logbrowser/conf/rui.crt
      /usr/lib/vmware-logbrowser/conf/rui.key
      /usr/lib/vmware-logbrowser/conf/rui.pfx
    76. For Auto Deploy, start by copying the rui_autodeploy.crt and rui_autodeploy.key files to the /ssl/autodeploy directory on the vCenter Server Appliance.
    77. Rename rui_autodeploy.crt to waiter.crt by running the command:
      mv rui_autodeploy.crt waiter.crt
    78. Rename rui_autodeploy.key to waiter.key by running the command:
      mv rui_autodeploy.key waiter.key
    79. Copy the waiter.key and waiter.crt files to /etc/vmware-rbd/ssl.
    80. Change the permissions and ownership on the waiter files by running the commands:
      chmod 644 waiter.crt
      chmod 400 waiter.key
      chown deploy:deploy waiter.crt waiter.key
    81. Re-register the service to the vCenter Server with the commands:
      /etc/init.d/vmware-rbd-watchdog stop
      rm /var/vmware/vpxd/autodeploy_registered
      service vmware-vpxd restart
      When complete, these files have been replaced:
      /etc/vmware-rbd/ssl/waiter.crt
      /etc/vmware-rbd/ssl/waiter.key

    Additional Information

    If you need to roll back or generate the default certificates:
    1. Go to https://<vCenter IP address or FQDN>:5480.
    2. Click the Admin tab.
    3. Click Toggle certificate setting under Actions.
    4. Restart the vCenter Server Appliance. During the restart, the certificates are regenerated.
    5. Click the Admin tab and disable the Toggle certificate setting.

    Mar 09

    Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 (2057223)

    Purpose

    This article guides you through the configuration of Certificate Authority (CA) certificates for the vCenter Server Appliance 5.5. This process addresses common issues during certificate implementation, including configuration steps and pointers to avoid misconfiguration.
    Note: This article applies specifically to vSphere 5.5. If you are using vSphere 5.1, see Configuring certificates signed by a Certificate Authority (CA) for vCenter Server Appliance 5.1 (2036744).

    Resolution

    Managing CA-signed certificates for the vCenter Server Appliance is a complex task. In many organizations it is required to maintain proper security for regulatory requirements. These workflows are required for successful implementation:

    These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server Appliance. Before attempting these steps, ensure that:

    Requirements for the certificates used by vCenter Server Appliance

    • Key Length – The key length currently must be a maximum of 2048 bits. Before proceeding, confirm the key length from the PEM-encoded key file.
    • Key File Format – Only PKCS1 is supported by all components. Make sure the base64 encoded key is in PKCS1 format. You may get RSA private keys in PKCS8 format when using some OpenSSL commands. The header of a PKCS8 key is:
      -----BEGIN PRIVATE KEY-----
      For PKCS1, it is:
      -----BEGIN RSA PRIVATE KEY-----
      Open the key file to check this. If it is in PKCS8 format, run this command to convert it to PKCS1:
      openssl rsa -in pk8.key -out pk1.key
    • Cert File Format – Only some components support the PEM format of cert file. Make sure your cert file can be loaded by all components. Remove everything before the -----BEGIN CERTIFICATE----- line so that it is the first line of the file.
    • Certificate content – The commonName field in the Subject must be the hostname. The Subject Alternative Name subjectAltname must include the host FQDN and IP address. Otherwise, un-registering the Inventory service from SSO fails.
    • Elliptic Curve Keys – These are not currently supported.
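    The checks in the two requirement lists on this page (key size, PKCS1 versus PKCS8 container, no elliptic curve keys, nothing before the -----BEGIN CERTIFICATE----- line) can be scripted so that every key and certificate is inspected before it is copied to the appliance. The following Python script is an added example and is not part of the KB article: it uses only the standard library and reads just enough of the PEM and DER structure to answer those questions. The placeholder keys it builds (fake_pkcs1, fake_pkcs8) are constructed test data with the correct DER shape and cannot be used for signing; the function names are the example's own.

```python
"""Pre-flight checks for the key and certificate files described above: PEM container
(PKCS#1 vs PKCS#8), key type (RSA vs EC), RSA modulus size, and text before
-----BEGIN CERTIFICATE-----. Standard library only; reads just enough DER to decide."""
import base64
import re

OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 ecPublicKey


def pem_body(text, label):
    """DER bytes of the first -----BEGIN <label>----- block in text, or None."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % ((re.escape(label),) * 2), text, re.S)
    return None if m is None else base64.b64decode("".join(m.group(1).split()))


def der_read(buf, pos=0):
    """One DER TLV at pos -> (tag, value, next_pos). Single-byte tags, definite lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(rsa_private_key):
    """Modulus size of a PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, d, ... }."""
    _, seq, _ = der_read(rsa_private_key)
    _, _, pos = der_read(seq)              # INTEGER version
    _, modulus, _ = der_read(seq, pos)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def inspect_key(pem_text):
    """("pkcs1", bits), ("pkcs8-rsa", bits), ("ec", None) or ("unknown", None)."""
    if pem_body(pem_text, "EC PRIVATE KEY") is not None:
        return "ec", None
    der = pem_body(pem_text, "RSA PRIVATE KEY")
    if der is not None:
        return "pkcs1", rsa_modulus_bits(der)
    der = pem_body(pem_text, "PRIVATE KEY")   # PKCS#8 PrivateKeyInfo
    if der is not None:
        _, info, _ = der_read(der)
        _, _, pos = der_read(info)            # INTEGER version
        _, alg_id, pos = der_read(info, pos)  # AlgorithmIdentifier
        _, oid, _ = der_read(alg_id)          # OBJECT IDENTIFIER
        _, key, _ = der_read(info, pos)       # OCTET STRING privateKey
        if oid == OID_RSA:
            return "pkcs8-rsa", rsa_modulus_bits(key)
        if oid == OID_EC:
            return "ec", None
    return "unknown", None


def check_key(pem_text, max_bits=2048):
    """Apply the article's key requirements; returns a list of problems (empty = OK)."""
    fmt, bits = inspect_key(pem_text)
    if fmt == "ec":
        return ["elliptic curve keys are not supported"]
    if fmt == "unknown":
        return ["not a PEM-encoded private key"]
    problems = []
    if fmt == "pkcs8-rsa":
        problems.append("key is PKCS#8; convert with: openssl rsa -in pk8.key -out pk1.key")
    if bits > max_bits:
        problems.append("key is %d bits; maximum is %d" % (bits, max_bits))
    return problems


def clean_certificate(text):
    """Drop everything before the first -----BEGIN CERTIFICATE----- (e.g. 'Bag Attributes')."""
    start = text.find("-----BEGIN CERTIFICATE-----")
    return None if start < 0 else text[start:]


# Constructed test data: placeholder keys with the right DER shape, not usable for signing.
def der_tlv(tag, value):
    n = len(value)
    if n >= 0x80:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(raw)]) + raw + value
    return bytes([tag, n]) + value


def der_int(value):                        # spare byte keeps the INTEGER positive
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def fake_pkcs1(bits):
    modulus = (1 << (bits - 1)) | 1          # only its size matters to the check
    fields = [0, modulus, 65537] + [1] * 6   # version, n, e, then d/p/q/dp/dq/qinv placeholders
    return der_tlv(0x30, b"".join(der_int(f) for f in fields))


def fake_pkcs8(bits):
    alg_id = der_tlv(0x30, der_tlv(0x06, OID_RSA) + der_tlv(0x05, b""))
    return der_tlv(0x30, der_int(0) + alg_id + der_tlv(0x04, fake_pkcs1(bits)))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)
```

    Run check_key() on the text of each rui_service.key and clean_certificate() on each rui_service.crt before starting the installation steps; a non-empty list from check_key() names the reason a component would later refuse to load the key, and the conversion it suggests is the article's own openssl rsa command.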

    Generating the certificate requests

    For each component of the vCenter Server Appliance, you must have a custom certificate that has a unique Subject Distinguished Name encoded within the certificate.

    Note: A unique organizationalUnitName (OU) is not essential, but it is recommended by VMware; the requirement for proper certificate requests, and therefore certificate generation, is a unique Subject Distinguished Name. The OU is just one part of the distinguished name (DN), and a unique OU is one way to achieve a unique DN, but it is not the only method.

    This means that four different certificates are required for each vCenter Server Appliance:

    • vCenter Server / vCenter Single Sign-On (SSO)
    • vCenter Inventory Service
    • VMware Log Browser
    • vSphere AutoDeploy

    Note: The vSphere Web Client and the Virtual Appliance Management Infrastructure (VAMI) use the same SSL certificate as vCenter Server. vSphere Auto Deploy does not register a solution user and does not require a unique certificate (the vCenter Server certificate can be safely reused); however, the steps provided will install a unique certificate.

    To simplify the process, this article provides the steps to create different openssl.cfg files for each component.

    This article uses /ssl/service to store all of the files on the vCenter Server Appliance before the certificates are installed. This article also uses C:\Certs to store all files on the system creating the certificate requests and certificate generation before uploading to the vCenter Server Appliance.

    To generate the appropriate configuration files:

    1. On the system where you are generating the certificates, create a folder in which you can store the certificates for the different components. These steps use the C:\Certs folder.
    2. In the C:\Certs folder, create four folders to organize your certificate requests. These steps use these four folders:
      • vCenterSSO
      • InventoryService
      • LogBrowser
      • AutoDeploy
    3. Open a text editor on the system where OpenSSL is installed.
    4. Create an OpenSSL configuration file for each service. A sample configuration file appears similar to:
      [ req ]
      default_md = sha512
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req
      input_password = testpassword
      output_password = testpassword

      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS:vcva55, IP:10.0.0.10, IP:ServerIPv6Address, DNS:vcva55.vmware.com

      [ req_distinguished_name ]
      countryName = US
      stateOrProvinceName = NY
      localityName = New York
      0.organizationName = VMware
      organizationalUnitName = vCenterApplianceUniqueServer
      commonName = vcva55.vmware.com
      Paste this text into the file, replacing the sample values (host names, IP addresses and the distinguished-name fields) where appropriate.
      Note: The country name is always the two-letter country code for the country.
      Steps 4 to 9 discuss the changes that need to be made in each certificate file.
    5. Save the file as openssl_generic.cfg in c:\certs\.
      Note: If you are not using IPv6 in your environment, the IPv6 entry can be omitted from the subjectAltName.
    6. For the VirtualCenter Server Service configuration file, modify the organizationalUnitName to VMware vCenter Service Certificate and save the file as openssl_vpxd.cfg in c:\certs\vCenterSSO\.
      [ req ]
      default_md = sha512
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req
      input_password = testpassword
      output_password = testpassword

      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com

      [ req_distinguished_name ]
      countryName = Country
      stateOrProvinceName = State
      localityName = City
      0.organizationName = Organization Name
      organizationalUnitName = VMware vCenter Service Certificate
      commonName = server.domain.com
    7. For the vCenter Inventory Service configuration file, modify the organizationalUnitName to VMware Inventory Service Certificate and save the file as openssl_inventoryservice.cfg in c:\certs\InventoryService\.
      [ req ]
      default_md = sha512
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req
      input_password = testpassword
      output_password = testpassword

      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com

      [ req_distinguished_name ]
      countryName = Country
      stateOrProvinceName = State
      localityName = City
      0.organizationName = Organization Name
      organizationalUnitName = VMware Inventory Service Certificate
      commonName = server.domain.com
    8. To create the VMware Log Browser configuration file, modify the organizationalUnitName to VMware LogBrowser Service Certificate and save the file as openssl_logbrowser.cfg in c:\certs\LogBrowser\.
      [ req ]
      default_md = sha512
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req
      input_password = testpassword
      output_password = testpassword

      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com

      [ req_distinguished_name ]
      countryName = Country
      stateOrProvinceName = State
      localityName = City
      0.organizationName = Organization Name
      organizationalUnitName = VMware LogBrowser Service Certificate
      commonName = server.domain.com
    9. To create the vSphere Auto Deploy configuration file, modify the organizationalUnitName to VMware vSphere Autodeploy Service Certificate and save the file as openssl_autodeploy.cfg in c:\certs\AutoDeploy\.
      [ req ]
      default_md = sha512
      default_bits = 2048
      default_keyfile = rui.key
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req
      input_password = testpassword
      output_password = testpassword

      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = digitalSignature, keyEncipherment, dataEncipherment
      extendedKeyUsage = serverAuth, clientAuth
      subjectAltName = DNS:server, IP:ServerIPv4Address, IP:ServerIPv6Address, DNS:server.domain.com

      [ req_distinguished_name ]
      countryName = Country
      stateOrProvinceName = State
      localityName = City
      0.organizationName = Organization Name
      organizationalUnitName = VMware vSphere Autodeploy Service Certificate
      commonName = server.domain.com

    When complete, there are four service configuration files (plus the generic template), each with a different organizationalUnitName. Next, generate the certificate request and corresponding key for each of the certificates.

    To generate a certificate request:

    1. Launch a command prompt and navigate into the OpenSSL directory as previously configured in the Configuring OpenSSL article. By default, the OpenSSL directory is located at:
      C:\OpenSSL-Win32\bin
    2. Run this command to create the vCenter Server and vCenter Single Sign-On certificate request and export the private key:
      openssl req -new -nodes -out c:\certs\vCenterSSO\rui_vpxd.csr -keyout c:\certs\vCenterSSO\rui_vpxd.key -config c:\certs\vCenterSSO\openssl_vpxd.cfg
    3. Run this command to create the vCenter Inventory Service certificate request and export the private key:
      openssl req -new -nodes -out c:\certs\InventoryService\rui_inventoryservice.csr -keyout c:\certs\InventoryService\rui_inventoryservice.key -config c:\certs\InventoryService\openssl_inventoryservice.cfg
    4. Run this command to create the vSphere Log Browser certificate request and export the private key:
      openssl req -new -nodes -out c:\certs\LogBrowser\rui_logbrowser.csr -keyout c:\certs\LogBrowser\rui_logbrowser.key -config c:\certs\LogBrowser\openssl_logbrowser.cfg
    5. Run this command to create the vSphere AutoDeploy certificate request and export the private key:
      openssl req -new -nodes -out c:\certs\AutoDeploy\rui_autodeploy.csr -keyout c:\certs\AutoDeploy\rui_autodeploy.key -config c:\certs\AutoDeploy\openssl_autodeploy.cfg

    After running these commands, you now have the rui_service.csr and rui_service.key files located in each respective directory.
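    The two request-generation procedures on this page (seven configuration files for the 5.1 appliance earlier, four for 5.5 here) repeat the same OpenSSL configuration with only the organizationalUnitName changed. The following Python script is an added example and not part of the KB article: it renders each 5.5 configuration file from one template, runs the article's openssl req command for each service, and then applies the article's openssl rsa conversion so that each key ends up in PKCS1 form. It assumes the C:\Certs layout from the article (override it with the CERTS_BASE environment variable), that openssl is on the PATH, and the sample host vcva55 / 10.0.0.10; the SERVICES table and the function names are the example's own.

```python
"""Render the per-service openssl .cfg files from one template, run the matching
'openssl req' for each service, then re-encode the key as PKCS#1 with 'openssl rsa'
(the article's conversion) so the key is in the format the appliance expects."""
import os
import subprocess

# Assumed layout: the article's C:\Certs tree; override with the CERTS_BASE environment variable.
BASE = os.environ.get("CERTS_BASE", r"C:\Certs")

# folder -> (file stem, organizationalUnitName), as listed in the article
SERVICES = {
    "vCenterSSO": ("vpxd", "VMware vCenter Service Certificate"),
    "InventoryService": ("inventoryservice", "VMware Inventory Service Certificate"),
    "LogBrowser": ("logbrowser", "VMware LogBrowser Service Certificate"),
    "AutoDeploy": ("autodeploy", "VMware vSphere Autodeploy Service Certificate"),
}

TEMPLATE = """[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = {san}

[ req_distinguished_name ]
countryName = {country}
stateOrProvinceName = {state}
localityName = {city}
0.organizationName = {org}
organizationalUnitName = {ou}
commonName = {fqdn}
"""


def subject_alt_name(short_name, fqdn, ipv4, ipv6=None):
    """DNS short name, IPv4, optional IPv6 (left out when None, as the article allows), FQDN."""
    parts = ["DNS:" + short_name, "IP:" + ipv4]
    if ipv6:
        parts.append("IP:" + ipv6)
    parts.append("DNS:" + fqdn)
    return ", ".join(parts)


def render_config(ou, short_name, fqdn, ipv4, ipv6=None,
                  country="US", state="NY", city="New York", org="VMware"):
    """The .cfg text for one service; only the OU differs between services."""
    return TEMPLATE.format(san=subject_alt_name(short_name, fqdn, ipv4, ipv6), country=country,
                           state=state, city=city, org=org, ou=ou, fqdn=fqdn)


def req_command(folder, stem):
    """argv for the article's request command: openssl req -new -nodes -out ... -keyout ... -config ..."""
    d = os.path.join(BASE, folder)
    return ["openssl", "req", "-new", "-nodes",
            "-out", os.path.join(d, "rui_%s.csr" % stem),
            "-keyout", os.path.join(d, "rui_%s.key" % stem),
            "-config", os.path.join(d, "openssl_%s.cfg" % stem)]


def pkcs1_command(folder, stem):
    """argv for 'openssl rsa -in ... -out ...', writing a PKCS#1 copy next to the original key."""
    key = os.path.join(BASE, folder, "rui_%s.key" % stem)
    return ["openssl", "rsa", "-in", key, "-out", key + ".pkcs1"]


def generate_all(short_name, fqdn, ipv4, ipv6=None, run=True):
    """Write every .cfg file; with run=True also create the CSR and key and normalise the key."""
    written = []
    for folder, (stem, ou) in SERVICES.items():
        d = os.path.join(BASE, folder)
        os.makedirs(d, exist_ok=True)
        cfg = os.path.join(d, "openssl_%s.cfg" % stem)
        with open(cfg, "w") as f:
            f.write(render_config(ou, short_name, fqdn, ipv4, ipv6))
        written.append(cfg)
        if run:
            subprocess.run(req_command(folder, stem), check=True)
            subprocess.run(pkcs1_command(folder, stem), check=True)
            key = os.path.join(d, "rui_%s.key" % stem)
            os.replace(key + ".pkcs1", key)   # keep the PKCS#1 form under the article's file name
    return written


if __name__ == "__main__":
    # Assumed sample host; replace with the appliance's short name, FQDN and addresses.
    generate_all("vcva55", "vcva55.vmware.com", "10.0.0.10")
```

    Call generate_all() with run=False to write only the .cfg files and review them before anything is signed; subject_alt_name() leaves the IPv6 entry out when none is given, which matches the note on the generic configuration file above.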

    When the certificate requests are created, proceed to the Getting the certificates section.

    Getting the certificates

    After the certificate requests are generated, they must be given to the certificate authority for generation of the actual certificate. The authority responds with a signed certificate and, if appropriate, a copy of their root certificate. For the certificate chain to be trusted, the root certificate must be installed on the server which is requesting the certificate.

    Follow the appropriate section for the certificate authority used.

    If you are using commercial non-Microsoft CAs:

    1. Take each certificate signing request (rui.csr, as generated above) and send it to the commercial certificate signing authority.
    2. The CA sends back the generated certificates and the certificate chain file (normally a .PEM file) to ensure that the certificates are trusted.
    3. Proceed to the Installation and configuration of the certificates section of this article to complete the configuration of the custom certificates.

    If you are using a Microsoft CA:

    1. Log in to the Microsoft CA certificate authority web interface. By default, it is:
      http://servername/CertSrv/
    2. Click the Request a certificate link.
    3. Click advanced certificate request.
    4. Click the Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file link.
    5. Open the certificate request (rui_service.csr, as generated above for each component) in a plain text editor and paste this text into the Saved Request box:
      -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----
    6. Select the Certificate Template as Web Server.
      Note: VMware recommends that you create a copy of the Web Server Certificate and add the Subject Alternative Name field to it. This allows you to specify more than a single name to be valid on the certificate, such as vcenter.domain.com and vcenter. Users can connect to more than one name and communication will still be valid.
    7. Click Submit to submit the request.
    8. Click Base 64 encoded on the Certificate issued screen.
    9. Click the Download Certificate link.
    10. Save the certificate as rui_service.crt, in the appropriate c:\certs\<service>\ folder. For example:
      rui_vpxd.crt
      Notes:
      • Before proceeding, confirm that the three key usages are present on the .crt file by viewing its properties. This can be found by opening the rui.crt, clicking the Details tab, and locating the Key Usage row under Field. The default install of Windows Server 2008 with the CA role will not create *.crt files properly. You must first modify the digitalSignature, keyEncipherment, and dataEncipherment fields on the CA server's Web Server template before continuing. For more information, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108).
      • By default, Microsoft CA certificates are generated with the .cer format. Either use Save As or change it to .crt before continuing with this procedure.
    11. Repeat Steps 2 to 10 for each of the additional services.
    12. Navigate back to the home page of the certificate server and click Download a CA certificate, certificate chain or CRL.
    13. Click the Base 64 option.
    14. Click the Download CA Certificate chain link.
    15. Save the certificate chain as cachain.p7b in the c:\certs\ directory.

    When complete, you have four certificates (rui_service.crt), one for each of the services, and either the cachain.pem (for non-Microsoft CA providers) or the cachain.p7b (if the certificates are generated using a Microsoft CA) file generated in their respective c:\certs\<services> folders. Proceed to the Installation and configuration of the certificates section to complete the configuration of the custom certificates.

    Installation and configuration of the certificates for all the components

    After the certificates are created, you must validate that the certificates are in the proper format. Edit the certificate with a tool such as Notepad or vi and validate that the file begins with -----BEGIN CERTIFICATE-----. Remove all text before the -----BEGIN CERTIFICATE----- in the rui.crt files.

    To complete the installation and configuration of the certificates in the vCenter Server Appliance:

    Note: Before proceeding, ensure you back up the existing rui.crt, rui.key, and rui.pfx files.

    1. Connect to the vCenter Server Appliance via SSH.
    2. Stop the VMware VirtualCenter Server service and the vCenter Single Sign-On service using these commands:
      service vmware-stsd stop
      service vmware-vpxd stop
    3. Create a directory using the mkdir command to store the files. This article uses directories named /ssl/service on the vCenter Server Appliance for the file operations. Be sure to create the appropriate directories as you proceed through the article. Use these models as examples:
      mkdir ssl
      mkdir ssl/vpxd
      mkdir ssl/inventoryservice
      mkdir ssl/logbrowser
      mkdir ssl/autodeploy
    4. Using WinSCP from the system you created all of the SSL certificates on, copy rui_vpxd.crt, rui_vpxd.key, and the cachain.p7b file from c:\certs\vCenterSSO to the /ssl/vpxd directory on the vCenter Server Appliance.
      Note: In this step, ignore the cachain.p7b file if the certificate is obtained using a non-Microsoft CA.
    5. Rename rui_vpxd.crt to rui.crt by running the command:
      cp ssl/vpxd/rui_vpxd.crt ssl/vpxd/rui.crt
    6. Rename rui_vpxd.key to rui.key by running the command:
      cp ssl/vpxd/rui_vpxd.key ssl/vpxd/rui.key
    7. From the vCenter Server Appliance, run the following commands to convert the cachain.p7b file to cachain.pem:
      cd ssl/vpxd/
      openssl pkcs7 -print_certs -in cachain.p7b -out cachain.pem
      Note: This step can be ignored if the certificate is obtained using a non-Microsoft CA.
    8. Open the cachain.pem file with VI editor. For more information, see Editing files on an ESX host using vi or nano (1020302).
    9. Using VI editor, remove any text before the first "-----BEGIN CERTIFICATE-----" and after "-----END CERTIFICATE-----".
      Note: This assumes there are no intermediate certificates in the Certificate Authority. If you are using two or more levels in the Certificate Authorities, remove any text in between the -----END CERTIFICATE----- of the intermediate thumbprint and -----BEGIN CERTIFICATE----- of the Root CA thumbprint. Before editing, review the chain.pem file to ensure all intermediates and the Root CA server thumbprints are present. If the file does not contain the authority certificate, obtain it from the Certification Authority and append it manually. This should result in a concatenated file similar to the model below:
      -----BEGIN CERTIFICATE-----
      Thumbprint Intermediate(n) CA Server
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Thumbprint Intermediate(2) CA Server
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Thumbprint Intermediate(1) CA Server
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      Thumbprint Root CA Server
      -----END CERTIFICATE-----
    10. Create the chain.pem file for the vCenter Server service by running the command:
      cat rui.crt cachain.pem > chain.pem
    11. Replace the SSL certs by running the command:
      /usr/sbin/vpxd_servicecfg certificate change chain.pem rui.key
      Wait until you receive this response:
      VC_CFG_RESULT = 0
      Note: The command prints the outcome code using this syntax:
      VC_CFG_RESULT=CODE
      Status code 0 means success. For details on all possible error conditions, see Decoding non-zero VC_CFG_RESULT for failed vpxd_servicecfg certificate changes (2057248).
    12. Ensure the vCenter Single Sign-On service is started before continuing by running the command:
      service vmware-stsd start
    13. Unregister the vCenter Inventory Service from vCenter Single Sign-On by running the commands:
      cd /etc/vmware-sso/register-hooks.d
      ./02-inventoryservice --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
    14. Using WinSCP from the system you created all of the SSL certificates on, copy rui_inventoryservice.crt and rui_inventoryservice.key from c:\certs\InventoryService to the /ssl/inventoryservice directory on the vCenter Server Appliance.
    15. Copy the edited cachain.pem file from Step 9 to the /ssl/inventoryservice directory using the following commands:
      cd
      cp ssl/vpxd/cachain.pem ssl/inventoryservice/
    16. Rename rui_inventoryservice.crt to rui.crt by running the command:
      cp ssl/inventoryservice/rui_inventoryservice.crt ssl/inventoryservice/rui.crt
    17. Rename rui_inventoryservice.key to rui.key by running the command:
      cp ssl/inventoryservice/rui_inventoryservice.key ssl/inventoryservice/rui.key
    18. Create the chain.pem file for vCenter Inventory Service by running the commands:
      cd ssl/inventoryservice
      cat rui.crt cachain.pem > chain.pem
    19. Create the *.pfx file by running the command:
      openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword
    20. Copy the rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-vpx/inventoryservice/ssl directory:
      cp rui.key /usr/lib/vmware-vpx/inventoryservice/ssl
      cp rui.crt /usr/lib/vmware-vpx/inventoryservice/ssl
      cp rui.pfx /usr/lib/vmware-vpx/inventoryservice/ssl
    21. Change the permissions on these files by running these commands:
      cd /usr/lib/vmware-vpx/inventoryservice/ssl/
      chmod 400 rui.key rui.pfx
      chmod 644 rui.crt
    22. Run these commands to register the vCenter Inventory Service back to vCenter Single Sign-On:
      cd /etc/vmware-sso/register-hooks.d
      ./02-inventoryservice --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user sso_administrator --password sso_administrator_password
      Note: Because this command carries the password in plain text, run the unset HISTFILE command before executing step 22 so that the password is not written to the shell history file.
      Note: The default SSO administrator username for vCenter Single Sign-On 5.5 is administrator@vSphere.local
      After a successful registration, you see output similar to:
      Logbrowser Successful Reg
    23. To re-register the vCenter Inventory Service to vCenter Server the next time the service starts, run this command:
      rm /var/vmware/vpxd/inventoryservice_registered
    24. Run these commands to restart and register the service:
      service vmware-inventoryservice stop
      service vmware-vpxd stop
      service vmware-inventoryservice start
      service vmware-vpxd start
    25. Unregister the VMware Log Browser service from vCenter Single Sign-On by running the commands:
      cd /etc/vmware-sso/register-hooks.d
      ./09-vmware-logbrowser --mode uninstall --ls-server https://server.domain.com:7444/lookupservice/sdk
    26. Using WinSCP from the system you created all of the SSL certificates on, copy rui_logbrowser.crt and rui_logbrowser.key from c:\certs\LogBrowser to the /ssl/logbrowser directory on the vCenter Server Appliance.
    27. Copy the edited cachain.pem file from Step 9 to the /ssl/logbrowser directory using the following commands:
      cd
      cp ssl/vpxd/cachain.pem ssl/logbrowser
    28. Rename rui_logbrowser.crt to rui.crt by running the command:
      cp ssl/logbrowser/rui_logbrowser.crt ssl/logbrowser/rui.crt
    29. Rename rui_logbrowser.key to rui.key by running the command:
      cp ssl/logbrowser/rui_logbrowser.key ssl/logbrowser/rui.key
    30. Create the chain.pem file for the VMware Log Browser service by running the commands:
      cd ssl/logbrowser
      cat rui.crt cachain.pem > chain.pem
    31. Create the *.pfx file by running the command:
      openssl pkcs12 -export -out rui.pfx -in chain.pem -inkey rui.key -name rui -passout pass:testpassword
    32. Copy the rui.key, rui.crt, and rui.pfx files to the /usr/lib/vmware-logbrowser/conf directory:
      cp rui.key /usr/lib/vmware-logbrowser/conf
      cp rui.crt /usr/lib/vmware-logbrowser/conf
      cp rui.pfx /usr/lib/vmware-logbrowser/conf
    33. Change the permissions on the files by running these commands:
      cd /usr/lib/vmware-logbrowser/conf
      chmod 400 rui.key rui.pfx
      chmod 644 rui.crt
    34. Run these commands to re-register the VMware Log Browser service to vCenter Single Sign-On:
      cd /etc/vmware-sso/register-hooks.d
      ./09-vmware-logbrowser --mode install --ls-server https://server.domain.com:7444/lookupservice/sdk --user sso_administrator --password sso_administrator_password
      Note: The default SSO administrator username for vCenter Single Sign-On 5.5 is administrator@vSphere.local
      A successful registration will output the following:
    35. When complete, restart the Log Browser service by running the commands:
      service vmware-logbrowser stop
      service vmware-logbrowser start
      Note: If you plan to skip the replacement of certificates for any of the components, such as vSphere Auto Deploy, you must restart the vCenter Server Appliance after the last certificate is replaced/services restarted. Proceed to step 40.
    36. Using WinSCP from the system you created all of the SSL certificates on, copy the rui_autodeploy.crt and rui_autodeploy.key from c:\certs\AutoDeploy to the /ssl/autodeploy directory on the vCenter Server Appliance.
    37. Copy the rui_autodeploy.crt and rui_autodeploy.key to the /etc/vmware-vpx/ssl/ directory:
      cd
      cp ssl/autodeploy/rui_autodeploy.crt /etc/vmware-rbd/ssl/waiter.crt
      cp ssl/autodeploy/rui_autodeploy.key /etc/vmware-rbd/ssl/waiter.key
    38. Change the permissions and ownership on the waiter files by running these commands:
      cd /etc/vmware-rbd/ssl/
      chmod 644 waiter.crt
      chmod 400 waiter.key
      chown deploy:deploy waiter.crt waiter.key
    39. Re-register the service to the vCenter Server with the commands:
      service vmware-rbd-watchdog stop
      rm /var/vmware/vpxd/autodeploy_registered
      service vmware-vpxd restart
    40. Restart the vCenter Server Appliance. For more information, see Stopping, starting, or restarting vCenter Server Appliance services (2054085).
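    The PEM clean-up that the validation paragraph at the top of this section and steps 9 and 10 describe by hand (strip everything outside the BEGIN/END CERTIFICATE markers, then concatenate the leaf certificate and the CA chain into chain.pem) can be scripted so it is repeatable for all four services and so a mistake (an empty or truncated chain file, a leaf file that holds no certificate, Windows line endings) is caught before vpxd_servicecfg is fed the result. The script below is an added example, not VMware's code or part of the KB article; it uses only POSIX sh and awk, the file names follow the article's rui.crt / cachain.pem / chain.pem convention, and the sample PEM bodies in the usage are constructed placeholders rather than real certificates. It does not verify that the chain actually validates the leaf; openssl verify on the appliance is still the final check.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): normalize PEM files received
# from a CA and assemble chain.pem as in steps 9-10.  POSIX sh + awk only.

# Keep only the certificate blocks from a file, dropping anything outside
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- (Bag Attributes or
# other preamble some CAs emit, text between blocks) and Windows CR bytes.
# Usage: pem_clean input_file output_file
pem_clean() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
        inblock { print }
        /^-----END CERTIFICATE-----$/   { inblock = 0 }
    ' > "$2"
}

# Print the number of certificate blocks in a PEM file (1 for rui.crt,
# one per intermediate plus the root for a chain).  Always exits 0.
pem_count() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }' "$1"
}

# The check the article asks for before installing: the file must begin with
# the BEGIN CERTIFICATE marker (no leading text, no CR).  Exit 0 if it does.
pem_starts_ok() {
    [ "$(head -n 1 "$1" | tr -d '\r')" = "-----BEGIN CERTIFICATE-----" ]
}

# Build chain.pem = cleaned leaf certificate followed by the cleaned CA chain
# (step 10).  Refuses to write output when the leaf does not hold exactly one
# certificate or the chain holds none, and prints the block count on success.
# Usage: build_chain rui.crt cachain.pem chain.pem
build_chain() {
    leaf="$1"; ca="$2"; out="$3"
    tmpdir=$(mktemp -d) || return 1
    pem_clean "$leaf" "$tmpdir/leaf.pem"
    pem_clean "$ca"   "$tmpdir/ca.pem"
    leaf_n=$(pem_count "$tmpdir/leaf.pem")
    ca_n=$(pem_count "$tmpdir/ca.pem")
    if [ "$leaf_n" -ne 1 ] || [ "$ca_n" -lt 1 ]; then
        echo "build_chain: leaf has $leaf_n certificate(s), chain has $ca_n; not writing $out" >&2
        rm -rf "$tmpdir"
        return 1
    fi
    cat "$tmpdir/leaf.pem" "$tmpdir/ca.pem" > "$out"
    rm -rf "$tmpdir"
    pem_count "$out"
}

# Usage on the appliance, for one service directory (paths as in the article):
#   cd ssl/vpxd && build_chain rui.crt cachain.pem chain.pem && pem_starts_ok chain.pem
```

Run build_chain once per service directory (ssl/vpxd, ssl/inventoryservice, ssl/logbrowser) in place of the manual vi editing in step 9 and the cat in step 10; a non-zero exit means the inputs need attention before step 11, and the printed count should equal 1 plus the number of CA certificates you expect in the chain (2 for a single-tier CA, more when intermediates are present).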

    Additional Information

    To roll back or generate the default certificates:

    1. Go to http://vcenter_ip_address or http://fqdn:5480.
    2. Click the Admin tab.
    3. Click Toggle certificate setting under Actions.
    4. Restart the vCenter Server Appliance. During the restart, the certificates are regenerated.
    5. Click the Admin tab and disable the Toggle certificate setting.

    See Also