VMware has released a tool that makes it easier to install the certificates for the vCenter components. Before this tool it was a lot of work to install and configure certificates for vCenter SSO, Inventory Service, Update Manager, Log Browser and many more.
This blog will guide you through the process of setting up the requirements to install the certificates with the new tool.
This blog only describes the steps for using the automation tool; the knowledge needed to create the files comes from the blog mentioned above. So the credits for the process up to the tool go to Derek Seaman.
Set up the files
The first step is to set up all the files you will need to request the certificate.
I created a Cert folder in C:\OpenSSL and created a folder for each service that needs a certificate.
Next I created a .CFG file in each folder with the following contents. The highlighted text is what you need to customize according to your needs.
Now we can start using the Automation tool, finally.
First you have to edit SSL-Environment.bat to set the parameters. Edit the highlighted parameters.
rem # Parameters for updating the vCenter Orchestrator SSL Certificate
rem # vco_cert_chain
rem # REQUIRED. Specifies a file containing the new SSL certificate chain for
rem # vCenter Orchestrator Server and Configuration Service. See the
rem # comment at the beginning of this file for details about the chain
rem # file format.
rem # Example:
rem # vco_cert_chain=C:\OpenSSL\certs\orchestrator\chain.pem
rem # vco_private_key
rem # REQUIRED. Specifies a file containing the new SSL private key for
rem # vCenter Orchestrator Server and Configuration Service.
rem # See the comment at the beginning of this file
rem # for details about the private key file format.
rem # Example:
rem # vco_private_key=C:\OpenSSL\certs\orchestrator\rui.key
Some other parameters have to be set as well, for example the SSO node type:
rem # * HA_Failover : indicates a secondary (failover) node of a HA cluster. Only
rem # select this option if you have configured a load-balancer with SSL
rem # termination. If you have installed in HA mode but still haven’t configured
rem # a load balancer, or if you are using load-balancer without SSL termination,
rem # then answer Single.
rem # The following parameters are optional and only have effect if sso_node_type is HA_<any>.
rem # sso_admin_is_behind_lb
rem # OPTIONAL. Specifies whether the Single Sign-On Administration Service is also
rem # served from the load-balancers. Answer yes or no. If no answer is provided,
rem # the default value is “no”.
rem # N.B. that the Single Sign-On Security Token Service and Single Sign-On Group
rem # Check Service are always presumed to be served by the load-balancer in HA mode.
rem # sso_lb_certificate
rem # OPTIONAL. Specifies a file containing the authority (self-signed) certificate
rem # of the load-balancer. This parameter lets you fix the Lookup Service
rem # records in cases where the load-balancer SSL configuration had been updated.
rem # If no value is provided, the Lookup Service records for the load-balanced
rem # Single Sign-On services are left untouched.
rem # sso_lb_hostname
rem # OPTIONAL. Specifies the load-balancer address (IP or fully-qualified host name).
rem # This parameter lets you fix the Lookup Service records in cases where
rem # the load-balancer address had changed. If no value is provided, the Lookup
rem # Service records for the load-balanced Single Sign-On services are left untouched.
The last parameters are the user accounts. Fill in the SSO admin user account and the account used to access vCenter.
rem vc_username in the common section should be filled in
rem Common parameters
rem # vc_username
rem # REQUIRED (when specified by a section). Specifies the account
rem # name to use to log in to vCenter Server.
rem # Example:
rem # vc_username=administrator
set vc_username=<Domain\Domain admin>
When all of the parameters are set you can run ssl-environment.bat to apply them.
There is no output from this file; it finishes immediately.
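Before running the updater it pays to confirm that SSL-Environment.bat really points at complete files, because the tool prompts for passwords and restarts services before it gets to a missing key. The following Python script is an added example, not part of the original post or of VMware's tool: it parses the "set name=value" lines of the environment file, flags parameters still holding the shipped <...> placeholders, and checks that each chain file holds at least a leaf and a CA certificate and each key file exactly one PEM private key. The required-parameter list per section and the sample files it writes to a temp folder are constructed assumptions for the demo.

```python
import os
import re
import tempfile

# Required parameters per tool section, taken from the comment blocks quoted above;
# the real SSL-Environment.bat has more sections, so this list is an assumption for the demo.
REQUIRED = {"vco": ("vco_cert_chain", "vco_private_key"), "common": ("vc_username",)}
SET_RE = re.compile(r"^\s*set\s+(\w+)=(.*?)\s*$", re.IGNORECASE)

def parse_env(text):
    """Collect 'set name=value' lines; 'rem' comment lines are ignored."""
    return {m.group(1).lower(): m.group(2) for m in map(SET_RE.match, text.splitlines()) if m}

def pem_count(path, label):
    """Number of '-----BEGIN ... label-----' blocks in a PEM file (0 if unreadable)."""
    try:
        with open(path) as f:
            return len(re.findall(r"-----BEGIN [A-Z ]*%s-----" % label, f.read()))
    except OSError:
        return 0

def preflight(params, sections):
    """Return the problems that would make ssl-updater.bat fail or prompt unexpectedly."""
    problems = []
    for section in sections:
        for name in REQUIRED[section]:
            value = params.get(name, "")
            if not value:
                problems.append("%s is not set" % name)
            elif value.startswith("<") and value.endswith(">"):
                problems.append("%s still has placeholder %s" % (name, value))
            elif name.endswith("_cert_chain") and pem_count(value, "CERTIFICATE") < 2:
                problems.append("%s: expected leaf plus CA certificate(s) in %s" % (name, value))
            elif name.endswith("_private_key") and pem_count(value, "PRIVATE KEY") != 1:
                problems.append("%s: no single PEM private key in %s" % (name, value))
    return problems

def demo():
    """Constructed run: a valid vCO chain and key, but vc_username left at its placeholder."""
    d = tempfile.mkdtemp()
    chain, key = os.path.join(d, "chain.pem"), os.path.join(d, "rui.key")
    with open(chain, "w") as f:  # fake PEM bodies: leaf followed by the issuing CA
        f.write("-----BEGIN CERTIFICATE-----\nAAA=\n-----END CERTIFICATE-----\n" * 2)
    with open(key, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nBBB=\n-----END RSA PRIVATE KEY-----\n")
    env = "rem # vco_cert_chain\nset vco_cert_chain=%s\nset vco_private_key=%s\n" % (chain, key)
    env += "rem Common parameters\nset vc_username=<Domain\\Domain admin>\n"
    return preflight(parse_env(env), ["vco", "common"])

if __name__ == "__main__":
    print("\n".join(demo()) or "preflight OK")
```

Point parse_env at the real SSL-Environment.bat and list the sections you intend to update; an empty result means the updater will find every file it asks for.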
Next you need to run ssl-updater.bat.
When you have all files in place (make sure you do) and you have your SSO admin password at hand together with a domain admin account, you can start updating. If one of these is not at hand, go and find it, because you will need both repeatedly.
I first chose "2" to update SSO. After choosing "2" I got the next menu, offering me two options. As you go through the whole process, the secondary screens range from 2 to 8 options you need to execute. Follow them one by one.
So here I chose "1" to update the SSO certificate.
It will ask you for the locations of the chain and the key; these are set already, so no worry here, just hit Enter. It will also ask you for the SSO admin password, so keep it close.
After a while a lengthy output is shown; the last lines say it was successful. So we go on to the next one.
After the action is completed you return to the main menu and choose the next option.
Inventory and so on…
The next one was the Inventory Service; as you can see there are more tasks to complete.
First a trust needs to be updated and some services are restarted.
After all tasks are done continue to the next, until all tasks are completed.
At the end of this lengthy job your certificates are updated… it is a hell of a job, so take your time and follow the steps. I hope this blog helps you understand the new SSL Automation Tool from VMware.
All screenshots in this blog, however, are original, as are the steps taken; I used their blogs as a reference, partly because the VMware knowledge base was down the whole morning when I had to do this task.