WilliamLam.com

Separating Out the vCenter SSO, vSphere Web Client and vCenter Server Services Using the VCSA

12.17.2012 by William Lam // 12 Comments

The VCSA 5.1 (vCenter Server Appliance) is provided as single virtual appliance that is pre-installed with all the components needed to run a vCenter Server. These components include vCenter SSO (Single Sign-on), Lookup Service, Inventory Service, vSphere Web Client and the vCenter Server itself. In the Windows installer for vCenter Server 5.1, there is an option to install each individual component on a separate machine. How would you go about doing that for the VCSA as all the components are installed on a single machine?

The answer is actually quite simple: you just need to deploy additional VCSA systems and enable the specific component service on each of the VCSAs. I have already written articles covering some of these use cases, such as deploying additional vCenter Servers leveraging a common vCenter SSO Server as well as deploying additional vSphere Web Client Servers. The one particular use case that I have not covered is running just the vCenter SSO Server on the VCSA, and with this configuration there is a minor tweak that is required to get things working correctly.

Disclaimer: This may not be officially supported by VMware, please use at your own risk.

If you have attempted to configure the VCSA to run just the vCenter SSO service, then you may have seen the following error message "Could not connect to one or more vCenter Server systems" when logging into the vSphere Web Client.

The reason you are seeing this error is an invalid configuration in the vCenter SSO Server, specifically in something called the Lookup Service. The Lookup Service is installed with the vCenter SSO service and can be thought of as a DNS lookup for vSphere components, so they can securely find and communicate with each other. Each VCSA component is registered with the Lookup Service as part of its initial installation, so when you only enable the vCenter SSO service, the registrations for the remaining services become invalid, as those services are not running on the same VCSA system.

Un-Registering Services from Lookup Service:

To fix this problem, we just need to identify the services that should not be registered with the Lookup Service in the vCenter SSO Server and unregister them. To view the list of services registered with a particular Lookup Service endpoint, you can use the /usr/lib/vmware-sso/bin/vi_regtool utility found on the VCSA with the listServices option. To use the utility, you will need to specify the IP Address or Hostname of the vCenter SSO Server which runs the Lookup Service. Here is an example:

/usr/lib/vmware-sso/bin/vi_regtool listServices https://172.30.0.186:7444/lookupservice/sdk

If the command is successful, you should see a list of service endpoints such as the following:

Service 1
-----------
serviceId=local:7
serviceName=vsphere-client-localhost.localdom-eed72307-2dd2-4069-9650-e78a60b549c7
type=urn:com.vmware.vsphere.client
endpoints={[url=https://172.30.0.185:9443/vsphere-client,protocol=vmomi]}
version=5.1
description=vSphere Web Client at 172.30.0.185
ownerId=vsphere-client-localhost.localdom-eed72307-2dd2-4069-9650-e78a60b549c7@System-Domain
productId=
viSite=local

A default VCSA installation contains the following 6 services:

  • vSphere Web Client
  • Security Token Service
  • VMware Log Browser
  • SSO Group Check Service
  • vpxd (vCenter Server)
  • SSO Administration Service

We will need to identify the serviceId, which starts with local:#, and unregister the vSphere Web Client, VMware Log Browser and vpxd services, which are not running locally on our vCenter SSO Server. To unregister a service, you will need to create a temporary file which contains the serviceId and use the unregisterService option with the vi_regtool.

Note: Please make sure you identify the correct serviceId before unregistering, else you may potentially run into issues with your VCSA.

Let's say we want to unregister the service that we showed earlier, local:7; we would need to run the following two commands:

echo "local:7" > /tmp/serviceid
/usr/lib/vmware-sso/bin/vi_regtool unregisterService -d https://172.30.0.185:7444/lookupservice/sdk -u root -p vmware -si /tmp/serviceid

The first command will "echo" the serviceId into a temporary file called /tmp/serviceid and the second command will perform the actual un-registration, for which you will need to specify the root credentials. You will need to repeat this for the other two services. Once you have finished un-registering the three services, you can log back into the vSphere Web Client and the error message should go away (a service restart is not necessary).
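The steps above depend on picking the right serviceId out of the listServices output before handing it to unregisterService. The following is an added example, not code from the original post: a small POSIX shell parser for the record format vi_regtool prints, which looks a serviceId up by an exact type match rather than by grepping the lines above it, plus a wrapper around the two manual commands that refuses malformed ids and defaults to a dry run. The local:7 record is the one shown earlier in the post; the other two records (their ids, names and endpoints) are constructed for this example, the type strings urn:vc and urn:logbrowser:logbrowser are taken from the post's automation script, and VCSA_ROOT_PASSWORD is an assumed environment variable rather than anything the appliance provides.

```shell
#!/bin/sh
# Added example (not from the original post): parse "vi_regtool listServices"
# output and map a service type to its serviceId by exact match.

# Constructed stand-in for the output of
#   /usr/lib/vmware-sso/bin/vi_regtool listServices https://<sso-ip>:7444/lookupservice/sdk
# Record 1 is the post's own sample; records 2 and 3 are constructed.
SAMPLE_LISTING=$(cat <<'EOF'
Service 1
-----------
serviceId=local:7
serviceName=vsphere-client-localhost.localdom-eed72307-2dd2-4069-9650-e78a60b549c7
type=urn:com.vmware.vsphere.client
endpoints={[url=https://172.30.0.185:9443/vsphere-client,protocol=vmomi]}
version=5.1
description=vSphere Web Client at 172.30.0.185
ownerId=vsphere-client-localhost.localdom-eed72307-2dd2-4069-9650-e78a60b549c7@System-Domain
productId=
viSite=local

Service 2
-----------
serviceId=local:5
serviceName=vpxd-constructed-example
type=urn:vc
endpoints={[url=https://172.30.0.185:443/sdk,protocol=vmomi]}
version=5.1
description=constructed vCenter Server record
productId=
viSite=local

Service 3
-----------
serviceId=local:9
serviceName=logbrowser-constructed-example
type=urn:logbrowser:logbrowser
endpoints={[url=https://172.30.0.185:9443/logbrowser,protocol=vmomi]}
version=5.1
description=constructed Log Browser record
productId=
viSite=local
EOF
)

# service_ids_for_type TYPE
# Reads a listing on stdin and prints the serviceId of every record whose type
# line is exactly "type=TYPE". The serviceId line precedes the type line in each
# record (as in the post's sample), so the last id seen belongs to the match.
service_ids_for_type() {
    awk -v want="type=$1" '
        /^serviceId=/ { id = substr($0, 11) }   # value after the 10-char "serviceId=" prefix
        $0 == want    { print id }
    '
}

# stale_service_ids
# Reads a listing on stdin and prints, one per line, the ids of the three
# services a standalone SSO appliance does not run locally: vpxd, the vSphere
# Web Client and the Log Browser (the same three the post unregisters).
stale_service_ids() {
    listing=$(cat)
    for t in urn:vc urn:com.vmware.vsphere.client urn:logbrowser:logbrowser; do
        printf '%s\n' "$listing" | service_ids_for_type "$t"
    done
}

# unregister_service LOOKUP_URL SERVICE_ID
# The post's two manual commands (write the id to a temp file, call vi_regtool).
# Only ids of the form local:<n> are accepted. With DRY_RUN unset or 1 the
# command is printed instead of run; VCSA_ROOT_PASSWORD is an assumed variable.
unregister_service() {
    url=$1
    id=$2
    case "$id" in
        local:[0-9]*) ;;
        *) echo "refusing to unregister malformed serviceId '$id'" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: vi_regtool unregisterService -d $url -u root -si /tmp/serviceid (serviceId $id)"
        return 0
    fi
    printf '%s\n' "$id" > /tmp/serviceid
    /usr/lib/vmware-sso/bin/vi_regtool unregisterService -d "$url" -u root \
        -p "$VCSA_ROOT_PASSWORD" -si /tmp/serviceid
}

# Stand-alone run: dry run over the constructed listing (nothing is changed).
printf '%s\n' "$SAMPLE_LISTING" | stale_service_ids | while read -r id; do
    unregister_service "https://172.30.0.185:7444/lookupservice/sdk" "$id"
done
```

On a real appliance you would replace the constructed listing with `vi_regtool listServices ... | stale_service_ids`, check the printed ids against the listing by hand, and only then run with DRY_RUN=0. The exact type comparison matters because a substring match on a type such as urn:vc would also accept any longer type that happens to start with the same characters.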

Now that you have some background on how to run a standalone vCenter SSO on the VCSA and the minor tweak that is required, how do we go about automating all of this during deployment? Those of you who know me know that I would not leave my readers hanging without some scripts to assist with this manual work.

Automating Deployment of vCenter SSO, vSphere Web Client & vCenter Server Component:

The following section will describe how to completely automate the deployment of 3 separate VCSAs running vCenter SSO + Lookup Service, vSphere Web Client and vCenter Server + Inventory Service, as seen in the diagram above.

Step 1 - Deploy 3 VCSA 5.1 and configure basic network connectivity. In my example, I have the following setup:

Component            Hostname                        IP Address
vCenter SSO + LS     sso.primp-industries.com        172.30.0.185
vSphere Web Client   webclient.primp-industries.com  172.30.0.186
vCenter Server + IS  vcenter.primp-industries.com    172.30.0.187

Step 2 - Configure the vCenter SSO by creating the following shell script called configureVCSASSOStandalone.sh

#!/bin/bash

# User configurations

SSO_IP_ADDRESS=172.30.0.186

## DO NOT EDIT BEYOND HERE ##

LOOKUPSERVICE_URL="https://${SSO_IP_ADDRESS}:7444/lookupservice/sdk"

echo "Configuring SSO..."
/usr/sbin/vpxd_servicecfg sso write embedded

echo "Starting SSO ..."
/etc/init.d/vmware-sso start

echo "Retrieving services registered with Lookupservice and storing in /tmp/ls-services ..."
/usr/lib/vmware-sso/bin/vi_regtool listServices "${LOOKUPSERVICE_URL}" > /tmp/ls-services

# In the listServices output a record's serviceId line sits two lines above its
# type line, so take the three lines preceding the matching type and keep only
# the value after "serviceId=".
getServiceId() {
    grep -B3 "type=$1" /tmp/ls-services | awk -F 'serviceId=' '{print $2}' | sed '/^$/d'
}

VC_SERVICE_ID=$(getServiceId "urn:vc")
WEBCLIENT_SERVICE_ID=$(getServiceId "urn:com.vmware.vsphere.client")
LOGBROWSER_SERVICE_ID=$(getServiceId "urn:logbrowser:logbrowser")

echo "Extracting vCenter Server serviceId: ${VC_SERVICE_ID} ..."
echo "Extracting vSphere Web Client serviceId: ${WEBCLIENT_SERVICE_ID} ..."
echo "Extracting vSphere Log Browser serviceId: ${LOGBROWSER_SERVICE_ID} ..."

# Unregister one service by serviceId; skip (rather than hand vi_regtool an
# empty file) if no serviceId was found in the listing.
unregisterService() {
    local name=$1 serviceId=$2
    if [ -z "${serviceId}" ]; then
        echo "No serviceId found for \"${name}\", skipping ..."
        return
    fi
    echo "Unregistering the local \"${name}\" service from the Lookupservice ..."
    echo "${serviceId}" > /tmp/serviceId
    /usr/lib/vmware-sso/bin/vi_regtool unregisterService -d "${LOOKUPSERVICE_URL}" -u root -p vmware -si /tmp/serviceId
}

unregisterService "vCenter Server" "${VC_SERVICE_ID}"
unregisterService "vSphere Web Client" "${WEBCLIENT_SERVICE_ID}"
unregisterService "vSphere Log Browser" "${LOGBROWSER_SERVICE_ID}"

The only user configuration that is required is to update the SSO_IP_ADDRESS variable in the script to the IP Address of the vCenter SSO Server. You can execute the script via SSH without having to copy it to the VCSA system; here is an example execution:

As we can see from the screenshot above, the script automatically looks for the 3 services mentioned earlier and unregisters them from the vCenter SSO Server running the Lookup Service. You can easily confirm this by re-running the listServices operation with the vi_regtool.

Step 3 - Configure the vSphere Web Client Server and you can use the configureVCSAvSphereWebClientStandalone.sh script noted in this article. The only user configuration that is required is to update the VCENTER_SSO_IPADDRESS variable in the script to point to the IP Address of your vCenter SSO Server. Here is an example execution:

Step 4 - Finally, the last step is to configure the vCenter Server and you can use the configureVCSAExtra.sh script noted in this article. The only user configuration that is required is to update the PRIMARY_VC variable in the script to point to the IP Address of your vCenter SSO Server. Here is an example execution:

Once the vCenter Server has successfully started, you are done with separating out the three components of the vCenter Server using the VCSA. You can additionally confirm this by logging back into the vCenter SSO Server and running listServices; you should now see the IP Address or Hostname of your vSphere Web Client Server and vCenter Server registered with the Lookup Service from the separate VCSAs. You can now log in to the vSphere Web Client server, making sure you specify the full URL, which should be https://[hostname-or-ipaddress]:9443/vsphere-client, and you should be able to see your vCenter Server.

Note: Steps 3 and 4 can be interchanged, as the order does not matter as long as the vCenter SSO system is set up first.

Categories // Uncategorized Tags // inventory service, sso, VCSA, vcva, vsphere web client

VCSA (vCenter Server Appliance) 5.1 VCDB & SSODB Password

11.19.2012 by William Lam // 2 Comments

I recently helped answer a question internally about the default credentials for the VCSA 5.1 (vCenter Server Appliance) vCenter Server and SSO (Single Sign-On) databases for troubleshooting purposes. I thought I would share the details in case this might help others.

With the release of vSphere 5.1, the VCSA now runs VMware's vPostgres database for both the VCDB and SSODB. You should also know there are no default credentials for the database, as the passwords are automatically generated during the initial application install and the database password will be unique on every VCSA.

However, you can still retrieve the password for both the VCDB as well as SSODB (this took a bit of digging in the appliance).

Disclaimer: You should not have any reason to go into the actual DB of either vCenter Server or SSO other than potential troubleshooting with VMware Support. Please use caution if you do choose to connect to the DB, as you can potentially impact your system.

VCDB Credentials:
You can view the credentials for the VCDB in the following file: /etc/vmware-vpx/vcdb.properties

Here is a screenshot of the file content, as well as of using the psql client located on the VCSA (/opt/vmware/vpostgres/1.0/bin/psql) to connect to the VCDB:

SSODB Credentials:
You can view the credentials for the SSODB in the following file: /usr/lib/vmware-sso/webapps/lookupservice/WEB-INF/classes/config.properties

Here is a screenshot of the file content, as well as of using the psql client located on the VCSA to connect to the SSODB:
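Both files above hold a database password in plaintext, so who can read them is what decides who can recover the VCDB and SSODB credentials. The following is an added example, not code from the original post: a POSIX shell audit of the group/other permission bits on those two files, using only ls -l so it runs on the SLES-based VCSA and on any other host. The two paths are the ones the post gives; the function names and the "owner-only" policy (mode 600 or tighter) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the VCSA credential
# files are readable by anyone other than their owner.

VCDB_PROPS=/etc/vmware-vpx/vcdb.properties
SSODB_PROPS=/usr/lib/vmware-sso/webapps/lookupservice/WEB-INF/classes/config.properties

# group_other_bits FILE
# Prints the six group/other permission characters of FILE from "ls -ld"
# ("------" when only the owner has any access). Returns 1 if FILE is absent.
group_other_bits() {
    [ -e "$1" ] || return 1
    ls -ld "$1" | cut -c5-10
}

# secret_file_is_private FILE
# Returns 0 when FILE exists and grants no permission bits to group or others,
# 1 when it grants any, and 2 when FILE is missing.
secret_file_is_private() {
    bits=$(group_other_bits "$1") || return 2
    [ "$bits" = "------" ]
}

# audit_secret_files FILE...
# Prints one verdict line per file and returns the number of exposed files,
# so a non-zero status means at least one credential file needs tightening.
audit_secret_files() {
    exposed=0
    for f in "$@"; do
        secret_file_is_private "$f" && rc=0 || rc=$?
        case $rc in
            0) echo "ok       $f (owner-only)" ;;
            2) echo "missing  $f" ;;
            *) echo "EXPOSED  $f (group/other bits: $(group_other_bits "$f"))"
               exposed=$((exposed + 1)) ;;
        esac
    done
    return $exposed
}

# Stand-alone run against the two files the post names.
audit_secret_files "$VCDB_PROPS" "$SSODB_PROPS"
```

Run it as root on the appliance after a deployment or an upgrade; an EXPOSED line for either file means any local account on the VCSA could read the database password without needing the file's owner credentials, and a `chmod 600` restores the owner-only state the check expects.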

Categories // Uncategorized Tags // postgres, psql, sso, ssodb, vcdb, VCSA, vcva, vpostgres, vSphere 5.1

How to Add/Remove vCenter SSO Identity Sources Using the Command-Line for Windows vCenter Server & VCSA

10.03.2012 by William Lam // 16 Comments

The new vCenter SSO (Single Sign-On) in vSphere 5.1 can support multiple Identity Sources (Active Directory, OpenLDAP and Local OS), and these configurations can all be managed using the vSphere Web Client. Here is some additional documentation as well as a video on how to manage Identity Sources using the vSphere Web Client.


However, if you wish to manage the Identity Sources through the command-line for automated deployments, you probably do not want to use the GUI. Luckily, there is a vCenter SSO CLI that you can use on both a Windows deployment as well as on the VCSA (vCenter Server Appliance).

In the examples below, I will show you how to add an Active Directory Identity Source to both a Windows deployment as well as a VCSA deployment using the command-line.

Adding Active Directory Identity Source to Windows vCenter SSO Server

Before getting started, you will need to know the vCenter SSO Administrator password. This is the password that you configured during the installation of vCenter SSO for the admin@System-Domain account.

Step 1: Change into the C:\Program Files\VMware\Infrastructure\SSOServer\utils directory, where you will be using the rsautil command-line tool. To get a list of help options for managing Identity Sources, run the following command:

rsautil manage-identity-sources

Step 2: Run the following command (substitute the values for your own environment):

rsautil manage-identity-sources -a create -u admin -p !VMware123! -r ldap://fullerene.primp-industries.com --ldap-port 3268 -d primp-industries.com -l PRIMP-IND --principal-base-dn DC=primp-industries,DC=com --group-base-dn DC=primp-industries,DC=com -f "" -L *protected email*

Note: When you log in to the vSphere Web Client, the username for the vCenter SSO account is "admin@system-domain", but for the CLI it is just "admin". If you do not have a failover LDAP Server, specify "" for the -f flag.

Here is a screenshot of adding the Active Directory Identity Source:

Step 3: You can also confirm the configurations by performing the "list" operation by running the following command:

rsautil manage-identity-sources -a list -u admin -p !VMware123!

Adding Active Directory Identity Source to VCSA

For the VCSA, there are a few additional steps, as the vCenter SSO Administrator account "admin" does not have a default password, as noted in this article. You can either follow the instructions in that article to set a password for the "admin" user and then jump to Step 3, OR you can perform all required steps using the command-line.

Step 1: We first need to set the vCenter SSO Master Password, as it is required to change the "admin" user account. Since the vCenter SSO Master Password is auto-generated during installation, we will recover the account, which will then allow us to set a password of our own choosing. Run the following two commands; in the second command you will specify the vCenter SSO Master Password of your choice.

source /etc/vmware-sso/keys/recovery.cfg
/usr/lib/vmware-sso/utils/ssowrench manage-secrets -a change -u "$SSO_RECOVERY_USERNAME" -p "$SSO_RECOVERY_PASSWORD" -N vmware123

Note: Do not forget the vCenter SSO Master Password that you have selected, as there is no way to recover the account after this.

Step 2: Now that we have the vCenter SSO Master Password, we can now set a password for the "admin" user. Run the following command and specify the Master Password (-m flag) as well as a new password (-p flag) for the admin (-u flag) user.

/usr/lib/vmware-sso/utils/ssowrench reset-admin-password -u admin -p '!VMware123!' -m vmware123

Step 3: Once we have a password set for the "admin" user, we will be using the same vCenter SSO CLI utility as we did in the Windows vCenter Server deployment, but in the VCSA it is called ssowrench and it is located under /usr/lib/vmware-sso/utils.

Run the following command, which accepts the same set of options as the Windows version (substitute the values for your own environment).

/usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a create -u admin -p '!VMware123!' -r "ldap://fullerene.primp-industries.com" --ldap-port 3268 -d primp-industries.com -l PRIMP-IND --principal-base-dn "DC=primp-industries,DC=com" --group-base-dn "DC=primp-industries,DC=com" -f "" -L *protected email*

Here is a screenshot of adding the Active Directory Identity Source:

Step 4: To view all Identity Sources, you can run the following command (as seen in the screenshot above):

/usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a list -u admin -p '!VMware123!'

Note: If you do not wish to specify any of the credentials on the command-line, the utility in both Windows and VCSA will automatically prompt for input.

Categories // Uncategorized Tags // active directory, identity source, master password, rsautil, sso, ssowrench, vSphere 5.1, vsphere web client

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Copyright WilliamLam.com © 2025