
How to install vSphere Single Sign On 5.5 behind a Load Balancer

Having had major problems setting up vSphere Single Sign-On 5.5 behind a load balancer, I wrote this guide to make it easier for others to get this working.
I have created this guide based on information from "VMware® vCenter Server™ 5.5 Deploying a centralized vCenter Single Sign-On server with a Network Load Balancer (NLB) Technical Reference", different forums, and my own experience.

You can download the guide in Word format here (the Word version is better when copy/pasting the command lines).

In this guide I will use the following hostnames and IPs:

Description     Hostname   FQDN                  IP
Load balancer   SSO        SSO.yourdomain.se     192.168.0.100
SSO Server 1    SSO1       SSO1.yourdomain.se    192.168.0.101
SSO Server 2    SSO2       SSO2.yourdomain.se    192.168.0.102
SSO Server 3    SSO3       SSO3.yourdomain.se    192.168.0.103
SSO Server 4    SSO4       SSO4.yourdomain.se    192.168.0.104

Before you start

Make sure to download the following products:
vCenter Server 5.5.0b Build 1476387
Microsoft Visual C++ 2008 Redist x86
Win32 OpenSSL v0.9.8y
Config File Templates

Set up your load balancer with the VIP address SSO.yourdomain.se and the IP 192.168.0.100.
Make sure to configure it with the load balancing method Least Connections.

Log in to the SSO1 server

Do a default installation of Microsoft Visual C++ 2008 Redist x86.
Do a default installation of Win32 OpenSSL; make sure to install it in C:\OpenSSL.
Create the folder C:\certs\sso.
Create the file C:\certs\sso\sso.cfg based on the following template (or download it: Config File Templates):

—————————————————————————————————
[req]
default_bits=2048
default_keyfile=rui.key
distinguished_name=req_distinguished_name
encrypt_key=no
prompt=no
string_mask=nombstr
req_extensions=v3_req

[v3_req]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:SSO1,DNS:SSO1.yourdomain.se,DNS:SSO2,DNS:SSO2.yourdomain.se,DNS:SSO3,DNS:SSO3.yourdomain.se,DNS:SSO4,DNS:SSO4.yourdomain.se,DNS:SSO.yourdomain.se,IP:192.168.0.100

[req_distinguished_name]
countryName=SE
stateOrProvinceName=Vasternorrland
localityName=Sundsvall
0.organizationName=ORG
organizationalUnitName=vCenterSSO
commonName=SSO.yourdomain.se
—————————————————————————————————

Change the environment-specific entries (the hostnames and IP address in subjectAltName, and the fields under [req_distinguished_name]) to match your environment.

Install vCenter Single Sign On, on SSO1

Mount the vSphere installation ISO, and start autorun.exe.
Choose Custom Install->vCenter Single Sign on->Install

  1. Check I Accept the terms in the License Agreement
  2. Check Add yourdomain.se as a native Active Directory identity source.
  3. Choose vCenter Single Sign-On for your First vCenter Server
  4. Enter a password (WARNING! Do not use % or " in your password; in this guide we will use the password VMware1!)
  5. Enter a site name (for example VMware-Prod)
  6. Use the default port 7444
  7. Use the default destination folder
  8. Choose install

Install vCenter SSO on SSO2, SSO3 and SSO4

Mount the vSphere installation ISO, and start autorun.exe.
Choose Custom Install->vCenter Single Sign on->Install

  1. Check I Accept the terms in the License Agreement
  2. Check Add yourdomain.se as a native Active Directory identity source.
  3. Choose the second option vCenter Single Sign-On for an additional vCenter Server in an existing site
  4. Provide the partner host name (the primary server), SSO1.yourdomain.se, and the password that you created when installing SSO1 (VMware1!).
  5. Accept the Partner certificate
  6. Choose the correct Site Name(VMware-Prod)
  7. Leave the default port
  8. Use the default destination folder
  9. Choose install
  10. Repeat these steps for SSO3 and SSO4

Creating the Certificates

  1. Open a Command Prompt and type:
    cd c:\openssl\bin
  2. Run the following command to create the certificate request:
    openssl req -new -nodes -out c:\certs\sso\rui.csr -keyout c:\certs\sso\rui-orig.key -config c:\certs\sso\sso.cfg
  3. Run the following command to convert the key in to a correct format:
    openssl rsa -in c:\certs\sso\rui-orig.key -out c:\certs\sso\rui.key
  4. Open up your Microsoft Certificate Authority webpage, choose:
           Request a certificate

    • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
    • Open up the rui.csr in notepad and paste the content in the Saved Request window.
    • Under Certificate Template, choose Web Server, make sure this template contains Digital Signature, Key Encipherment, Data Encipherment (b0), otherwise this guide will fail later on. KB2062108 describes how to do this.
    • Click Submit to generate the new certificate.
    • Choose Base 64 encoded and click Download certificate. Save the file as C:\certs\sso\rui.crt on the SSO1 server.
    • Choose Base 64 encoded and click Download certificate chain. Save the file as C:\certs\sso\rui.p7b on the SSO1 server.
  5. Go to the SSO1 server and open up the rui.p7b.
  6. Navigate down to the Certificates folder in the left tree view.
  7. Here you should have two or more certificates. The first one is the certificate issued for your certificate request (rui.crt); the remaining one or more are your Root CA certificates, as the following picture shows (click to view full size picture):
     (Picture: the certificate chain inside rui.p7b, with the issued certificate followed by two Root certificates)
    In this picture there are 2 Root certificates, which means we need to export both of them (Root1.cer, Root2.cer) and merge them into a single Root64.cer file.
    If there is only one Root certificate, you can export the certificate file directly to Root64.cer.
  8. Right click the first Root certificate and choose All Tasks->Export…, choose the option Base-64 encoded X.509 (.CER) and click next.
  9. Save the certificate as C:\certs\sso\Root1.cer (if you have 2 or more certs), or C:\certs\sso\Root64.cer (if you only have one).
  10. Right click the second Root certificate and choose All Tasks->Export…, choose the option Base-64 encoded X.509 (.CER) and click next.
  11. Save the certificate as C:\certs\sso\Root2.cer
  12. Now it's time to merge the two Root certificates into one. Open a Command Prompt in C:\certs\sso\ and type (this is only needed if you have 2 or more certificates):
    copy Root1.cer+Root2.cer Root64.cer
  13. Run the following to create the archive file (ssoserver.p12) of the certificates and keys(DO NOT CHANGE THE PASSWORDS):
    openssl pkcs12 -export -in c:\certs\sso\rui.crt -inkey c:\certs\sso\rui.key -certfile c:\certs\sso\Root64.cer -name "ssoserver" -passout pass:changeme -out c:\certs\sso\ssoserver.p12
  14. Change directory to C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\bin
  15. Create the Java Key Store(DO NOT CHANGE THE PASSWORDS):
    keytool -v -importkeystore -srckeystore C:\certs\sso\ssoserver.p12 -srcstoretype pkcs12 -srcstorepass changeme -srcalias ssoserver -destkeystore C:\certs\sso\root-trust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword
  16. Add the Root certificate to the Java Keystore(type yes to confirm that you trust the cert):
    keytool -v -importcert -keystore C:\certs\sso\root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file C:\certs\sso\Root64.cer -alias root-ca
  17. Copy the Java Keystore to the required Java Keystore name:
    copy C:\certs\sso\root-trust.jks C:\certs\sso\server-identity.jks
  18. Now you successfully created all the required certificates.
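Step 4 above warns that the guide fails later if the Web Server template does not put Digital Signature, Key Encipherment and Data Encipherment into the certificate. The following PowerShell script is an added example, not part of the original guide, that checks the issued rui.crt for those key usages, for the serverAuth/clientAuth extended key usages and for every node name plus the VIP name in the Subject Alternative Name before you package it with openssl pkcs12 and keytool. The paths and hostnames are the guide's; change them to match your environment.

```powershell
# Added example, not part of the original guide: check the certificate the CA returned
# before packaging it, so that a Web Server template without the required key usages
# (the failure the guide warns about) is caught here instead of at the keytool step.
# Paths and names follow the guide's table; change them to match your environment.
param(
    [string]$CertPath = 'C:\certs\sso\rui.crt',
    [string[]]$RequiredDnsNames = @(
        'SSO1', 'SSO1.yourdomain.se', 'SSO2', 'SSO2.yourdomain.se',
        'SSO3', 'SSO3.yourdomain.se', 'SSO4', 'SSO4.yourdomain.se',
        'SSO.yourdomain.se'
    )
)

$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$problems = @()

# Key Usage must include Digital Signature, Key Encipherment and Data Encipherment.
$needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment, DataEncipherment'
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if (-not $ku) {
    $problems += 'no Key Usage extension present'
} elseif (($ku.KeyUsages -band $needed) -ne $needed) {
    $problems += "Key Usage is '$($ku.KeyUsages)', expected at least '$needed'"
}

# Extended Key Usage must include serverAuth and clientAuth, as requested in sso.cfg.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekuOids -notcontains $oid) { $problems += "Extended Key Usage $oid missing" }
}

# Subject Alternative Name must list every node plus the VIP name; a missing entry
# means TLS validation fails for that name once the VIP is in use.
# Format($true) renders one entry per line ("DNS Name=..." on English Windows).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '' }
foreach ($name in $RequiredDnsNames) {
    if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($name) + '\s*(\r|\n|$)')) {
        $problems += "Subject Alternative Name does not list $name"
    }
}

if ($problems.Count -eq 0) {
    "OK: $CertPath (thumbprint $($cert.Thumbprint)) has the key usages and names the guide needs"
    exit 0
}
"FAIL: $CertPath"
$problems | ForEach-Object { " - $_" }
exit 1
```

Run it as `.\Check-SsoCert.ps1` (or with `-CertPath` pointing elsewhere) on SSO1 right after saving rui.crt. A non-zero exit code means the certificate should be re-requested with a corrected template rather than carried into the keytool steps, where the same defect only shows up as an obscure error.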

Configuring the Primary SSO Server, SSO1

  1. Open an elevated command prompt and set the following environment variables:
    —————————————————————————————————
    SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
    —————————————————————————————————
    SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin
    —————————————————————————————————
  2. Change folder to c:\OpenSSL\bin and type the following to get the eight-digit hexadecimal hash of the Root certificate (e.g. 9e161419):
    openssl x509 -noout -subject_hash -in C:\certs\sso\Root64.cer
  3. Create the folder c:\ProgramData\VMware\SSL and run the following command:
    copy C:\certs\sso\Root64.cer C:\ProgramData\VMware\SSL\9e161419.0
    Where 9e161419 is your unique Root64 hash number.
  4. Append the Root64.cer to the ca_certificates.crt file in the same SSL folder with the following command:
    more c:\certs\sso\Root64.cer >> C:\ProgramData\VMware\SSL\ca_certificates.crt
  5. Next up you need to create three text files within the C:\certs directory (or download them: Config File Templates):
    —————————————————————————————————
    C:\certs\admin.properties:
    [service]
    friendlyName=The administrative interface of the SSO server
    version=1.5
    ownerId=
    productId=product:sso
    type=urn:sso:admin
    description=The administrative interface of the SSO server

    [endpoint0]
    uri=https://SSO.yourdomain.se:7444/sso-adminserver/sdk/vsphere.local
    ssl=c:\certs\sso\Root64.cer
    protocol=vmomi
    —————————————————————————————————
    C:\certs\gc.properties:
    [service]
    friendlyName=The group check interface of the SSO server
    version=1.5
    ownerId=
    productId=product:sso
    type=urn:sso:groupcheck
    description=The group check interface of the SSO server

    [endpoint0]
    uri=https://SSO.yourdomain.se:7444/sso-adminserver/sdk/vsphere.local
    ssl=c:\certs\sso\Root64.cer
    protocol=vmomi
    —————————————————————————————————
    C:\certs\sts.properties:
    [service]
    friendlyName=STS for Single Sign On
    version=1.5
    ownerId=
    productId=product:sso
    type=urn:sso:sts
    description=The Security Token Service of the Single Sign On server.

    [endpoint0]
    uri=https://SSO.yourdomain.se:7444/ims/STSService/vsphere.local
    ssl=c:\certs\sso\Root64.cer
    protocol=wsTrust
    —————————————————————————————————
  6. Run the following command to list the vCenter Single Sign-On services:
    ssolscli listServices https://sso1.yourdomain.se:7444/lookupservice/sdk
    (Picture: ssolscli listServices output, with the service name and GUID of each service marked in green)
  7. For each service, copy the service name and the GUID (marked in green in the picture) and echo them from cmd into the right file, according to the following mapping:
    description=The administrative interface of the SSO server = admin_id
    description=The security token service interface of the SSO server = STS_id
    description=The group check interface of the SSO server = gc_id

    So in this case you would type:
    —————————————————————————————————
    echo VMware-Prod:8ad03f8b-160b-4d44-ae2f-9ac8eb9aa8f2 >> C:\certs\sts_id
    —————————————————————————————————
    echo VMware-Prod:b7f43b16-11a3-4656-8d9d-518af768f917 >> C:\certs\gc_id
    —————————————————————————————————
    echo VMware-Prod:e4eb04b4-4313-4366-addb-a058575eb79a >> C:\certs\admin_id
    —————————————————————————————————
  8. Copy the certificates to the VMwareSTS conf folder:
    —————————————————————————————————
    copy c:\certs\sso\ssoserver.p12 c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
    —————————————————————————————————
    copy c:\certs\sso\Root64.cer c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
    —————————————————————————————————
    copy c:\certs\sso\rui.key c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key
    —————————————————————————————————
  9. Edit the hostfile and point the VIP address to the SSO1 server IP address:
    notepad C:\Windows\System32\Drivers\etc\hosts
    Add:
    192.168.0.101               sso.yourdomain.se
  10. Update the SSO service with the new settings (password VMware1! is used in the example).
    If you get an error message on the last command, restart the VMwareSTS service (net stop VMwareSTS, then net start VMwareSTS) and try again.
    —————————————————————————————————
    ssolscli updateService -d https://SSO1.yourdomain.se:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware1! -si C:\certs\gc_id -ip C:\certs\gc.properties
    —————————————————————————————————
    ssolscli updateService -d https://SSO1.yourdomain.se:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware1! -si C:\certs\admin_id -ip C:\certs\admin.properties
    —————————————————————————————————
    ssolscli updateService -d https://SSO1.yourdomain.se:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware1! -si C:\certs\sts_id -ip C:\certs\sts.properties
    —————————————————————————————————
  11. Restart the VMwareSTS service
    net stop VMwareSTS
    net start VMwareSTS
  12. Run the following command to list the SSO Service, and check that the address under endpoints have the VIP address, SSO.yourdomain.se instead of SSO1.yourdomain.se:
    ssolscli listServices https://SSO1.yourdomain.se:7444/lookupservice/sdk
  13. Finally remove the line you added to the hosts file:
    notepad C:\Windows\System32\Drivers\etc\hosts
    Remove:
    192.168.0.101               sso.yourdomain.se
  14. Now you are finished with the Primary SSO server, SSO1.
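Steps 9 to 13 edit the hosts file by hand so that the VIP name resolves to this node while ssolscli updateService runs, and then remove the entry again. The PowerShell script below is an added example, not from the original guide, that does the same thing for one node with the cleanup in a finally block, so the temporary override is removed even when one of the ssolscli calls fails (a leftover entry would silently pin this node to itself instead of the load balancer). It assumes ssolscli is on PATH as set in step 1, that the id and properties files exist under C:\certs as created in steps 5 to 7, and that the certificates have already been copied as in step 8; the same script applies to SSO2, SSO3 and SSO4 when they are configured.

```powershell
# Added example, not part of the original guide: run the lookup-service update for one
# SSO node with the VIP temporarily pointed at that node in the hosts file, and remove
# the override again even if ssolscli fails. Assumes ssolscli is on PATH and that the
# id/properties files exist under C:\certs as described in the guide.
param(
    [Parameter(Mandatory = $true)][string]$NodeFqdn,   # e.g. SSO1.yourdomain.se
    [Parameter(Mandatory = $true)][string]$NodeIp,     # e.g. 192.168.0.101
    [string]$Vip = 'sso.yourdomain.se',
    [string]$CertDir = 'C:\certs'
)

$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$lookup    = "https://${NodeFqdn}:7444/lookupservice/sdk"

# Prompt for the SSO administrator password instead of keeping it in the script.
$cred     = Get-Credential 'administrator@vsphere.local'
$password = $cred.GetNetworkCredential().Password

# Service id file and properties file pairs, exactly as the guide names them.
$services = @(
    @{ Id = 'gc_id';    Props = 'gc.properties' },
    @{ Id = 'admin_id'; Props = 'admin.properties' },
    @{ Id = 'sts_id';   Props = 'sts.properties' }
)

$marker = '# temporary SSO VIP override (remove me)'
try {
    # Point the VIP name at this node only for the duration of the update.
    Add-Content -Path $hostsFile -Value "$NodeIp`t$Vip`t$marker"
    ipconfig /flushdns | Out-Null

    foreach ($svc in $services) {
        $idFile    = Join-Path $CertDir $svc.Id
        $propsFile = Join-Path $CertDir $svc.Props
        & ssolscli updateService -d $lookup -u $cred.UserName -p $password -si $idFile -ip $propsFile
        if ($LASTEXITCODE -ne 0) {
            throw "ssolscli updateService failed for $($svc.Id) (exit code $LASTEXITCODE)"
        }
    }

    # Same as "net stop VMwareSTS" followed by "net start VMwareSTS" in the guide.
    Restart-Service -Name VMwareSTS -Force

    # Show the registered endpoints so you can confirm they now carry the VIP name.
    & ssolscli listServices $lookup
}
finally {
    # Always strip the override, whether or not the update succeeded.
    $kept = Get-Content $hostsFile | Where-Object { $_ -notlike "*$marker" }
    Set-Content -Path $hostsFile -Value $kept
    ipconfig /flushdns | Out-Null
}
```

Run it from an elevated PowerShell prompt on the node itself, for example `.\Update-SsoNode.ps1 -NodeFqdn SSO1.yourdomain.se -NodeIp 192.168.0.101`. The marker comment on the hosts entry is what the finally block matches on, so an existing permanent entry for the VIP is left alone.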

Configuring the other SSO nodes, SSO2, SSO3 and SSO4

  1. From SSO2, in Windows Explorer, connect to \\SSO1.yourdomain.se\c$, and copy the folder \\SSO1.yourdomain.se\c$\certs to c:\certs on SSO2. Also copy the folder \\SSO1.yourdomain.se\c$\Programdata\VMware\SSL to C:\ProgramData\VMware\SSL on SSO2.
  2. Open an elevated command prompt and set the following environment variables:
    —————————————————————————————————
    SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
    —————————————————————————————————
    SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin
    —————————————————————————————————
  3. Edit the hostfile and point the VIP address to the SSO2 servers IP address:
    notepad C:\Windows\System32\Drivers\etc\hosts
    Add:
    192.168.0.102               sso.yourdomain.se
  4. Copy the certificates to the VMwareSTS conf folder:
    —————————————————————————————————
    copy c:\certs\sso\ssoserver.p12 c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
    —————————————————————————————————
    copy c:\certs\sso\Root64.cer c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
    —————————————————————————————————
    copy c:\certs\sso\rui.key c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key
    —————————————————————————————————
  5. Restart the VMwareSTS service
    net stop VMwareSTS
    net start VMwareSTS
  6. Update the SSO service with the new settings(password VMware1! is used in the example)
    —————————————————————————————————
    ssolscli updateService -d https://SSO2.yourdomain.se:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware1! -si C:\certs\gc_id -ip C:\certs\gc.properties
    —————————————————————————————————
    ssolscli updateService -d https://SSO2.yourdomain.se:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware1! -si C:\certs\admin_id -ip C:\certs\admin.properties
    —————————————————————————————————
    ssolscli updateService -d https://SSO2.yourdomain.se:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware1! -si C:\certs\sts_id -ip C:\certs\sts.properties
    —————————————————————————————————
  7. Restart the VMwareSTS service again
    net stop VMwareSTS
    net start VMwareSTS
  8. Run the following command to list the SSO Service, and check that the address under endpoints have the VIP address, SSO.yourdomain.se instead of SSO2.yourdomain.se:
    ssolscli listServices https://SSO2.yourdomain.se:7444/lookupservice/sdk
  9. Finally remove the line you added to the hosts file:
    notepad C:\Windows\System32\Drivers\etc\hosts
    Remove:
    192.168.0.102               sso.yourdomain.se
  10. Repeat this section for SSO3, SSO4 etc.
  11. Complete!
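Once every node has been through this section, the point of the whole exercise is that each node and the VIP present the same CA-issued certificate, so a client reaching any node through the load balancer validates it under the VIP name. The PowerShell script below is an added example, not from the original guide, that connects to port 7444 on each node and on the VIP, reads the certificate actually served, and compares its thumbprint with rui.crt and checks that the VIP name is in its Subject Alternative Name. A node that still serves the certificate generated by the installer shows up as a mismatch. Hostnames follow the guide's table; adjust them for your environment.

```powershell
# Added example, not part of the original guide: after all nodes are configured, connect
# to port 7444 on every SSO node and on the VIP and check that each endpoint serves the
# certificate you issued (rui.crt) and that the VIP name is in its Subject Alternative
# Name. Names follow the guide's table; adjust them for your environment.
param(
    [string]$ExpectedCertPath = 'C:\certs\sso\rui.crt',
    [string]$Vip = 'SSO.yourdomain.se',
    [string[]]$Nodes = @('SSO1.yourdomain.se', 'SSO2.yourdomain.se',
                         'SSO3.yourdomain.se', 'SSO4.yourdomain.se'),
    [int]$Port = 7444
)

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExpectedCertPath

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents here; the checks below report what was
        # actually served instead of failing the handshake with a generic exception.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    }
    finally {
        $client.Close()
    }
}

$allOk = $true
foreach ($h in @($Nodes) + $Vip) {
    try {
        $served = Get-ServedCertificate -HostName $h -Port $Port
    }
    catch {
        "$h : no TLS handshake on port $Port ($($_.Exception.Message))"
        $allOk = $false
        continue
    }
    # Format($true) renders one SAN entry per line ("DNS Name=..." on English Windows).
    $san      = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText  = if ($san) { $san.Format($true) } else { '' }
    $sameCert = $served.Thumbprint -eq $expected.Thumbprint
    $hasVip   = $sanText -match ('DNS Name=' + [regex]::Escape($Vip) + '\s*(\r|\n|$)')
    if ($sameCert -and $hasVip) {
        "$h : OK (thumbprint $($served.Thumbprint))"
    } else {
        "$h : MISMATCH - served thumbprint $($served.Thumbprint), expected $($expected.Thumbprint); VIP name in SAN: $hasVip"
        $allOk = $false
    }
}
if ($allOk) { exit 0 } else { exit 1 }
```

Run it from any machine that can reach the nodes and the VIP on port 7444. Running it several times against the VIP is also a cheap way to see that the load balancer really distributes the connections, since every node answers with the same thumbprint only when all of them have been configured.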
