Before performing any steps to replace the vCenter Server SSL certificates, validate the accuracy of the message the SSL Certificate Automation Tool displays.
When all three of these validation steps are true, proceed with the resolution. If any one of the three steps is not true, ignore the message and select the option to continue the operation with the SSL Certificate Automation Tool.
To validate the accuracy of the message the SSL Certificate Automation Tool displays:
- Verify that the sso.crt, sso.key and sso.pfx files are present. By default, the files are located at:
For Windows 2008: C:\ProgramData\VMware\VMware VirtualCenter\SSL\
For Windows 2003: C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtualcenter\SSL\
- Verify that sso.crt and sso.key are configured in the vpxd.cfg file. By default, the vpxd.cfg file is located at:
For Windows 2008: C:\ProgramData\VMware\VMware VirtualCenter\
For Windows 2003: C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtualcenter\
Look for this text in the vpxd.cfg file:
<solutionUser>
<certificate>C:\ProgramData\VMware\VMware VirtualCenter\ssl\sso.crt</certificate>
<name>vCenterServer_YYYY.MM.DD_######</name>
<privateKey>C:\ProgramData\VMware\VMware VirtualCenter\ssl\sso.key</privateKey>
</solutionUser>
- Verify that there are separate certificates configured for solutionUser and endpoint0 in the vcsso.properties file. By default, the vcsso.properties file is located at C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\.
Look for this text in the vcsso.properties file:
[solutionUser]
name=vCenterServer_YYYY.MM.DD_######
cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
description=vCenter Server
..
[endpoint0]
uri=https://fqdn.com:443/sdk
ssl= C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
protocol=vmomi
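The three checks above can be scripted. This is an added example, not VMware's code: it applies the checks to constructed excerpts of vpxd.cfg and vcsso.properties (the ".." elision from the article is omitted), comparing only certificate file names so the ssl/SSL path-case differences in the article do not matter. Call all_conditions_true() with the real SSL folder path and the contents of the two real files.

```python
import configparser
import os
import xml.etree.ElementTree as ET

# Constructed excerpt of vpxd.cfg (only the solutionUser block the check needs).
VPXD_CFG = """<config><vpxd><solutionUser>
<certificate>C:\\ProgramData\\VMware\\VMware VirtualCenter\\ssl\\sso.crt</certificate>
<name>vCenterServer_2013.01.01_000000</name>
<privateKey>C:\\ProgramData\\VMware\\VMware VirtualCenter\\ssl\\sso.key</privateKey>
</solutionUser></vpxd></config>"""

# Constructed excerpt of vcsso.properties (the ".." elision from the article omitted).
VCSSO_PROPERTIES = """[solutionUser]
name=vCenterServer_2013.01.01_000000
cert=C:\\ProgramData\\VMware\\VMware VirtualCenter\\SSL\\sso.crt
[endpoint0]
uri=https://vcserver.domain.com:443/sdk
ssl=C:\\ProgramData\\VMware\\VMware VirtualCenter\\SSL\\rui.crt
protocol=vmomi
"""

def basename_win(path):
    """Last component of a Windows path, case-folded, so this runs on any OS."""
    return path.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_ssl_files(ssl_dir):
    """Check 1: sso.crt, sso.key and sso.pfx are present in the SSL folder."""
    return all(os.path.isfile(os.path.join(ssl_dir, n))
               for n in ("sso.crt", "sso.key", "sso.pfx"))

def check_vpxd_cfg(xml_text):
    """Check 2: the solutionUser block in vpxd.cfg references sso.crt and sso.key."""
    su = ET.fromstring(xml_text).find(".//solutionUser")
    return (su is not None
            and basename_win(su.findtext("certificate", "")) == "sso.crt"
            and basename_win(su.findtext("privateKey", "")) == "sso.key")

def check_vcsso_properties(text):
    """Check 3: solutionUser and endpoint0 are configured with separate certificates."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not (cp.has_option("solutionUser", "cert") and cp.has_option("endpoint0", "ssl")):
        return False
    return basename_win(cp["solutionUser"]["cert"]) != basename_win(cp["endpoint0"]["ssl"])

def all_conditions_true(ssl_dir, vpxd_xml, vcsso_text):
    """Proceed with the resolution only when every check passes."""
    return (check_ssl_files(ssl_dir) and check_vpxd_cfg(vpxd_xml)
            and check_vcsso_properties(vcsso_text))
```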
Use these steps when all three items have been validated in your environment
To resolve this issue when all three items have been validated in your environment, complete the following steps and then replace the vCenter Server SSL certificates using the SSL Certificate Automation Tool:
- Log in to the vCenter Single Sign-On (SSO) server and open a command prompt.
- Set the JAVA_HOME environment variable by running this command:
vCenter Server 5.1:
SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
vCenter Server 5.5:
SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\
Note: These are the default installation paths. If the components were installed elsewhere, adjust the path accordingly.
- Navigate to the ssolscli.cmd directory. By default, this is located at:
vCenter Server 5.1: C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli\
vCenter Server 5.5: C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\
- Run this command to identify service details for the configuration:
ssolscli.cmd listServices https://ssoserver.domain.com:7444/lookupservice/sdk
Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server.
- Locate the vCenter Server service information.
Example service configuration:
Service 4
-----------
serviceId={A4EEF3E6-9129-4545-9CD9-3B42F0E29350}:7
serviceName=vCenterService
type=urn:vc
endpoints={[url=https://vcserver.domain.com:443/sdk,protocol=vmomi]}
version=5.1
description=vCenter Server
ownerId=vCenterServer_YYYY.MM.MM_######@System-Domain
productId=<null>
viSite={A4EEF3E6-9129-4545-9CD9-3B42F0E29350}
Note: If there are multiple vCenter Servers listed in the service information, make sure that you are looking at the correct vCenter Server service information by checking the endpoint URL.
- Locate the vCenter Server application user by reviewing the service configuration output. Find the line matching this, from the output referred to in the previous step:
ownerId=vCenterServer_YYYY.MM.MM_######@System-Domain
- Run this command to remove the application user:
ssolscli unregisterSolution -d https://ssoserver.domain.com:7444/lookupservice/sdk -u admin@system-domain -p password -su vCenterServer_YYYY.MM.MM_######
Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server and password is your admin@system-domain password.
Note: Do NOT carry over the @System-Domain suffix from the ownerId line. ONLY carry over vCenterServer_YYYY.MM.MM_###### to the -su parameter.
- Open Notepad and copy the serviceId information from the listServices output into a new text file. The only text in the file must be the service ID, for example:
{A4EEF3E6-9129-4545-9CD9-3B42F0E29350}:7
- Save the file as:
C:\Program Files\VMware\Infrastructure\SSOServer\service.id
- Unregister vCenter Server from the Lookup Service by running this command:
ssolscli unregisterService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u admin@system-domain -p password -si "C:\Program Files\VMware\Infrastructure\SSOServer\service.id"
Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server and password is your admin@system-domain password.
- Log in to vCenter Server and open a command prompt.
- Set the JAVA_HOME environment variable by running this command:
SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
- Navigate to the vpxd.cfg configuration file. By default, this file is located at:
For Windows 2008: C:\ProgramData\VMware\VMware VirtualCenter\
For Windows 2003: C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtualcenter\
- Edit the vpxd.cfg file in Notepad and remove the lines that reference the solution user certificate.
Remove these lines:
<certificate>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt</certificate>
<privateKey>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.key</privateKey>
- Navigate to the vcsso.properties file. By default, this is located in the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\ folder.
- Edit the vcsso.properties file in Notepad and replace the reference to sso.crt with rui.crt.
For example, change this:
[solutionUser]
name=vCenterServer_YYYY.MM.MM_######
cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
description=vCenter Server
to:
[solutionUser]
name=vCenterServer_YYYY.MM.MM_######
cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
description=vCenter Server
- Stop the VMware VirtualCenter Server service.
- Navigate to the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\ folder.
- Extract the sso_svccfg.zip file.
- In a command prompt window, navigate to the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\ folder.
- Re-register vCenter Server to vCenter Single Sign-On by running this command:
repoint.cmd configure-vc --lookup-server https://ssoserver.domain.com:7444/lookupservice/sdk --user "admin@System-Domain" --password "password" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"
Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server and password is your admin@system-domain password.
Note: If vCenter Server has been installed in a non-default location, use this command:
repoint.cmd configure-vc --lookup-server https://ssoserver.domain.com:7444/lookupservice/sdk --user "admin@System-Domain" --password "password" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/" --vc-install-dir "D:\Program Files\VMware\Infrastructure\VirtualCenter Server"
Where --vc-install-dir is the location where vCenter Server is installed; this example uses the D: drive.
- On vCenter Server, start the VMware VirtualCenter Server and VMware VirtualCenter Management Webservices services.
After these steps are complete, return to the SSL Certificate Automation Tool and continue with the certificate implementation as shown in the update plan.
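The listServices, unregisterSolution and service.id steps above depend on reading the right values out of the listServices output. This added example (not VMware's code) parses a constructed two-service output of the layout shown above, selects the vCenter Server service by its endpoint URL as the note requires, strips the @System-Domain suffix for the -su parameter, and produces the service.id content with nothing but the service ID; the IDs in the sample are made up.

```python
import re

# Constructed listServices output (two registrations, shortened to the fields
# the steps use; the IDs are made up).
LISTSERVICES_OUTPUT = """Service 3
-----------
serviceId={11111111-2222-3333-4444-555555555555}:5
type=urn:vc
endpoints={[url=https://other-vc.domain.com:443/sdk,protocol=vmomi]}
ownerId=vCenterServer_2013.01.01_111111@System-Domain

Service 4
-----------
serviceId={A4EEF3E6-9129-4545-9CD9-3B42F0E29350}:7
type=urn:vc
endpoints={[url=https://vcserver.domain.com:443/sdk,protocol=vmomi]}
ownerId=vCenterServer_2013.01.01_222222@System-Domain
"""

def parse_services(text):
    """Split listServices output into one {key: value} dict per 'Service N' block."""
    services, current = [], None
    for line in text.splitlines():
        if re.match(r"^Service \d+", line):
            current = {}
            services.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return services

def find_vc_service(services, vc_fqdn):
    """Pick the urn:vc service whose endpoint URL host is vc_fqdn (the note above:
    with several vCenter Servers, match on the endpoint URL, not on list order)."""
    for svc in services:
        urls = re.findall(r"url=(https?://[^,\]]+)", svc.get("endpoints", ""))
        hosts = [re.sub(r"^https?://", "", u).split("/")[0].split(":")[0] for u in urls]
        if svc.get("type") == "urn:vc" and vc_fqdn.lower() in (h.lower() for h in hosts):
            return svc
    return None

def solution_user(owner_id):
    """Value for ssolscli unregisterSolution -su: the ownerId without its
    @System-Domain suffix, as the note above requires."""
    return owner_id.split("@", 1)[0]

def service_id_file_content(svc):
    """Content for service.id: the serviceId alone and nothing else."""
    return svc["serviceId"]
```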