Upgrading to vCenter Single Sign-On 5.5 fails when the SSL certificate is in the PKCS12 format and reports the error: vCenter Single Sign-On Setup Wizard ended prematurely because of an error

Article ID: 307504

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Cannot upgrade from VMware vCenter Single Sign-On (SSO) 5.1 to 5.5.
  • Upgrading from SSO 5.1 to 5.5 fails after you accept the End User Licensing Agreement.
  • The SSO installer fails and rolls back before you choose an SSO deployment method.
  • Certificate Authority (CA) signed certificates were implemented in your vSphere 5.1 environment.
  • You see the error:

    vCenter Single Sign-On Setup Wizard ended prematurely because of an error

  • In the vim-sso-msi.log file, located at %TEMP%, you see entries similar to:
DEBUG: Error 2863: The control WarnNotDNSResolved on dialog MachineStatusDlg needs the icon Exclaim.ico in size 16x16, but that size is not available. Loading the first available size
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2863. The arguments are: MachineStatusDlg, WarnNotDNSResolved, Exclaim.ico

Action 13:12:02: MachineStatusDlg. Dialog created
Action 13:12:04: UpgradeDoExportDlg. Dialog created
MSI (c) (24:54) [13:12:06:564]: Doing action: ExtractKeystoreInfo
Action 13:12:06: ExtractKeystoreInfo.
Action start 13:12:06: ExtractKeystoreInfo.
Action ended 13:12:06: ExtractKeystoreInfo. Return value 3.
DEBUG: Error 2896: Executing action ExtractKeystoreInfo failed.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2896. The arguments are: ExtractKeystoreInfo, ,
Action ended 13:12:06: SSOWelcomeDlg. Return value 3.
MSI (c) (24:84) [13:12:06:592]: Doing action: FatalError
Action 13:12:06: FatalError.
Action start 13:12:06: FatalError.
Action 13:12:06: FatalError. Dialog created
MSI (c) (24:54) [13:12:15:775]: Doing action: ShowMsiLog
Action 13:12:15: ShowMsiLog.
Action start 13:12:15: ShowMsiLog.
MSI (c) (24:78) [13:12:15:868]: Invoking remote custom action. DLL: C:\Users\SA-VCE~1\AppData\Local\Temp\MSIAA46.tmp, Entrypoint: WixShellExec
MSI (c) (24:EC) [13:12:15:871]: Cloaking enabled.
MSI (c) (24:EC) [13:12:15:871]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (24:EC) [13:12:15:873]: Connected to service for CA interface.
Action ended 13:12:16: ShowMsiLog. Return value 1.
Action ended 13:12:16: FatalError. Return value 2.

...

DEBUG: Error 2896: Executing action ExtractKeystoreInfo failed.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2896. The arguments are: ExtractKeystoreInfo,

Action ended 12:59:08: SSOWelcomeDlg. Return value 3
MSI (c) (F4: 38) [12:59:08:966]: Doing action: FatalError
Action 12:59:08: FatalError.
Action start 12:59:08: FatalError.
Action 12:59:08: FatalError. dialogue created
MSI (c) (F4: 00) [13:02:04:206]: Doing action: ShowMsiLog
Action 13:02:04: ShowMsiLog.
Action start 13:02:04: ShowMsiLog.


Environment

VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x

Cause

This issue occurs if the SSL certificate for VMware vCenter Single Sign-On 5.1 is configured in a PKCS12 (*.pfx) format rather than JKS format.

Resolution

This issue is resolved in VMware vCenter Server 5.5.0b, available at VMware Downloads. For more information, see the vCenter Server 5.5.0b Release Notes.

To work around this issue when you do not want to upgrade, convert the SSL certificate for vCenter Single Sign-On 5.1 to JKS format before performing the upgrade. For more information, see:
After converting the SSL certificate, ensure that the server.xml file (located at C:\Program Files\VMware\Infrastructure\SSOServer\conf\) specifies JKS as the keystore type:
  1. On the vCenter Single Sign-On system, open the server.xml file using a text editor.
  2. Locate the two keystoreType entries.

    For example, the entries appear similar to:

    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="PKCS12" port="7445" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>
    <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="PKCS12" port="7444" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>

  3. Change the keystoreType entries to "JKS".

    For example:

    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="JKS" port="7445" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>
    <Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" executor="castleThreadPool" keyAlias="rui" keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystorePass="####" keystoreType="JKS" port="7444" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" truststorePass="####" truststoreType="PKCS12"/>

  4. Save and close the server.xml file.
  5. Restart the vCenter Single Sign-On Service. For more information, see Stopping, starting, or restarting vCenter services (1003895).
  6. Start the installation of vCenter Single Sign-On 5.5.
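
A pre-upgrade check for the condition described under Cause, as an added example that is not part of the original article or VMware's tooling: it reads each SSL connector in server.xml and compares the declared keystoreType with the format the keystore file actually has, judged by its leading bytes rather than its extension. The sample XML, the rui.jks file name and the 4-byte file headers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JKS_MAGIC = bytes.fromhex("feedfeed")    # header of a Java JKS keystore
JCEKS_MAGIC = bytes.fromhex("cececece")  # header of a JCEKS keystore

def sniff_keystore_format(head):
    """Guess the keystore format from the first bytes of the file."""
    if head[:4] == JKS_MAGIC:
        return "JKS"
    if head[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if head[:1] == b"\x30":              # DER SEQUENCE tag: how a PKCS12/PFX file begins
        return "PKCS12"
    return "UNKNOWN"

def read_head_from_disk(path, n=4):
    with open(path, "rb") as f:
        return f.read(n)

def audit_connectors(server_xml_text, read_head=read_head_from_disk):
    """One finding per SSL connector: declared type vs. what the file really is."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        path = conn.get("keystoreFile")
        declared = conn.get("keystoreType", "(unset)")
        actual = sniff_keystore_format(read_head(path)) if path else "UNKNOWN"
        findings.append({"port": conn.get("port"), "declared": declared, "actual": actual,
                         "ready_for_upgrade": declared == "JKS" and actual == "JKS"})
    return findings

# Constructed sample (not a real server.xml): one connector still on PKCS12,
# one already converted. File contents are stood in for by 4-byte headers.
SAMPLE_XML = r"""<Server><Service name="Catalina">
  <Connector SSLEnabled="true" port="7445" keyAlias="rui" keystorePass="####"
             keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.pfx" keystoreType="PKCS12"/>
  <Connector SSLEnabled="true" port="7444" keyAlias="rui" keystorePass="####"
             keystoreFile="C:\ProgramData\VMware\SSOCERTS\rui.jks" keystoreType="JKS"/>
</Service></Server>"""
SAMPLE_FILES = {
    r"C:\ProgramData\VMware\SSOCERTS\rui.pfx": b"\x30\x82\x0a\x11",  # constructed
    r"C:\ProgramData\VMware\SSOCERTS\rui.jks": b"\xfe\xed\xfe\xed",  # constructed
}

def audit_sample():
    return audit_connectors(SAMPLE_XML, SAMPLE_FILES.__getitem__)

if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Against a real system, call audit_connectors() with the text of server.xml and leave read_head at its default so the keystore files are read from disk; a connector that declares JKS while its file still sniffs as PKCS12 is reported as not ready.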


Additional Information

How to stop, start, or restart vCenter Server services
Configuring CA signed SSL certificates for VMware vCenter Single Sign-On in vSphere 5.1
Creating certificate requests and certificates for vCenter Server 5.1 components