Changing the vCenter FQDN in VMware Cloud Foundation 9.1
Article ID: 432243

Products

VMware SDDC Manager / VCF Installer VMware Cloud Foundation

Issue/Introduction

As part of a product upgrade, company acquisition, or corporate merger, it may be necessary to update the fully qualified domain names (FQDNs) of vCenters to align with new naming conventions or organizational policies.

When a vCenter FQDN is changed, it is essential to follow the correct procedure and remediate every component of the VMware Cloud Foundation (VCF) suite so that it reflects the updated FQDN. This applies to vCenters deployed as part of workload domains, including the management domain.

⚠️ Changing the vCenter FQDN solely via the vCenter Virtual Appliance Management Interface (VAMI), without performing the remediation steps in SDDC Manager (SDDC-M) and NSX, can result in unpredictable behavior and workflow failures within SDDC Manager.

Environment

VMware Cloud Foundation 9.1

Resolution

Prerequisites

  1. If you are changing the FQDN of the management domain vCenter, ensure that the SDDC Manager local account password is set. It is required to authenticate with SDDC Manager during remediation. Use the APIs below to configure the local account.

    Get Local Account
    Update Local User Password

  2. Update the DNS entries so that the new FQDN resolves to the existing vCenter IP address (forward and reverse records).

  3. Change the vCenter FQDN using the vCenter Server Appliance Management Interface (VAMI) at https://<FQDN-of-VCSA>:5480. Follow the detailed steps in this blog post.

  4. After changing the vCenter FQDN, make sure to remediate NSX with the new vCenter certificates. Follow the steps listed in this KB to remediate NSX.

  5. Refresh the "ssoserverSign" root certificate in vCenter so that it is regenerated with the new FQDN. SDDC Manager requires this for SAML-based authentication.

    Refresh a vCenter STS Certificate Using the vSphere Client

Remediate the vCenter FQDN change in SDDC Manager

SDDC Manager remediation must be performed using an API-based approach.

  1. Acquire SAML access token:

    If the changed FQDN belongs to a workload domain vCenter, use the command below to get an access token:

    accessToken=$(curl -sk https://<sddc-manager-fqdn>/v1/tokens -H 'Content-Type: application/json' -X POST -d '{ "username":"<sso-username>", "password":"<sso-password>"}' | jq -r .accessToken)

    If the changed FQDN belongs to the management domain vCenter, use the SDDC Manager break-glass account to get an access token:

    accessToken=$(curl -sk https://<sddc-manager-fqdn>/v1/tokens -H 'Content-Type: application/json' -X POST -d '{ "username":"admin@local", "password":"<account-password>"}' | jq -r .accessToken)

  2. Get UUID of vCenter to be remediated:

    curl -k -X GET 'https://<sddc-manager-fqdn>/v1/vcenters' -H 'Content-Type: application/json' -H "Authorization: Bearer $accessToken" | jq

    Record the vCenter "id" from the API response.

  3. Get TLS Thumbprint for the new vCenter FQDN:

    Use the openssl command below to retrieve the SHA-256 thumbprint of the vCenter certificate.

    openssl s_client -connect <new-vcenter-fqdn>:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256

    The response looks like this (only the Fingerprint value is needed for the remediation API):

    sha256 Fingerprint=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

  4. Execute the vCenter FQDN remediate API:

    Use the vCenter ID and TLS thumbprint obtained in the previous steps.

    curl -ks -X PATCH 'https://<sddc-manager-fqdn>/v1/vcenters/<vcenter-id>/fqdn' \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $accessToken" \
    -d '{
    "newFqdn": "<vcenter-fqdn>",
    "tlsThumbprint": "<Ex: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX>",
    "adminSsoUsername": "<adminSsoUsername>",
    "adminSsoPassword": "<adminSsoPassword>"
    }' | jq

    This will start an async task to complete the remediation.

  5. Remediation Task status:

    Use the task ID from the previous API response to track the status of the remediation operation.

    curl -ks https://<sddc-manager-fqdn>/v1/tasks/<task-id> -H "Authorization: Bearer $accessToken" | jq

  6. Restart SDDC Manager services:

    After the remediation task completes successfully, restart all SDDC Manager services with the script below. This is required to invalidate the caches and re-populate them with the updated inventory data.

    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

SDDC Manager UI should be accessible after the services are restarted.
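The whole SDDC Manager remediation sequence above (token, vCenter lookup, thumbprint, PATCH, task polling) as one script. This is an added example, not code from the KB or from Broadcom: it assumes bash, curl, openssl and jq, the /v1/tokens, /v1/vcenters, /v1/vcenters/<id>/fqdn and /v1/tasks/<id> endpoints exactly as the article shows them, that /v1/vcenters returns an "elements" list with "id" and "fqdn" fields, that the PATCH returns a task object with an "id", and that terminal task states are Successful, Failed or Cancelled. SDDC_MANAGER, OLD_VCENTER_FQDN, NEW_VCENTER_FQDN, SSO_USERNAME and SSO_PASSWORD are placeholder environment variables; nothing network-facing runs unless RUN_REMEDIATION=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the KB: the SDDC Manager remediation calls from the
# article wrapped in functions. Assumes bash, curl, openssl and jq and the API
# endpoints exactly as the article shows them. SDDC_MANAGER, OLD_VCENTER_FQDN,
# NEW_VCENTER_FQDN, SSO_USERNAME and SSO_PASSWORD are placeholder env vars.
set -euo pipefail

# Escape a value for embedding in a JSON string (backslash and double quote),
# so an SSO password containing either does not break the request body.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Pull the fingerprint out of "openssl x509 -fingerprint -sha256" output.
# Older OpenSSL prints "SHA256 Fingerprint=", newer prints "sha256 Fingerprint=";
# the result is upper-cased so it compares cleanly.
extract_thumbprint() {
  printf '%s\n' "$1" | awk -F= 'tolower($1) ~ /fingerprint$/ {print $2}' | tr 'a-f' 'A-F'
}

# The /fqdn API pins the new certificate by its SHA-256 thumbprint: 32
# colon-separated hex pairs. Reject anything else (for example a SHA-1 value)
# before sending it, since a wrong pin makes the remediation task fail.
valid_thumbprint() {
  printf '%s' "$1" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$'
}

# Build the PATCH body for /v1/vcenters/{id}/fqdn from the KB's four keys.
remediation_body() {  # $1 newFqdn, $2 thumbprint, $3 SSO user, $4 SSO password
  printf '{"newFqdn":"%s","tlsThumbprint":"%s","adminSsoUsername":"%s","adminSsoPassword":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$(json_escape "$4")"
}

# --- live calls below; nothing here runs unless RUN_REMEDIATION=1 -----------

# Fetch the thumbprint of the certificate the new FQDN actually serves
# (-servername sends SNI so the matching certificate is selected).
fetch_thumbprint() {
  extract_thumbprint "$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)"
}

# Credentials come from the environment, not the command line, so they do not
# land in shell history or process listings.
get_token() {  # $1 username, $2 password
  curl -sk "https://$SDDC_MANAGER/v1/tokens" -H 'Content-Type: application/json' -X POST \
    -d "$(printf '{"username":"%s","password":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")")" \
    | jq -r .accessToken
}

# Assumption: /v1/vcenters returns {"elements":[{"id":...,"fqdn":...}]}.
find_vcenter_id() {  # $1 current (old) vCenter FQDN
  curl -sk "https://$SDDC_MANAGER/v1/vcenters" -H "Authorization: Bearer $TOKEN" \
    | jq -r --arg f "$1" '.elements[] | select(.fqdn == $f) | .id'
}

# Poll /v1/tasks/{id}; status compared case-insensitively
# (assumption: terminal states are Successful / Failed / Cancelled).
wait_for_task() {
  local status
  while :; do
    status=$(curl -sk "https://$SDDC_MANAGER/v1/tasks/$1" -H "Authorization: Bearer $TOKEN" | jq -r .status)
    case "$(printf '%s' "$status" | tr 'a-z' 'A-Z')" in
      SUCCESSFUL) return 0 ;;
      FAILED|CANCELLED) echo "task $1 ended with status $status" >&2; return 1 ;;
    esac
    sleep 30
  done
}

if [ "${RUN_REMEDIATION:-0}" = "1" ]; then
  TOKEN=$(get_token "$SSO_USERNAME" "$SSO_PASSWORD")
  VC_ID=$(find_vcenter_id "$OLD_VCENTER_FQDN")
  TP=$(fetch_thumbprint "$NEW_VCENTER_FQDN")
  valid_thumbprint "$TP" || { echo "unexpected thumbprint: $TP" >&2; exit 1; }
  echo "pinning $NEW_VCENTER_FQDN to $TP"
  # Assumption: the PATCH returns the async task object, whose "id" we poll.
  TASK_ID=$(curl -ks -X PATCH "https://$SDDC_MANAGER/v1/vcenters/$VC_ID/fqdn" \
    -H 'Content-Type: application/json' -H "Authorization: Bearer $TOKEN" \
    -d "$(remediation_body "$NEW_VCENTER_FQDN" "$TP" "$SSO_USERNAME" "$SSO_PASSWORD")" | jq -r .id)
  wait_for_task "$TASK_ID" && echo "task $TASK_ID succeeded; now restart the SDDC Manager services"
fi
```

The thumbprint check is the security-relevant step: the value you submit is what SDDC Manager will trust for the new FQDN, so it should be the SHA-256 fingerprint of the certificate vCenter really serves (hence the SNI-aware fetch) and nothing shorter. Running with RUN_REMEDIATION=1 still leaves step 6 of the procedure, restarting the SDDC Manager services, to be done by hand.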