Our environment is now ready for deploying vCenter Server Appliance, whether version 6 or 6.5.
Deploy External PSC
I mount the ISO on the Control Center and, for vCenter Server Appliance version 6, install the Client Integration Plugin (version 6.5 no longer needs it). During the deployment I choose External PSC, sync the time to the Active Directory domain controller, and enable SSH access. (Reference)
After the PSC is fully deployed, open the VAMI (https://psc1.domain.com:5480/), set the root password to never expire, and choose the correct timezone. Open PuTTY, connect to the PSC, and set the default shell to BASH with the following command (KB article): chsh -s /bin/bash root
Configure VMware CA as Subordinate AD CA
Using PuTTY, create a new folder: mkdir /tmp/vmca
Launch the Certificate Manager (KB article): /usr/lib/vmware-vmca/bin/certificate-manager
Choose "Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates". For Machine_SSL_CERT.cfg, set the Name to Machine-SSL. For machine.cfg, set the Name to machine. For vsphere-webclient, set the Name to webclient. For certool, set the name to VAMI-Subordinate.
Save the CSR to /tmp/vmca. Keep the PuTTY session connected; we'll use it again shortly.
Now launch WinSCP and connect to the external PSC using the root credentials. Go to /tmp/vmca and copy vmca_issued_csr.csr to the Control Center machine. Open the file in Notepad, choose Select All, and Copy. Open a web browser, go to http://dc1.domain.com/certsrv, click Request a Certificate, then Advanced Certificate Request. Under Saved Request, paste the copied text into the box, choose "vSphere6.0 VMCA" as the Certificate Template, and click Submit. Download the certificate in Base-64-encoded format and save the file as "PSC-Cert.txt".
Go back to http://dc1.domain.com/certsrv and click Download a CA certificate, certificate chain, or CRL. Choose Base 64 and click Download CA certificate. Save the file as "DC1-Cert.txt".
Now open a new Notepad window, copy the content of PSC-Cert.txt, and paste it into the empty Notepad file. Save the file as ca.crt but don't close it yet. Next copy the content of DC1-Cert.txt and paste it at the end of ca.crt, then save again. The order matters: the issued certificate comes first, followed by the CA certificate that signed it.
Back in WinSCP, copy ca.crt to /tmp/vmca. Now back in PuTTY, choose Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate. For the Certificate, type /tmp/vmca/ca.crt, and for the Key type /tmp/vmca/vmca_issued_key.key. Press Y to confirm the certificate replacement and wait until the process finishes.
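Building ca.crt by hand in Notepad is where replacements most often go wrong: the two certificates end up in the wrong order, Windows line endings sneak in, or the issued certificate does not match the key that certificate-manager generated. The following added example (my own script, not part of the original post or of VMware's certificate-manager) does the concatenation on the PSC itself and checks the result before you point certificate-manager at it. The file names and paths are the ones used above; the PEM bodies in the demo section are constructed placeholders, not real certificates, and the openssl checks in verify_with_openssl assume openssl is on the appliance (it is on the VCSA, but the function skips if it is not found).

```shell
#!/bin/sh
# Added example: assemble /tmp/vmca/ca.crt (issued cert first, then the issuing CA)
# and sanity-check it before running certificate-manager's import step.

# build_chain LEAF CA OUT: write LEAF followed by CA to OUT.
# tr -d '\r' strips the Windows line endings that Notepad leaves behind;
# sed removes blank lines so the PEM blocks are back to back.
build_chain() {
    leaf="$1"; ca="$2"; out="$3"
    { tr -d '\r' < "$leaf"; printf '\n'; tr -d '\r' < "$ca"; } | sed '/^$/d' > "$out"
}

# cert_count FILE: number of PEM certificate blocks in FILE (expect 2: leaf + issuing CA).
cert_count() {
    tr -d '\r' < "$1" | grep -c '^-----BEGIN CERTIFICATE-----$'
}

# first_block FILE: print only the first PEM certificate block of FILE.
first_block() {
    tr -d '\r' < "$1" | awk '/^-----BEGIN CERTIFICATE-----$/{p=1} p{print} /^-----END CERTIFICATE-----$/{if (p) exit}'
}

# chain_is_sane CHAIN LEAF: 0 when CHAIN holds at least two certificates and the
# first one is the certificate downloaded from the CA web enrolment page.
chain_is_sane() {
    n=$(cert_count "$1") || return 1
    [ "$n" -ge 2 ] || return 1
    [ "$(first_block "$1")" = "$(first_block "$2")" ]
}

# verify_with_openssl CHAIN KEY: the two checks that catch most failed replacements.
# The leaf must verify against the issuer part of the chain (which must reach a
# self-signed root, as the AD root CA does) and must match the VMCA-generated key.
verify_with_openssl() {
    chain="$1"; key="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available, skipping" >&2; return 2; }
    first_block "$chain" > "$chain.leaf"
    # everything after the first block is the issuer chain
    awk -v n="$(wc -l < "$chain.leaf")" 'NR > n' "$chain" > "$chain.issuers"
    openssl verify -CAfile "$chain.issuers" "$chain.leaf" || return 1
    [ "$(openssl x509 -noout -modulus -in "$chain.leaf")" = "$(openssl rsa -noout -modulus -in "$key")" ]
}

# --- demo on constructed stand-ins (not real certificates) ---
DEMO_DIR=$(mktemp -d)
DEMO_LEAF="$DEMO_DIR/PSC-Cert.txt"
DEMO_CA="$DEMO_DIR/DC1-Cert.txt"
DEMO_CHAIN="$DEMO_DIR/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB-PSC-placeholder' '-----END CERTIFICATE-----' > "$DEMO_LEAF"
# the CA file gets Windows line endings on purpose, as if saved from Notepad
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIB-DC1-placeholder' '-----END CERTIFICATE-----' > "$DEMO_CA"
build_chain "$DEMO_LEAF" "$DEMO_CA" "$DEMO_CHAIN"
chain_is_sane "$DEMO_CHAIN" "$DEMO_LEAF" && echo "ca.crt is in the right order and has no CR characters"
# on the PSC, with the real files:
#   build_chain /tmp/vmca/PSC-Cert.txt /tmp/vmca/DC1-Cert.txt /tmp/vmca/ca.crt
#   verify_with_openssl /tmp/vmca/ca.crt /tmp/vmca/vmca_issued_key.key
```

Run verify_with_openssl on the PSC before answering Y to certificate-manager: a key mismatch or an incomplete chain is much cheaper to fix at that point than after the services have been restarted with a half-replaced certificate set.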
Deploy vCenter Server
Mount the ISO on the Control Center machine if it is not already mounted, and under External Platform Services Controller choose vCenter Server. Sync the time to the Active Directory domain controller and enable SSH access.
After the vCenter Server is fully deployed, open the VAMI (https://vc1.domain.com:5480/), set the root password to never expire, and choose the correct timezone. Open PuTTY, connect to the vCenter Server, and set the default shell to BASH with the following command (KB article): chsh -s /bin/bash root
Replace VAMI SSL Certificate
The VAMI (virtual appliance management interface) that we access on port 5480 is still using its original, untrusted SSL certificate; the VMCA replacement above does not cover it. To replace it, perform the following steps on both the PSC and the vCenter Server (KB article):
Using PuTTY, connect to the PSC. If it is version 6, run the following command (not needed on version 6.5): /usr/lib/applmgmt/support/scripts/postinstallscripts/lighttpd-vecs-integration.sh
Now, for both version 6 and version 6.5, open WinSCP and connect to the PSC. Copy the ca.crt that we created earlier to the /etc/applmgmt/appliance/ directory. Edit /opt/vmware/etc/lighttpd/lighttpd.conf, add the line ssl.ca-file = "/etc/applmgmt/appliance/ca.crt", and save the changes. Now back in PuTTY, run the following command: /etc/init.d/vami-lighttp restart. The VAMI should now present a trusted SSL certificate. Repeat the steps for the vCenter Server.
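Since the lighttpd edit has to be repeated on every appliance (and again after some patches), it is worth scripting it so that a second run never leaves two ssl.ca-file lines in the file. The following added example is my own helper, not part of the original post or of the VCSA; the ssl.ca-file directive and the /etc/applmgmt/appliance/ca.crt path are the ones used above, while the lighttpd.conf content in the demo section is a constructed stand-in for the real file.

```shell
#!/bin/sh
# Added example: idempotent ssl.ca-file change for the VAMI's lighttpd.conf,
# plus a check to run before restarting vami-lighttp.

# count_ca_lines CONF: how many ssl.ca-file directives CONF contains.
count_ca_lines() {
    grep -c '^[[:space:]]*ssl\.ca-file[[:space:]]*=' "$1"
}

# add_ca_file CONF [CHAIN]: ensure CONF has exactly one ssl.ca-file line pointing at CHAIN.
# A missing directive is appended; an existing one is rewritten in place, never duplicated.
add_ca_file() {
    conf="$1"; chain="${2:-/etc/applmgmt/appliance/ca.crt}"
    line="ssl.ca-file = \"$chain\""
    n=$(count_ca_lines "$conf") || n=0
    if [ "$n" -eq 0 ]; then
        printf '%s\n' "$line" >> "$conf"
    else
        sed "s#^[[:space:]]*ssl\.ca-file[[:space:]]*=.*#$line#" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
}

# vami_ca_ok CONF CHAIN: 0 when CONF carries exactly one ssl.ca-file line for CHAIN
# and CHAIN is readable and actually contains a PEM certificate.
vami_ca_ok() {
    conf="$1"; chain="$2"
    [ "$(count_ca_lines "$conf")" -eq 1 ] || return 1
    grep -qxF "ssl.ca-file = \"$chain\"" "$conf" || return 1
    [ -r "$chain" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$chain"
}

# --- demo on a constructed lighttpd.conf and chain file ---
DEMO_DIR=$(mktemp -d)
DEMO_CONF="$DEMO_DIR/lighttpd.conf"
DEMO_CHAIN="$DEMO_DIR/ca.crt"
printf '%s\n' 'server.port = 5480' 'ssl.engine = "enable"' > "$DEMO_CONF"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB-placeholder' '-----END CERTIFICATE-----' > "$DEMO_CHAIN"
add_ca_file "$DEMO_CONF" "$DEMO_CHAIN"
add_ca_file "$DEMO_CONF" "$DEMO_CHAIN"   # second run must not add a duplicate
vami_ca_ok "$DEMO_CONF" "$DEMO_CHAIN" && echo "lighttpd.conf ready; now run: /etc/init.d/vami-lighttp restart"
# on the appliance, with the real files:
#   add_ca_file /opt/vmware/etc/lighttpd/lighttpd.conf
#   vami_ca_ok /opt/vmware/etc/lighttpd/lighttpd.conf /etc/applmgmt/appliance/ca.crt
```

The check runs before the restart on purpose: lighttpd will refuse to start if ssl.ca-file points at a missing or empty file, and then the VAMI is unreachable until you fix the path over SSH.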
The vCenter Server is now running, and all the certificates are trusted. In the next post I will open the vSphere Web Client and configure the other parts of the environment.