Installing VMware Single-Sign On in a HA Configuration

From VMUG Wiki

CONTENT CREATION IN PROGRESS


Originating Author

Gary Blake

Introduction

This process outlines the steps for performing an end-to-end implementation of vCenter Single Sign-On 5.5 in a Highly Available (HA) configuration; for the purpose of this document, end-to-end refers only to those aspects of the installation relating to the vCenter Single Sign-On services.

Installation References

The following publications contain supplemental information on implementing some of the components discussed in this document.

  • Creating certificate requests and certificates for vCenter Server 5.5 components (KB 2061934)
  • Deploying and using the SSL Certificate Automation Tool 5.5 (KB 2057340)
  • Generating certificates for use with the VMware SSL Certificate Automation Tool (KB 2044696)
  • Reconfigure the Load Balancer After Upgrading a vCenter Single Sign-On High Availability Deployment to Version 5.5

High Level Process Outline

The installation and configuration of vCenter Single Sign-On 5.5 in a highly available (HA) configuration requires the use of an external load balancer; it also requires that the various components are implemented in the correct sequence. Failing to follow the documented sequence can create unpredictable results and can leave components depending on other components that they should not depend on. The following list illustrates the high level process that must be followed:

  1. Environment Preparation
  2. Install Node 1 vCenter Single Sign-on Server
  3. Install Node 2 vCenter Single Sign-on Server
  4. Setup vCenter Single Sign-On System Environment
  5. Create Single Sign-On Certificate Authority Signed Certificates
  6. Update the VMwareSTS Service to Load Balancer Address
  7. Updating Certificates on Node 1 vCenter Single Sign-On Server
  8. Update the Admin & GC Service to Load Balancer Address
  9. Updating Certificates on Node 2 vCenter Single Sign-On Server

Environment Preparation

Before starting the implementation of vCenter Single Sign-On it’s important to ensure that certain elements of the environment are in place and fully functional. In order to establish a working highly available vCenter Single Sign-On solution the following must be in place:

  1. Pre-creation of SSO nodes as Virtual Machines
  2. Registration of SSO nodes within a DNS service
  3. Installation of VMware SSL Update tool on both nodes
  4. Configuration of the external load balancer

In addition it’s also worth making a note of key configuration information that is needed throughout the implementation. The following table should be used to capture these environmental specifics that will be used during the installation procedures.

Table 1. Environment Configuration Values

  Component              Hostname      FQDN                      IP Address
  SSO Node1              node1         node1.domain.com
  SSO Node2              node2         node2.domain.com
  Load Balancer Address  loadbalance   loadbalance.domain.com

Install Node 1 vCenter Single Sign-on Server

Once you have completed all environmental preparation tasks, you are ready to start following the procedure captured here to implement the first node of the vCenter Single Sign-On HA solution.

  1. Launch the VMware vSphere installer by clicking the autorun.exe.
  2. From the VMware vSphere installer menu, select vCenter Single Sign-On. Click Install.
  3. At the ‘Welcome to the vCenter Single Sign-On Setup’ dialog, click Next.
  4. At the ‘End-User License Agreement’ dialog, click the I accept the terms in the License Agreement check box. Click Next.
  5. At the ‘vCenter Single Sign-On Prerequisites Check’ dialog, the install wizard detects the system configuration. Verify that the FQDN and IP Address are correct. By default the Add domain_name as a native Active Directory Identity source check box is enabled. Click Next. NOTE: For large Active Directory domains the installer can appear to hang and eventually times out and rolls back whilst trying to complete this task; in these situations uncheck the box and add the domain at a later stage.
  6. At the ‘vCenter Single Sign-On Information’ dialog for deployment mode, select the vCenter Single Sign-On for your first vCenter Server radio button. Click Next.
  7. At the ‘vCenter Single Sign-On Information’ dialog for account credentials, enter a password for the administrator in the Password text box and re-enter the password in the Confirm Password text box. Click Next.
  8. At the ‘vCenter Single Sign-On Configure Site’ dialog, enter a unique site name into the Site name text box or accept the default. Click Next.
  9. At the ‘vCenter Single Sign-On Port Settings’ dialog, unless you have a requirement to alter the default HTTPS port, leave the default value of 7444. Click Next. NOTE: The remaining procedures assume that the default port of 7444 is utilized.
  10. At the ‘Change destination folder’ dialog, accept the default path by clicking Next.
  11. At the ‘vCenter Single Sign-On Information’ dialog for install options, review your selections. Click Install.
  12. At the ‘Completed the vCenter Single Sign-On Setup Wizard’ dialog, click Finish.

Install Node 2 vCenter Single Sign-on Server

Once the first node has been installed, you must install the second node. This is performed in much the same way as the first node, with one key alteration: you must specify a different installation mode. Follow the step-by-step procedure below to complete the installation of the second node of the vCenter Single Sign-On HA solution.

  1. Launch the VMware vSphere installer by clicking the autorun.exe.
  2. From the VMware vSphere installer menu, select vCenter Single Sign-On. Click Install.
  3. At the ‘Welcome to the vCenter Single Sign-On Setup’ dialog, click Next.
  4. At the ‘End-User License Agreement’ dialog, click the I accept the terms in the License Agreement check box. Click Next.
  5. At the ‘vCenter Single Sign-On Prerequisites Check’ dialog, the install wizard detects the system configuration. Verify that the FQDN and IP Address are correct. Because this is the second node in the site, uncheck the Add domain_name as a native Active Directory Identity source check box. Click Next.
  6. At the ‘vCenter Single Sign-On Information’ dialog for deployment types, select vCenter Single Sign-On for an additional vCenter Server in an existing site. Click Next.
  7. At the ‘vCenter Single Sign-On Information’ dialog for partner information, enter the FQDN of the first node in the Partner host name text box, then the password used for the administrator@vsphere.local account in the Password text box. Click Next.
  8. At the ‘Partner certificate’ dialog, click Continue to accept the certificate.
  9. At the ‘vCenter Single Sign-On Join Site’ dialog, use the dropdown menu to select the vCenter Single Sign-On site you wish to join. Click Next. NOTE: The site name should match the name specified in Step 8 of the Install Node 1 vCenter Single Sign-On Server section.
  10. At the ‘vCenter Single Sign-On Port Settings’ dialog, unless you have a requirement to alter the default HTTPS port, leave the default value of 7444. Click Next.
  11. At the ‘Change destination folder’ dialog, accept the default path by clicking Next.
  12. At the ‘vCenter Single Sign-On Information’ dialog for install options, review your selections. Click Install.
  13. At the ‘Completed the vCenter Single Sign-On Setup Wizard’ dialog, click Finish.

Setup vCenter Single Sign-On System Environment

During the installation process there are numerous command line tasks that must be performed which, by default, require you to be positioned within the physical directory of the tool. This can be avoided by performing some simple environment configuration steps on each vCenter Single Sign-On node. This section provides the steps to perform the following tasks:

  • Configure the JAVA_HOME system variable
  • Add additional paths to the PATH system variable

Perform these steps on both node1 and node2:

  1. Launch the system properties by clicking Start. Then right click on Computer and select Properties from the menu.
  2. On the left hand side click Advanced system settings.
  3. At the ‘System Properties’ dialog, click Environment Variables.
  4. At the ‘Environment Variables’ dialog, under User variables for Administrator, click New.
  5. Create a new variable for the Java home folder by entering the following details, then click OK.
     • Enter JAVA_HOME in the Variable Name text box
     • Enter the path C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components in the Variable Value text box
  6. At the ‘Environment Variables’ dialog, under System variables, locate Path. Click Edit.
  7. At the ‘Edit System Variable’ dialog, go to the end of the Variable value text box and append the following entries, separated by a semicolon (;), then click OK three times.
     • C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso
     • %JAVA_HOME%\bin

Create Single Sign-On Certificate Authority Signed Certificates

Now that you have installed both nodes, we must update the SSL Certificates that are being used from Self-Signed to Certificate Authority Signed ones. This process is performed using the following three steps:

  1. Creation of a certificate signing request (.csr) file (This procedure)
  2. Generation of a signed certificate (.crt) (out of scope for this document)
  3. Installation of the signed certificates and certificate authority chain

VMware has written a tool called SSL Updater which can be obtained from the VMware Download Center; it is located in the Drivers and Tools section of the vSphere and vCloud Suite download pages. The SSL Updater tool can be used to generate the .csr file for vCenter Single Sign-On, but it does not provide the ability to add ‘SubjectAltName’ values. In some scenarios this may be acceptable, as the team providing certificates may ask for this information at request time. If that is not the case, the following procedure can be followed to manually create the .csr with the ‘SubjectAltName’ values added, which is a requirement for the vCenter Single Sign-On HA configuration.

  1. On the first node for vCenter Single Sign-On, create a folder in which you can store the certificates files. These steps use the C:\Certs folder.
  2. In the C:\Certs folder, create an SSO folder to organize your certificate requests and configuration files.
  3. Open a text editor on node1 and create a configuration file in the format shown below. Alter the environment-specific values (the subjectAltName entries, the load balancer IP address and the distinguished name fields) to match your environment, then save the file to the C:\Certs\SSO folder as openssl_sso.cfg:

     [ req ]
     default_bits = 2048
     default_keyfile = rui.key
     distinguished_name = req_distinguished_name
     encrypt_key = no
     prompt = no
     string_mask = nombstr
     req_extensions = v3_req

     [ v3_req ]
     basicConstraints = CA:false
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     extendedKeyUsage = serverAuth, clientAuth
     subjectAltName = DNS:node1, DNS:node1.domain.com, DNS:node2, DNS:node2.domain.com, DNS:loadbalance.domain.com, IP:xxx.xxx.xxx.xxx

     [ req_distinguished_name ]
     countryName = UK
     stateOrProvinceName = London
     localityName = London
     0.organizationName = VMware
     organizationalUnitName = vCenter Single Sign On
     commonName = loadbalance.domain.com

  4. Launch a command prompt and navigate into the OpenSSL bin directory that comes with the VMware SSL Update tool by running the following command:
     cd \Install_Directory\tools\openssl
  5. Run the following command to create the vCenter Single Sign-On certificate request and export the private key:
     openssl req -new -nodes -out C:\Certs\SSO\rui.csr -keyout C:\Certs\SSO\rui.key -config C:\Certs\SSO\openssl_sso.cfg
  6. After running these commands you now have the rui.csr and rui.key files in the C:\Certs\SSO directory. Send the rui.csr to your Certificate Issuing team; they will send you a signed certificate (sso.crt) in return. Save it to C:\Certs\SSO as lb-sso.crt, the name used in the following steps.
  7. To export the CA Root and any intermediate CAs, locate the C:\Certs\SSO\lb-sso.crt file. Right click and select Open.
  8. At the ‘Certificate’ dialog, click the Certificate Path tab.
  9. Select the root certificate object and click View Certificate.
  10. Click the Details tab.
  11. Click Copy to File.
  12. At the ‘Welcome to the Certificate Export Wizard’ dialog, click Next.
  13. At the ‘Export File Format’ dialog, select the Base-64 encoded X.509 (.CER) radio button. Click Next.
  14. At the ‘File to Export’ dialog, enter the path C:\Certs\SSO\root64.cer. Click Next.
  15. At the ‘Completing the Certificate Export Wizard’ dialog, click Finish.
  16. Once the certificate has been exported click OK on the export message, then click OK twice to close the certificate screens.
  17. Open a command prompt and run the following commands to merge the lb-sso.crt and root64.cer files into a .pem file:
     more C:\Certs\SSO\lb-sso.crt >> C:\Certs\SSO\chain.pem
     more C:\Certs\SSO\root64.cer >> C:\Certs\SSO\chain.pem
     NOTE: If you have intermediate CAs then you will need to also export these and add them to the chain.pem file, ensuring that the order is service certificate, intermediate CAs, root CA.

Ensure that both the vCenter Single Sign-On load balancer certificate file (.crt) and the root64.cer are provided to the Load Balancer team for upload into their configuration.
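A missing subjectAltName entry is normally only discovered after the certificate has been issued and the load balancer starts failing TLS checks. The following Python is an added pre-flight check (not part of the wiki page or of the VMware SSL tool) that parses an openssl_sso.cfg and confirms the SAN covers every hostname and FQDN from Table 1, that the IP placeholder has been replaced with a real address, and that the CN is the load balancer FQDN; the sample config and its 192.0.2.10 address are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the layout of the page's openssl_sso.cfg; 192.0.2.10
# stands in for the load balancer's real IP address.
SAMPLE_CFG = """\
[ req ]
default_bits = 2048
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:node1, DNS:node1.domain.com, DNS:node2, DNS:node2.domain.com, DNS:loadbalance.domain.com, IP:192.0.2.10

[ req_distinguished_name ]
0.organizationName = VMware
commonName = loadbalance.domain.com
"""

# Table 1 values: (hostname, FQDN) per SSO node plus the load balancer FQDN.
ENV = {
    "nodes": [("node1", "node1.domain.com"), ("node2", "node2.domain.com")],
    "load_balancer": "loadbalance.domain.com",
}


def parse_cfg(text):
    """Parse OpenSSL-style '[ section ]' / 'key = value' text into nested dicts."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def check_sso_cfg(text, env):
    """Return the problems found; an empty list means the CSR config is usable."""
    cfg = parse_cfg(text)
    san = cfg.get("v3_req", {}).get("subjectAltName", "")
    entries = [e.strip() for e in san.split(",") if e.strip()]
    dns = {e[4:] for e in entries if e.startswith("DNS:")}
    ips = [e[3:] for e in entries if e.startswith("IP:")]
    # Both nodes (short name and FQDN) and the load balancer FQDN must be in the SAN.
    needed = [n for pair in env["nodes"] for n in pair] + [env["load_balancer"]]
    problems = [f"SAN missing DNS:{n}" for n in needed if n not in dns]
    # The IP entry must be a real address, not the xxx.xxx.xxx.xxx placeholder.
    if not ips:
        problems.append("SAN has no IP entry")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"SAN IP entry is not an address: {ip}")
    # The CN must be the load balancer FQDN, since clients address the LB name.
    cn = cfg.get("req_distinguished_name", {}).get("commonName")
    if cn != env["load_balancer"]:
        problems.append(f"commonName is {cn!r}, expected {env['load_balancer']}")
    return problems
```

Run check_sso_cfg on the real file contents before sending rui.csr to the issuing team; each returned string names one entry to fix.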

Update the VMwareSTS Service to Load Balancer Address

We now need to create some property files ready to perform the update to the load balancer address, and then perform the update of the VMwareSTS service.

  1. Open a command prompt and create three empty text files using the following commands (press F6 after each copy con command to write the empty file):
     cd \Certs\SSO\
     copy con C:\Certs\SSO\sts.properties
     copy con C:\Certs\SSO\admin.properties
     copy con C:\Certs\SSO\gc.properties

  2. Copy the root certificate to the VMware STS folder on both nodes using the following command:
     copy C:\Certs\SSO\root64.cer C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\

  3. Edit the sts.properties file in a text editor and enter the details as they appear below. Save the file.

     [service]
     friendlyName=The security token service interface of the SSO server
     version=1.5
     ownerId=
     type=urn:sso:sts
     description=The security token service interface of the SSO server

     [endpoint0]
     uri=https://loadbalance.domain.com:7444/sts/STSService/vsphere.local
     ssl=C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\root64.cer
     protocol=wsTrust

  4. Edit the admin.properties file in a text editor and enter the details as they appear below. Save the file.

     [service]
     friendlyName=The administrative interface of the SSO server
     version=1.5
     ownerId=
     type=urn:sso:admin
     description=The administrative interface of the SSO server

     [endpoint0]
     uri=https://loadbalance.domain.com:7444/sso-adminserver/sdk/vsphere.local
     ssl=C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\root64.cer
     protocol=vmomi

  5. Edit the gc.properties file in a text editor and enter the details as they appear below. Save the file.

     [service]
     friendlyName=The group check interface of the SSO server
     version=1.5
     ownerId=
     type=urn:sso:groupcheck
     description=The group check interface of the SSO server

     [endpoint0]
     uri=https://loadbalance.domain.com:7444/sso-adminserver/sdk/vsphere.local
     ssl=C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\root64.cer
     protocol=vmomi

  6. Using the ‘ssolscli’ command, list the SSO services to obtain their service IDs:
     ssolscli listServices https://node1.domain.com:7444/lookupservice/sdk
     For each service returned the first field will be displayed as:
     serviceId=<SSOSiteName>:<thirty two digit hexadecimal value>
  7. Using the information displayed in step 6, run the following echo commands to capture the service IDs to a file for use in the service update steps (replace sts-serviceId, admin-serviceId and gc-serviceId with the serviceId values shown for the respective services):
     echo sts-serviceId >> C:\Certs\SSO\sts_id
     echo admin-serviceId >> C:\Certs\SSO\admin_id
     echo gc-serviceId >> C:\Certs\SSO\gc_id
     NOTE: Updating the services must be performed in the order stated within this document, which is sts, admin and then groupcheck.
  8. Update the STS service by running the following command:
     ssolscli updateService -d https://node1.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p password -si C:\Certs\SSO\sts_id -ip C:\Certs\SSO\sts.properties
  9. Verify that the STS service has been updated to the load balancer address by running the following command:
     ssolscli listServices https://node1.domain.com:7444/lookupservice/sdk
     NOTE: Wait at least 30 seconds to allow the SSO nodes to sync.
  10. Restart the VMwareSTS service by running the following commands:
     net stop VMwareSTS
     net start VMwareSTS

Updating Certificates on Node 1 vCenter Single Sign-On Server

Now we must update the certificates on the first node before we can reconfigure the remaining services; otherwise we will get a connection error. This procedure is performed using the SSL Update tool provided by VMware.

  1. Open a command prompt and change to the SSL Tool directory (for this example the files were extracted to the C:\SSL-Tool folder):
     cd \SSL-Tool
  2. Launch the SSL Updater tool by running the following command:
     ssl-updater.bat
     You will be presented with the main menu. Press 3, and then Enter.
  3. You are now presented with the ‘Update the Single Sign-On SSL Certificates’ menu. Press 1, and then Enter.
  4. You will now be presented with a series of questions; enter the appropriate responses.
  5. When the process completes you will receive the status message ‘Last operation update Single Sign-On SSL certificates completed successfully’ and will be returned to the ‘Update the Single Sign-On SSL Certificates’ menu. Press 3, and then Enter to return to the main menu.
  6. At the main menu, press 9, and then Enter to exit the SSL Update tool.
  7. Verify that the certificate has been updated correctly and that the vCenter Single Sign-On services are still running by running the following command:
     ssolscli listServices https://node1.domain.com:7444/lookupservice/sdk
     The default three services should be listed with no errors.

Update the Admin & GC Service to Load Balancer Address

We can now complete the update to the Admin and GC Services by performing the following procedures.

  1. Update the Admin service by running the following command:
     ssolscli updateService -d https://node1.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p password -si C:\Certs\SSO\admin_id -ip C:\Certs\SSO\admin.properties
  2. Verify that the Admin service has been updated to the load balancer address by running the following command:
     ssolscli listServices https://node1.domain.com:7444/lookupservice/sdk
     NOTE: Wait at least 30 seconds to allow the SSO nodes to sync.
  3. Update the Groupcheck service by running the following command:
     ssolscli updateService -d https://node1.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p password -si C:\Certs\SSO\gc_id -ip C:\Certs\SSO\gc.properties
  4. Verify that the Groupcheck service has been updated to the load balancer address by running the following command:
     ssolscli listServices https://node1.domain.com:7444/lookupservice/sdk
     NOTE: Wait at least 30 seconds to allow the SSO nodes to sync.
  5. Verify that the load balancer address responds with the correct service information by running the following command:
     ssolscli listServices https://loadbalance.domain.com:7444/lookupservice/sdk
  6. Verify that the second node address responds with the correct service information by running the following command:
     ssolscli listServices https://node2.domain.com:7444/lookupservice/sdk
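The service ID capture in the VMwareSTS section and the repeated listServices verifications above are easy to get wrong by hand (a service ID pasted into the wrong *_id file, or an endpoint left on node1). The following Python is an added helper, not part of the wiki page or of the ssolscli tool, that parses listServices output, recovers the three service IDs in the mandatory update order (sts, admin, groupcheck) and reports which services still reference a host other than the load balancer. The key=value layout of the sample listing is an assumption; only the serviceId, type and uri fields named in this procedure are relied on, and the listing itself is constructed.

```python
import re

# Constructed sample of 'ssolscli listServices' output. The real tool prints
# more fields; the layout assumed here carries only the fields the procedure
# relies on (serviceId, type and the endpoint uri). In this sample the STS
# service already points at the load balancer while admin and groupcheck
# still reference node1.
SAMPLE_OUTPUT = """\
Found 3 services.

serviceId=SiteA:0123456789abcdef0123456789abcdef
type=urn:sso:sts
endpoint0 uri=https://loadbalance.domain.com:7444/sts/STSService/vsphere.local protocol=wsTrust

serviceId=SiteA:fedcba9876543210fedcba9876543210
type=urn:sso:admin
endpoint0 uri=https://node1.domain.com:7444/sso-adminserver/sdk/vsphere.local protocol=vmomi

serviceId=SiteA:00112233445566778899aabbccddeeff
type=urn:sso:groupcheck
endpoint0 uri=https://node1.domain.com:7444/sso-adminserver/sdk/vsphere.local protocol=vmomi
"""

# Service type -> the *_id file the procedure feeds to updateService, listed
# in the mandatory update order: sts, then admin, then groupcheck.
ID_FILES = [("urn:sso:sts", "sts_id"), ("urn:sso:admin", "admin_id"),
            ("urn:sso:groupcheck", "gc_id")]

SERVICE_ID_RE = re.compile(r"serviceId=(\S+:[0-9a-fA-F]{32})")
TYPE_RE = re.compile(r"type=(urn:sso:\w+)")
URL_HOST_RE = re.compile(r"https://([^/:\s]+)")


def parse_services(text):
    """Split the listing into per-service records: serviceId, type and endpoint hosts."""
    services = []
    for block in re.split(r"\n\s*\n", text):
        sid, stype = SERVICE_ID_RE.search(block), TYPE_RE.search(block)
        if not (sid and stype):
            continue  # banner text such as 'Found 3 services.'
        services.append({
            "serviceId": sid.group(1),
            "type": stype.group(1),
            "hosts": sorted({h.lower() for h in URL_HOST_RE.findall(block)}),
        })
    return services


def service_id_files(text):
    """Return {id_file_name: serviceId} in update order, mirroring the echo commands."""
    by_type = {s["type"]: s["serviceId"] for s in parse_services(text)}
    missing = [t for t, _ in ID_FILES if t not in by_type]
    if missing:
        raise ValueError(f"services not found in listing: {missing}")
    return {fname: by_type[t] for t, fname in ID_FILES}


def services_not_on_load_balancer(text, lb_fqdn):
    """Return the service types whose endpoints reference any host other than the LB."""
    return [s["type"] for s in parse_services(text)
            if s["hosts"] != [lb_fqdn.lower()]]
```

Write each value from service_id_files into the matching C:\Certs\SSO file instead of echoing by hand, and re-run services_not_on_load_balancer against the node1, load balancer and node2 listings until it returns an empty list.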

Updating Certificates on Node 2 vCenter Single Sign-On Server

Finally we can now update the certificates on the second node by following the procedures below.

  1. Copy the C:\Certs\SSO folder from node1 to node2.
  2. Open a command prompt and change to the SSL Tool directory (for this example the files were extracted to the C:\SSL-Tool folder):
     cd \SSL-Tool
  3. Launch the SSL Updater tool by running the following command:
     ssl-updater.bat
     You will be presented with the main menu. Press 3, and then Enter.
  4. You are now presented with the ‘Update the Single Sign-On SSL Certificates’ menu. Press 1, and then Enter.
  5. You will now be presented with a series of questions; enter the responses appropriate to your environment. NOTE: Remember that this is not a primary node.
  6. When the process completes you will receive the status message ‘Last operation update Single Sign-On SSL certificates completed successfully’ and will be returned to the ‘Update the Single Sign-On SSL Certificates’ menu. Press 3, and then Enter to return to the main menu.
  7. At the main menu, press 9, and then Enter to exit the SSL Update tool.
  8. Verify that the certificate has been updated correctly and that the Single Sign-On services are still running by running the following command:
     ssolscli listServices https://node2.domain.com:7444/lookupservice/sdk
     NOTE: The services listed should at this point all reference the URL of the first node in the HA configuration.