VMware vCenter Server 5.5
Deploying a Centralized VMware vCenter Single Sign-On Server with a Network Load Balancer
Technical Reference

TECHNICAL MARKETING DOCUMENTATION
V 1.0 / FEBRUARY 2014 / JUSTIN KING, MIKE BROWN
TECHNICAL WHITE PAPER
Table of Contents

Overview
  When to Centralize vCenter Single Sign-On Server
  Centralized vCenter Single Sign-On Architecture
Centralized Single Sign-On High-Availability Options
  VMware vSphere Data Protection
  VMware vSphere High Availability
  VMware vCenter Server Heartbeat
  Network Load Balancer
Deploying vCenter Single Sign-On Server with a Network Load Balancer
  Preinstallation Checklist
  Deploying vCenter Single Sign-On Server
    1. First vCenter Single Sign-On Installation
    2. Additional vCenter Single Sign-On Installations
  vCenter Single Sign-On Certificates
    Optional: Creating the Microsoft Certificate Authority Template
    Generate the Certificate Request
  Configuring CA-Signed SSL Certificates
  Configuring the Network Load Balancer
    VMware vCloud Networking and Security
    F5 BIG-IP
    Citrix NetScaler
Postdeployment of a Centralized vCenter Single Sign-On Environment
  Installing vCenter Server Components
  Updating a Previously Installed vCenter Single Sign-On Configuration
Conclusion
Overview

With the release of VMware vSphere 5.5 and VMware vCenter Server 5.5, multiple components deliver the vCenter Server management solution. One component, VMware vCenter Single Sign-On server, offers an optional deployment configuration that enables the centralization of vCenter Single Sign-On services for multiple local solutions such as vCenter Server. If not architected correctly, centralization can increase risk, because every vCenter Server in the location then depends on a single authentication service, so a highly available deployment of the centralized vCenter Single Sign-On server is strongly recommended.

This paper highlights the high-availability options for a centralized vCenter Single Sign-On environment and provides a reference guide for deploying one of the more common centralized vCenter Single Sign-On configurations with an external network load balancer (NLB).

When to Centralize vCenter Single Sign-On Server

VMware highly recommends deploying all vCenter Server components into a single virtual machine, excluding the vCenter Server database. However, large enterprise customers running many vCenter Server instances within a single physical location can simplify vCenter Single Sign-On architecture and management, and reduce the footprint and required resources, by specifying a dedicated vCenter Single Sign-On environment for all resources in each physical location.

For vSphere 5.5, as a general guideline, VMware recommends centralization of vCenter Single Sign-On server when eight or more vCenter Server instances are present in a given location.
Centralized vCenter Single Sign-On Architecture

[Figure 1: diagram. A data center with eight or more instances of vCenter Server in the same physical location, all authenticating against one centralized vCenter Single Sign-On Server 5.5. The diagram shows vCenter Server 1 (vCenter Server 5.1), vCenter Server 2 and vCenter Server 3 (vCenter Server 5.5), each with its own Inventory Service and vSphere Web Client, a database server hosting VCDB1, VCDB2 and VCDB3, and the centralized vCenter Single Sign-On server. The centralized server is backward compatible to vCenter Server 5.1 for staging of upgrades.]

Figure 1. A Centralized vCenter Single Sign-On Server Environment
Centralized Single Sign-On High-Availability Options

The absence of vCenter Single Sign-On server greatly impacts the management, accessibility and operations within a vSphere environment: while it is down, no user can authenticate to any vCenter Server that depends on it. The type of availability required is based on the user's recovery time objective (RTO), and VMware solutions can offer various levels of protection.

VMware vSphere Data Protection

VMware vSphere Data Protection provides a disk-level backup-and-restore capability utilizing storage-based snapshots. With the release of vSphere Data Protection 5.5, VMware now provides the option of host-level restore. Users can back up vCenter Single Sign-On server virtual machines using vSphere Data Protection and can restore later as necessary to a specified vSphere host. This is a recovery option rather than continuous availability: the RTO is the time needed to restore the virtual machine, and any replication changes since the backup are lost.

VMware vSphere High Availability

When deploying a centralized vCenter Single Sign-On server to a vSphere virtual machine environment, users can also deploy VMware vSphere High Availability (vSphere HA) to enable recovery of the vCenter Single Sign-On server virtual machines. vSphere HA monitors virtual machines via heartbeats from the VMware Tools package, and it can initiate a reboot of the virtual machine when the heartbeat no longer is being received or when the vSphere host has failed. Because the heartbeat comes from VMware Tools rather than from the vCenter Single Sign-On services, vSphere HA does not detect a failed service inside a virtual machine that is otherwise running.

VMware vCenter Server Heartbeat

VMware vCenter Server Heartbeat provides a richer availability model for the monitoring and redundancy of vCenter Server and its components. It places a centralized vCenter Single Sign-On server into an active-passive architecture, monitors the application, and provides an up-to-date passive node for recovery during a vSphere host, virtual machine or application failure.

Network Load Balancer

A VMware or third-party NLB can be configured to allow SSL pass-through communications to a number of local vCenter Single Sign-On server instances and provide a distributed and redundant vCenter Single Sign-On solution. Because the SSL session is passed through to whichever instance the NLB selects, every instance behind the NLB must present the same certificate, issued for the NLB name; the certificate procedure later in this paper installs one certificate and key on all nodes for that reason. Although VMware provides NLB capability in some of its optional products, such as VMware vCloud Networking and Security, there also are third-party solutions available in the marketplace. VMware does not provide support for third-party NLB solutions.
Deploying vCenter Single Sign-On Server with a Network Load Balancer

Preinstallation Checklist

The guidance provided within this document will reference the following details:

    Role             Host Name   FQDN                IP Address
    Load Balancer    SSO         sso.vmware.local    192.168.110.40
    SSO Server 01    SSO1        sso1.vmware.local   192.168.110.41
    SSO Server 02    SSO2        sso2.vmware.local   192.168.110.42

Table 1. Centralized vCenter Single Sign-On Requirements
Example Architecture

[Figure 2: diagram. The Network Load Balancer at SSO.vmware.local / 192.168.110.40 fronts two vCenter Single Sign-On servers, SSO1 (192.168.110.41) and SSO2 (192.168.110.42), both in the vmware.local DNS domain and both members of the vsphere.local security domain. Behind them sit vCenter Server 1 (vCenter Server 5.1), vCenter Server 2 and vCenter Server 3 (vCenter Server 5.5), each with its own Inventory Service and vSphere Web Client, and a database server hosting VCDB1, VCDB2 and VCDB3.]

Figure 2. Example of a vCenter Single Sign-On Server with a Network Load Balancer

The following steps must be completed before installing the vCenter Single Sign-On server and configuring it for use with an NLB:
1. Download the vCenter Server distribution.
   The vCenter Server binaries located on the vCenter Server ISO are required to install vCenter Single Sign-On server.
   NOTE: vCenter Server 5.5.0b Build 1476387 is the latest version available at the time of writing and is used throughout this document.

2. Deploy virtual machines.
   With a configuration similar to that in Figure 2, deploy at least two appropriately sized virtual machines running Microsoft Windows 2008 SP2 or higher.
   Table 2. Minimum Hardware Requirements for vCenter Single Sign-On Server
   NOTE: As of February 2014, Windows 2012 R2 is not a supported operating system (OS) for vCenter Single Sign-On server.

3. Install the Microsoft Visual C++ 2008 Redistributable Package.
   We will use OpenSSL to request the vCenter Single Sign-On certificates. The OpenSSL tool has a dependency on the Microsoft Visual C++ 2008 Redistributable Package (32-bit), which can be downloaded and installed from the following: http://www.microsoft.com/en-us/download/details.aspx?id=29
   This must be installed on each deployed vCenter Single Sign-On server.
   NOTE: There are newer versions of this file that might already be installed and might cause errors with the (step 4) download and install of WIN32 OpenSSL; the version provided is fully tested with WIN32 OpenSSL.

4. Download and install WIN32 OpenSSL.
   The specific version of OpenSSL that should be used for vCenter Single Sign-On server certificates (version 0.9.8) can be downloaded and installed from the following: http://slproweb.com/products/Win32OpenSSL.html
   NOTE: For the purposes of this document, WIN32OpenSSL-0_9_8y.exe is a specific requirement and not necessarily the latest version available. It is pinned for compatibility with this procedure, not because it is current; it is used only offline to generate the key, the request and the PKCS#12 archive, and it serves no network traffic.

5. Create certificate folder structure.
   On the first vCenter Single Sign-On server virtual machine, create the following folder structure: c:\certs\sso
6. Create a vCenter Single Sign-On configuration file.
   Create a text file and build the file based on the following template, saving the file to c:\certs\sso\sso.cfg. This file will provide all host names and FQDNs used in the example configuration as well as the IP address for the NLB.
   See VMware Knowledge Base article 2061934, Creating certificate requests and certificates for vCenter Server 5.5 components.

   Filename: c:\certs\sso\sso.cfg

   [ req ]
   default_bits = 2048
   default_keyfile = rui.key
   distinguished_name = req_distinguished_name
   encrypt_key = no
   prompt = no
   string_mask = nombstr
   req_extensions = v3_req

   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = digitalSignature, keyEncipherment, dataEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = DNS:sso1, DNS:sso1.vmware.local, DNS:sso2, DNS:sso2.vmware.local, DNS:sso.vmware.local, IP:192.168.110.40

   [ req_distinguished_name ]
   countryName = Country
   stateOrProvinceName = State
   localityName = City
   0.organizationName = Company Name
   organizationalUnitName = vCenterSSO
   commonName = sso.vmware.local

   NOTE: The subjectAltName entries, the commonName and the values under [ req_distinguished_name ] are specific to the environment as discussed in the preinstallation checklist and should be edited to reflect the environment you are installing into. subjectAltName must be written on a single line in the file; it must list the short name and FQDN of every vCenter Single Sign-On server plus the NLB FQDN and VIP, and commonName must be the NLB FQDN, because clients connect to the NLB name and validate the certificate against it.
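Because a certificate request that is missing a node name or the VIP is only discovered after the CA has signed it and the nodes have been updated, it is worth checking sso.cfg against Table 1 before it is submitted. The following check is an added example written for this page, not VMware code: it parses the [ req ], [ v3_req ] and [ req_distinguished_name ] sections with the Python standard library and reports anything the load-balanced deployment depends on that is missing. The function and file names are ours, the embedded configuration is a constructed copy of the template above, and the check assumes subjectAltName is written on one line as it must be in the real file.

```python
"""Sanity-check an OpenSSL request config (sso.cfg) for a load-balanced vCenter SSO deployment.

Added example for this page (not VMware's code). It checks that every node name, the NLB FQDN
and the VIP appear in subjectAltName, that the CN is the NLB FQDN, and that the key usages the
CA template needs (data encipherment, client authentication) are requested.
"""
import configparser
import ipaddress

# Constructed copy of the sso.cfg template from the page, subjectAltName on one line.
SSO_CFG = """\
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:sso1, DNS:sso1.vmware.local, DNS:sso2, DNS:sso2.vmware.local, DNS:sso.vmware.local, IP:192.168.110.40

[ req_distinguished_name ]
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company Name
organizationalUnitName = vCenterSSO
commonName = sso.vmware.local
"""

REQUIRED_KEY_USAGE = {"digitalSignature", "keyEncipherment", "dataEncipherment"}
REQUIRED_EKU = {"serverAuth", "clientAuth"}


def parse_openssl_cfg(text):
    """Return {section: {key: value}} for an OpenSSL-style INI file (section names trimmed)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # OpenSSL keys are case-sensitive (subjectAltName, not subjectaltname)
    cp.read_string(text)
    return {s.strip(): {k.strip(): v.strip() for k, v in cp[s].items()} for s in cp.sections()}


def _split_list(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def parse_san(value):
    """Split 'DNS:a, IP:1.2.3.4' into ({dns names}, {ip addresses}); malformed IPs raise."""
    dns, ips = set(), set()
    for item in _split_list(value):
        kind, _, name = item.partition(":")
        if kind.upper() == "DNS":
            dns.add(name.lower())
        elif kind.upper() == "IP":
            ips.add(str(ipaddress.ip_address(name)))
    return dns, ips


def check_sso_cfg(text, nlb_fqdn, nlb_ip, node_fqdns):
    """Return a list of problems; an empty list means the config covers the NLB deployment."""
    problems = []
    cfg = parse_openssl_cfg(text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", "v3_req"), {})
    dn = cfg.get(req.get("distinguished_name", "req_distinguished_name"), {})

    if int(req.get("default_bits", "0")) < 2048:
        problems.append("default_bits must be at least 2048")
    if req.get("encrypt_key", "yes").lower() != "no":
        problems.append("encrypt_key must be 'no': the STS loads ssoserver.key without a passphrase")
    if ext.get("basicConstraints", "").replace(" ", "").upper() != "CA:FALSE":
        problems.append("basicConstraints must be CA:FALSE")
    missing_ku = REQUIRED_KEY_USAGE - _split_list(ext.get("keyUsage", ""))
    if missing_ku:
        problems.append("keyUsage missing " + ", ".join(sorted(missing_ku)))
    missing_eku = REQUIRED_EKU - _split_list(ext.get("extendedKeyUsage", ""))
    if missing_eku:
        problems.append("extendedKeyUsage missing " + ", ".join(sorted(missing_eku)))

    # Every node (short name and FQDN, as in the template) plus the NLB name and VIP.
    dns, ips = parse_san(ext.get("subjectAltName", ""))
    wanted = {nlb_fqdn.lower()}
    for fqdn in node_fqdns:
        wanted.add(fqdn.lower())
        wanted.add(fqdn.split(".")[0].lower())
    for name in sorted(wanted - dns):
        problems.append("subjectAltName missing DNS:" + name)
    if str(ipaddress.ip_address(nlb_ip)) not in ips:
        problems.append("subjectAltName missing IP:" + nlb_ip)
    if dn.get("commonName", "").lower() != nlb_fqdn.lower():
        problems.append("commonName must be the NLB FQDN " + nlb_fqdn)
    return problems


if __name__ == "__main__":
    result = check_sso_cfg(SSO_CFG, "sso.vmware.local", "192.168.110.40",
                           ["sso1.vmware.local", "sso2.vmware.local"])
    print("OK" if not result else "\n".join(result))
```

Run it with the real c:\certs\sso\sso.cfg read into the text argument and the values from Table 1; when a third node is added later, passing its FQDN in the node list shows immediately that a new request (and therefore a new certificate on every node) is required.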
Deploying vCenter Single Sign-On Server

In this example, we will deploy a vCenter Single Sign-On server instance, deploy a second vCenter Single Sign-On server instance, and configure a load balancer to provide an active-active entry point for all vCenter Single Sign-On service requests in a single physical location.

1. First vCenter Single Sign-On Installation

The following steps will deploy the first vCenter Single Sign-On server:

a. Connect the vCenter Server ISO image to the sso1.vmware.local virtual machine.
b. Log in to sso1.vmware.local.
c. On the DVD menu, choose the vCenter Single Sign-On option listed under Custom Install.
d. Click Install.
e. After the Welcome to the vCenter Single Sign-On Setup Wizard screen is shown, click Next.
f. Select I agree to the terms in the License Agreement and click Next.
g. Review the vCenter Single Sign-On Prerequisites and click Next.
h. On the vCenter Single Sign-On Information screen, select the first option, vCenter Single Sign-On for your first vCenter Server, because this is the first vCenter Server to be deployed. Click Next.
i. Provide and confirm a Password for the built-in administrator@vsphere.local account. Click Next.
   Refer to VMware Knowledge Base article 2060746, Installing vCenter Single Sign-On 5.5 fails if the password for administrator@vsphere.local contains certain special characters. This account is the administrator of the whole vsphere.local security domain and the same password is entered on every additional node in step 2, so choose a long password and store it in a password vault.
j. On the vCenter Single Sign-On Configure Site screen, provide a Site name. This can be based on location or organization, for example, Palo Alto. Click Next.
k. On the vCenter Single Sign-On Port Settings screen, click Next.
l. On the Change destination folder screen, click Next.
m. Confirm the vCenter Single Sign-On Information/Review install options screen. Click Install.
n. On the Completed the vCenter Single Sign-On Setup Wizard screen, click Finish.

2. Additional vCenter Single Sign-On Installations

The following steps will deploy additional vCenter Single Sign-On servers and partner them with the first server, deployed in step 1.

a) Connect the vCenter Server ISO image to the sso2.vmware.local virtual machine.
b) Log in to sso2.vmware.local.
c) On the DVD menu, choose the vCenter Single Sign-On option listed under Custom Install.
d) Click Install.
e) After the Welcome to the vCenter Single Sign-On Setup Wizard screen appears, click Next.
f) Select I agree to the terms in the License Agreement and click Next.
g) Review the vCenter Single Sign-On Prerequisites and click Next.
h) On the vCenter Single Sign-On Information screen, select the second option, vCenter Single Sign-On for an additional vCenter Server in an existing site, to pair with an existing local instance. Click Next.
i) Provide the Partner host name as sso1.vmware.local, to pair with the previously deployed vCenter Single Sign-On instance to replicate from. Provide the Password for the built-in administrator@vsphere.local account used with sso1.vmware.local. Click Next.
   NOTE: All internal vCenter Single Sign-On communications will be direct and will not use the NLB.
j) On the Partner certificate screen, the installer shows the certificate presented by sso1.vmware.local. Compare its thumbprint with the certificate installed on sso1 before trusting it, then click Continue to accept the host certificate.
k) On the vCenter Single Sign-On Join Site screen, choose the Site name used with the first vCenter Single Sign-On instance, for example, Palo Alto. Click Next.
l) On the vCenter Single Sign-On Port Settings screen, click Next.
m) On the Change destination folder screen, click Next.
n) On the vCenter Single Sign-On Information/Review install options screen, click Install.
o) On the Completed the vCenter Single Sign-On Setup Wizard screen, click Finish.

Repeat step 2 for any additional vCenter Single Sign-On servers.

You now should have successfully deployed two or more separate vCenter Single Sign-On servers that are part of the same vsphere.local security domain.
vCenter Single Sign-On Certificates

When using an NLB, secure SSL communication with vCenter Single Sign-On server requires an update to the certificates to reflect the NLB entry point. All vCenter Single Sign-On servers that participate in the load-balanced configuration require certificate updates, and because the NLB passes SSL through, each of them must present the same certificate and key. In our example, we will use a Microsoft certificate authority (CA) as our trusted root authority and will generate certificate requests with OpenSSL. The process is similar for other CAs.

Optional: Creating the Microsoft Certificate Authority Template

The Microsoft CA template that we will use to create updated signed certificates must have data encipherment and client authentication enabled. See VMware Knowledge Base article 2062108, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x.

Generate the Certificate Request

You must run the following commands from a command line to prepare and generate the certificate request:

a) Open a command prompt and type the following:
   CD \OpenSSL\bin
b) Run the following to create a certificate request and export the private key:
   openssl req -new -nodes -out c:\certs\sso\rui.csr -keyout c:\certs\sso\rui-orig.key -config c:\certs\sso\sso.cfg
c) Run the following to convert the key into the proper RSA format:
   openssl rsa -in c:\certs\sso\rui-orig.key -out c:\certs\sso\rui.key
   Both key files are unencrypted (-nodes and encrypt_key = no); restrict C:\certs\sso to administrators, because this key will be installed on every vCenter Single Sign-On server.
d) Download your CA's root certificate with Base64 encoding. In our example, the file generated is named certnew.cer and is saved in C:\certs renamed as follows: Root64.cer
e) With a text editor, open the certificate request C:\certs\sso\rui.csr (the request, not the private key) and copy the entire contents into the CA certificate request field. Select the template with data encipherment enabled (optional step previously mentioned) and download the certificate as Base64 encoded. In our example, the file generated is named certnew.cer and is renamed as rui.crt and then placed into the following: C:\certs\sso
f) Run the following to create an archive file (ssoserver.p12) of all certificates and keys:
   openssl pkcs12 -export -in c:\certs\sso\rui.crt -inkey c:\certs\sso\rui.key -certfile c:\certs\Root64.cer -name ssoserver -passout pass:changeme -out c:\certs\sso\ssoserver.p12
   The password changeme is not a placeholder: the VMware Security Token Service opens ssoserver.p12 with that password, so keep it unchanged.
g) Change to the VMware directory by typing the following:
   CD C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\bin\
h) Run the following to create the Java KeyStore:
   keytool -v -importkeystore -srckeystore C:\certs\sso\ssoserver.p12 -srcstoretype pkcs12 -srcstorepass changeme -srcalias ssoserver -destkeystore C:\certs\sso\root-trust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword
   If asked whether the existing entry alias ssoserver exists, overwrite?, type: yes
i) Run the following to add the root certificate to the Java KeyStore:
   keytool -v -importcert -keystore C:\certs\sso\root-trust.jks -deststoretype JKS -storepass testpassword -keypass testpassword -file C:\certs\Root64.cer -alias root-ca
   When asked whether to trust this certificate, type: yes
j) Run the following to copy the Java KeyStore to the required Java KeyStore name:
   Copy C:\certs\sso\root-trust.jks C:\certs\sso\server-identity.jks
Configuring CA-Signed SSL Certificates

Log in to sso1.vmware.local and open an elevated command prompt.

a) Run the following to set the correct environment variables:
   SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
   SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin
b) Change to the OpenSSL directory; type and run the following:
   CD \OpenSSL\bin
c) Register the new root certificate in the VMware trust store; type and run the following:
   openssl x509 -noout -subject_hash -in C:\certs\Root64.cer
   This will print an eight-digit hexadecimal value that will be used in step e).
d) Run the following to create an SSL directory:
   mkdir c:\ProgramData\VMware\SSL
e) Run the following to copy the Root64.cer certificate to the SSL folder, naming it after the hash from step c):
   Copy C:\certs\Root64.cer C:\ProgramData\VMware\SSL\<eight digit hexadecimal value>.0
f) Run the following to append the Root64.cer file to ca_certificates.crt in the SSL folder (the file is created if it does not already exist):
   more C:\certs\Root64.cer >> C:\ProgramData\VMware\SSL\ca_certificates.crt
g) To change the vCenter Single Sign-On server configuration to reflect the NLB, with a text editor, create three text files within the C:\certs directory and name them as shown. These files are used to update the individual vCenter Single Sign-On services with the NLB VIP.
Filename:C:\certs\admin.properties
[service]
friendlyName=The administrative interface of the SSO server
version=1.5
ownerId=
productId=product:sso
type=urn:sso:admin
description=The administrative interface of the SSO server
[endpoint0]
uri=https://sso.vmware.local:7444/sso-adminserver/sdk/vsphere.local
ssl=c:\certs\Root64.cer
protocol=vmomi
Filename:C:\certs\gc.properties
[service]
friendlyName=The group check interface of the SSO server
version=1.5
ownerId=
productId=product:sso
type=urn:sso:groupcheck
description=The group check interface of the SSO server
[endpoint0]
uri=https://sso.vmware.local:7444/sso-adminserver/sdk/vsphere.local
ssl=c:\certs\Root64.cer
protocol=vmomi
Filename:C:\certs\sts.properties
[service]
friendlyName=STS for Single Sign On
version=1.5
ownerId=
productId=product:sso
type=urn:sso:sts
description=The Security Token Service of the Single Sign On server.
[endpoint0]
uri=https://sso.vmware.local:7444/ims/STSService/vsphere.local
ssl=c:\certs\Root64.cer
protocol=wsTrust
h) Run the following to list the vCenter Single Sign-On services:
   ssolscli listServices https://sso1.vmware.local:7444/lookupservice/sdk
   The return should be three services:

   [Figure 3: screenshot of the listServices output, not reproduced.]
   Figure 3. Example of the vCenter Single Sign-On Server CLI List Services Command

i) For each service returned, the first field will display as the following:
   serviceId=<SSOSiteName>:<thirty two digit hexadecimal value>
   Each service's site name and 32-digit hexadecimal value must be saved to a text file. Use the service type (line 3 of each service) to pick the file, with the following syntax for each corresponding service type:
   ECHO Palo Alto:<thirty two digit hexadecimal value> >> C:\certs\gc_id        (type urn:sso:groupcheck)
   ECHO Palo Alto:<thirty two digit hexadecimal value> >> C:\certs\sts_id       (type urn:sso:sts)
   ECHO Palo Alto:<thirty two digit hexadecimal value> >> C:\certs\admin_id     (type urn:sso:admin)
   Check each file before continuing: a mistyped hexadecimal value makes the later updateService command fail, and pairing an id file with the wrong properties file registers the wrong endpoint URL for that service.

   [Figure 4: screenshot of the three ECHO commands, not reproduced.]
   Figure 4. Example of Exporting Service Information to a Text File

j) Open a Windows Explorer window and navigate to the following:
   C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf
k) Create a backup directory and make a backup of the following files by copying them into the backup folder:
   ssoserver.crt
   ssoserver.key
   ssoserver.p12
l) In the command prompt window, copy the three certificate files to the correct destination by typing the following:
   copy C:\certs\sso\ssoserver.p12 c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
   copy C:\certs\Root64.cer c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
   copy C:\certs\sso\rui.key c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key
   Select YES to overwrite the existing file.
m) Before we can update the vCenter Single Sign-On service information, we must add sso.vmware.local to the local hosts file: the new endpoint URLs name the NLB, and prior to configuration of the load balancer that name does not resolve, so the update would fail. Type the following:
   notepad C:\Windows\System32\Drivers\etc\hosts
   Then add the following:
   192.168.110.41 sso.vmware.local
n) Run the following to update the three vCenter Single Sign-On services with the service files created with the NLB configuration. Type the following:
   ssolscli updateService -d https://sso1.vmware.local:7444/lookupservice/sdk -u administrator@vsphere.local -p <password> -si C:\certs\gc_id -ip C:\certs\gc.properties
   ssolscli updateService -d https://sso1.vmware.local:7444/lookupservice/sdk -u administrator@vsphere.local -p <password> -si C:\certs\admin_id -ip C:\certs\admin.properties
   ssolscli updateService -d https://sso1.vmware.local:7444/lookupservice/sdk -u administrator@vsphere.local -p <password> -si C:\certs\sts_id -ip C:\certs\sts.properties
   The administrator@vsphere.local password is passed on the command line, so it is visible in the console session and in process listings on the server while each command runs.
   NOTE: If you receive a "Server certificate assertion not verified and thumbprint not matched" error, follow step o) to restart the VMware Security Token Service and repeat the command.
o) You must restart the VMware Security Token Service for the previous step to take effect. Type the following:
   net stop VMwareSTS
   net start VMwareSTS
p) Confirm that the updates have been applied by listing the vCenter Single Sign-On services. Type the following:
   ssolscli listServices https://sso1.vmware.local:7444/lookupservice/sdk
   The endpoints entry (line 4) should now show the load balancer URL sso.vmware.local for each service.
q) Remove the temporary host entry applied to the local hosts file by deleting the sso.vmware.local entry added in step m). If it is left in place, this server resolves the NLB name to itself and bypasses the load balancer.
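Steps i) and p) above are the two places where the procedure depends on reading values out of the listServices output by eye: three 32-digit identifiers are copied into files, and after the update each endpoint URL is checked for the NLB name. The script below is an added example written for this page (it is not a VMware tool and ssolscli has no such option) that does both from the captured output. It assumes the layout the page describes, serviceId as the first field of each service, type on line 3 and endpoints on line 4; the sample output embedded in it is constructed from that description, so the labels may need adjusting against real output, and the function names and the ID_FILES mapping are ours.

```python
"""Pull SSO serviceIds out of 'ssolscli listServices' output and verify the endpoints.

Added example for this page, not a VMware tool. Service blocks are expected to start with a
'Service N' line and carry 'serviceId=<Site>:<32 hex>', 'type=urn:sso:...' and
'endpoints={[url=...,protocol=...]}' lines, as the page describes.
"""
import os
import re

# Service type -> id file name used by the updateService commands in the paper.
ID_FILES = {
    "urn:sso:groupcheck": "gc_id",
    "urn:sso:sts": "sts_id",
    "urn:sso:admin": "admin_id",
}

# Constructed sample of listServices output in which the admin service has not yet been
# updated to the NLB name (the kind of mistake the check below is meant to catch).
SAMPLE_OUTPUT = """\
Intializing registration provider...
Getting SSL certificates for https://sso1.vmware.local:7444/lookupservice/sdk
Anonymous execution
Found 3 services.

Service 1
-----------
serviceId=Palo Alto:0123456789abcdef0123456789abcdef
serviceName=The group check interface of the SSO server
type=urn:sso:groupcheck
endpoints={[url=https://sso.vmware.local:7444/sso-adminserver/sdk/vsphere.local,protocol=vmomi]}
version=1.5

Service 2
-----------
serviceId=Palo Alto:fedcba9876543210fedcba9876543210
serviceName=STS for Single Sign On
type=urn:sso:sts
endpoints={[url=https://sso.vmware.local:7444/ims/STSService/vsphere.local,protocol=wsTrust]}
version=1.5

Service 3
-----------
serviceId=Palo Alto:00112233445566778899aabbccddeeff
serviceName=The administrative interface of the SSO server
type=urn:sso:admin
endpoints={[url=https://sso1.vmware.local:7444/sso-adminserver/sdk/vsphere.local,protocol=vmomi]}
version=1.5
"""

SERVICE_ID_RE = re.compile(r"^serviceId=(?P<site>.+?):(?P<id>[0-9a-fA-F]{32})\s*$", re.M)
TYPE_RE = re.compile(r"^type=(\S+)", re.M)
URL_RE = re.compile(r"url=(https?://[^\s,\]]+)")


def parse_services(text):
    """Return one dict per service block: site, id (lower-case hex), type and endpoint urls."""
    services = []
    for block in re.split(r"(?m)^Service \d+\s*$", text)[1:]:   # [0] is the banner
        sid, typ = SERVICE_ID_RE.search(block), TYPE_RE.search(block)
        if not sid or not typ:
            raise ValueError("unrecognised service block:\n" + block)
        services.append({"site": sid.group("site"), "id": sid.group("id").lower(),
                         "type": typ.group(1), "urls": URL_RE.findall(block)})
    return services


def service_id_files(text):
    """Map id file name -> 'Site:<32 hex>', the content the ECHO commands in step i) write."""
    files = {}
    for svc in parse_services(text):
        name = ID_FILES.get(svc["type"])
        if name is None:
            continue                                  # other registered solutions are left alone
        if name in files:
            raise ValueError("more than one %s service registered" % svc["type"])
        files[name] = "%s:%s" % (svc["site"], svc["id"])
    missing = set(ID_FILES.values()) - set(files)
    if missing:
        raise ValueError("service(s) not found: " + ", ".join(sorted(missing)))
    return files


def endpoints_not_on_nlb(text, nlb_fqdn):
    """Return (type, url) pairs whose host is not the NLB name; empty means step p) passed."""
    wrong = []
    for svc in parse_services(text):
        if svc["type"] not in ID_FILES:
            continue
        for url in svc["urls"]:
            host = re.match(r"https?://([^/:]+)", url).group(1).lower()
            if host != nlb_fqdn.lower():
                wrong.append((svc["type"], url))
    return wrong


def write_id_files(text, directory):
    """Write gc_id, sts_id and admin_id (C:\\certs in the paper) from captured output."""
    for name, value in service_id_files(text).items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(value + "\n")


if __name__ == "__main__":
    for name, value in service_id_files(SAMPLE_OUTPUT).items():
        print(name, value)
    for svc_type, url in endpoints_not_on_nlb(SAMPLE_OUTPUT, "sso.vmware.local"):
        print("still pointing at a node:", svc_type, url)
```

Capture the real output with `ssolscli listServices https://sso1.vmware.local:7444/lookupservice/sdk > C:\certs\services.txt`, pass the file contents to write_id_files before step n), and pass the post-restart output to endpoints_not_on_nlb for step p); a non-empty result names the service whose updateService call has to be repeated.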
Log in to sso2.vmware.local and open an elevated command prompt.

a) Open a Windows Explorer window. Navigate to \\sso1.vmware.local\c$ and copy the certs directory to C:\ on sso2.vmware.local. Then navigate to \\sso1.vmware.local\c$\ProgramData\VMware and copy the SSL directory to C:\ProgramData\VMware on sso2.vmware.local.
   The certs directory holds the unencrypted private key (rui.key) and the ssoserver.p12 archive. Restrict both copies to administrators, and once the deployment is verified remove C:\certs from the servers, keeping a protected copy elsewhere for adding nodes later.
b) Run the following to set the correct environment variables:
   SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
   SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin
c) Before we can update the vCenter Single Sign-On service information, we must add sso.vmware.local to the local hosts file on sso2.vmware.local, because prior to configuration of the load balancer the NLB name does not resolve and the update would fail. Type
   notepad C:\Windows\System32\Drivers\etc\hosts
   and add
   192.168.110.42 sso.vmware.local
d) In the command prompt window, copy the three updated files to the correct destination. Type the following:
   copy C:\certs\sso\ssoserver.p12 c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
   copy C:\certs\Root64.cer c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
   copy C:\certs\sso\rui.key c:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key
   Select YES to overwrite the existing file.
e) Restart the VMware Security Token Service to accept the updated certificate files. Type the following:
   net stop VMwareSTS
   net start VMwareSTS
f) Update the three services with the current information. Type the following:
   ssolscli updateService -d https://sso2.vmware.local:7444/lookupservice/sdk -u administrator@vsphere.local -p <password> -si C:\certs\gc_id -ip C:\certs\gc.properties
   ssolscli updateService -d https://sso2.vmware.local:7444/lookupservice/sdk -u administrator@vsphere.local -p <password> -si C:\certs\admin_id -ip C:\certs\admin.properties
   ssolscli updateService -d https://sso2.vmware.local:7444/lookupservice/sdk -u administrator@vsphere.local -p <password> -si C:\certs\sts_id -ip C:\certs\sts.properties
   NOTE: If you receive a "Server certificate assertion not verified and thumbprint not matched" error, follow step g) to restart the VMware Security Token Service and repeat the command.
g) You must restart the VMware Security Token Service for the previous step to take effect. Type the following:
   net stop VMwareSTS
   net start VMwareSTS
h) Confirm by typing the following that the updates have been applied:
   ssolscli listServices https://sso2.vmware.local:7444/lookupservice/sdk
   The endpoints entry (line 4) should now show the load balancer URL sso.vmware.local for each service.
i) Remove the temporary host entry applied to the local hosts file by deleting the sso.vmware.local entry added in step c).
Configuring the Network Load Balancer

The following are examples of NLB configurations that can be used for placement with centralized vCenter Single Sign-On servers to provide an active-active distribution of load as well as redundancy. This is to be used as a guide for configuring such NLBs, because VMware does not provide support for the configuration of third-party products.

It is important to have a solid understanding of the setup and administration of the intended NLB prior to proceeding. The following procedures provide guidance on configuring the NLB for use with vCenter Single Sign-On server only and are not intended to provide general guidance on setup and administration of a load balancer.

All three examples publish a single TCP service on port 7444, the vCenter Single Sign-On HTTPS port, at the VIP 192.168.110.40 from Table 1, with 192.168.110.41 and 192.168.110.42 as pool members and a TCP health check on 7444, so a node whose Security Token Service stops listening is taken out of rotation.

NOTE: The following NLB configurations will not work with the VMware vCloud Automation Center, due to its having different vCenter Single Sign-On server communication requirements from those of vCenter Server. A revision is planned for enactment as soon as testing has been completed.

VMware vCloud Networking and Security

Using a supported Web browser, open the VMware vShield Manager interface.
1. In the left-hand menu, expand Datacenters and choose the data center your vCenter Single Sign-On
environment resides in.
2. Congure the virtual IP address (VIP):
a. Click the Network Virtualization tab.
b. Select your Edge gateway device.
c. Click Actions.
d. Choose Manage.
e. Click Congure.
f. Select the vNIC that will house the VIP IP address.
g. Select Edit.
h. Click the Green plus icon.
i. Enter the IP Address of the load balancer: 192.168.110.40.
j. Click Add.
3. Create the virtual server pool:
a. Click the Load Balancer tab on the edge1 screen.
b. Click the green plus icon to add a pool.
c. Provide a name: enter SSO-POOL.
d. Click Next.
e. Under Services:
i. Select TCP.
ii. Choose LEAST_CONN as Balancing Method.
iii. Enter 7444 as Port.
   f. Click Next.
   g. Change the TCP Monitor Port to 7444.
   h. Click Next.
   i. Under Members:
      i. Click the green plus icon.
      ii. Enter an IP address: 192.168.110.41.
      iii. Click Add.
      iv. Click the green plus icon again.
      v. Enter an IP address: 192.168.110.42.
      vi. Click Add.
      vii. Click Next.
      viii. Click Finish.
   j. Click Enable.
   k. Publish Changes to update the configuration.
4. Create a virtual server:
   a. Click Virtual Servers under the configuration tabs.
   b. Click the green plus icon.
   c. Enter a name: SSO-VIP.
   d. Enter an IP address: 192.168.110.40.
   e. Under Services:
      i. Select TCP.
      ii. Change the TCP Port to 7444.
      iii. Click Add.
   f. Click Publish Changes to update the configuration.
5. (Optional) Configure the firewall if the default rule is set to Deny.
   a. Click the Firewall tab.
   b. Click the green plus icon.
   c. In the new entry:
      i. Enter a rule name: SSO.
      ii. Provide a destination: select Add IP Addresses.
      iii. Enter a name: SSO-VIP.
      iv. Enter an IP address: 192.168.110.40.
   d. Click OK.
   e. Click Publish.
F5 BIG-IP

1. Before you start, make a copy of the C:\certs\sso directory and Root64.cer from one of the installed vCenter Single Sign-On servers.

Unlike the TCP configurations in the other two examples, this BIG-IP configuration terminates SSL on the appliance with the vCenter Single Sign-On certificate and re-encrypts to the pool members (the client and server SSL profiles in steps 4 to 6), so the SSO private key is also stored on the load balancer. Treat the copy made in step 1 as sensitive and delete it after the import.

Using a supported Web browser, open the F5 BIG-IP management interface.

2. Provide SSO certificates to F5 BIG-IP:
   a. Choose System.
   b. Choose File Management.
   c. Choose SSL Certificate List.
   d. On the SSL Certificate List screen, click Import.
   e. Under Import Type, select Certificate.
   f. For Certificate Name, select Create New and enter ssoCert.
   g. For Certificate Source, select Upload File and browse to the rui.crt file from the copy of the SSO directory in step 1.
   h. Click Import.
   i. On the SSL Certificate List screen, click Import.
   j. Under Import Type, select Key.
   k. For Key Name, select Create New and enter ssoKey.
   l. For Key Source, select Upload File and browse to the rui.key file from the copy of the SSO directory in step 1.
   m. Click Import.
   n. On the SSL Certificate List screen, click Import.
   o. For Import Type, select Certificate.
   p. For Certificate Name, select Create New and enter VMwareLocalRoot.
   q. For Certificate Source, select Upload File and browse to the Root64.cer file from the copy in step 1.
   r. Click Import.
   s. Confirm that the ssoCert entry shows sso.vmware.local under Common Name.
3. Create the load balancer pool:
   a. Choose Local Traffic from the left-hand menu.
   b. Choose Pools.
   c. Choose Pool List.
   d. On the Pool List screen, click Create.
   e. Provide a Name: enter SSO.
   f. For Health Monitors, select tcp and add it to the Active column.
   g. For New Members:
      i. Enter a Node Name: sso1.
      ii. Enter an Address: 192.168.110.41.
      iii. Enter a Service Port: 7444.
      iv. Click Add.
      v. Enter a Node Name: sso2.
      vi. Enter an Address: 192.168.110.42.
      vii. Enter a Service Port: 7444.
      viii. Click Add.
      ix. Click Finished.
4. Create the SSL client profile:
   a. Choose Local Traffic from the left-hand menu.
   b. Choose Profiles.
   c. Choose SSL.
   d. Choose Client.
   e. On the Client screen, click Create.
   f. Enter a Name: SSO-Client.
   g. Select Custom.
   h. Under Configuration:
      i. For Certificate, choose ssoCert.
      ii. For Key, choose ssoKey.
      iii. Click Finished.
5. Create the SSL server profile:
   a. Choose Local Traffic from the left-hand menu.
   b. Choose Profiles.
   c. Choose SSL.
   d. Choose Server.
   e. On the Server screen, click Create.
   f. Enter a Name: SSO-Server.
   g. Select Custom.
   h. Under Configuration:
      i. For Certificate, choose ssoCert.
      ii. For Key, choose ssoKey.
      iii. Click Finished.
6. Create virtual server:
a. Choose Local Traffic from the left-hand menu.
b. Choose Virtual Servers.
c. Choose Virtual Server List.
d. On the Server screen, click Create.
e. Enter a Name: SSO-VIP.
f. Provide a Destination:
i. For Type, select Host.
ii. Enter an Address: 192.168.110.43.
iii. Enter a Service Port: 7444.
g. Under Configuration:
i. For HTTP Profile, choose http.
ii. For SSL Profile (Client), choose SSO-Client.
iii. For SSL Profile (Server), choose SSO-Server.
h. Under Resources:
i. For Default Pool, choose SSO.
i. Click Finished.
7. Create SNAT:
a. Choose Local Traffic from the left-hand menu.
b. Choose Address Translation.
c. Choose SNAT List.
d. On the SNAT List screen, click Create.
e. Enter a Name: SNAT-SSO-NGC.
f. Under Configuration:
i. For Translation IP address, choose 192.168.110.40.
g. Click Finished.
Citrix NetScaler
Using a supported Web browser, open the Citrix NetScaler management interface.
1. Create a virtual server:
a. Choose Traffic Management.
b. Choose Load Balancing.
c. Choose Virtual Servers.
d. Click Add.
e. Enter a Name: SSO.
f. Change the protocol from the default HTTP to TCP.
g. Enter an IP address: 192.168.110.40.
h. Enter a Port: 7444.
2. Create the services for the virtual server:
a. Select Add under the Services tab.
b. Enter a Service Name: sso1.
c. Change the protocol from the default HTTP to TCP.
d. Select Server and enter 192.168.110.41.
e. Select Port and enter 7444.
f. Under Available Monitors, select TCP and click Add.
g. Click Create.
h. Click Add again under the Services tab.
i. Enter a Service Name: sso2.
j. Change the protocol from the default HTTP to TCP.
k. Select Server and enter 192.168.110.42.
l. Select Port and enter 7444.
m. Under Available Monitors, select TCP and click Add.
n. Click Create.
3. Under Available Monitors, select TCP and click Add.
a. Click Create.
4. On the Create Virtual Server screen:
a. Click Create.
b. Click the Method and Persistence tab.
c. Confirm that LB Method is set to Least Connection.
d. Click Close.
5. Refresh the configuration.
You now have an NLB that is configured to receive vCenter Single Sign-On requests and to pass them through to a member server running vCenter Single Sign-On server.
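Before registering any vCenter components against the NLB, a practitioner will want to confirm that the VIP and both pool members present the same SSO certificate (the rui.crt copied to each node and to the balancer), that it chains to Root64.cer, and that its name is sso.vmware.local. The following Python check is an added example, not code from the VMware paper; the F5 addresses are taken from the walkthrough above, and the Root64.cer path is an assumption.

```python
"""Post-deployment check for a load-balanced vCenter Single Sign-On VIP."""
import hashlib
import socket
import ssl

# Lab values from the paper's F5 walkthrough; adjust for your environment.
SSO_NAME = "sso.vmware.local"                  # CN the SSO certificate carries
SSO_PORT = 7444                                # vCenter Single Sign-On port
VIP = "192.168.110.43"                         # SSO-VIP virtual server
MEMBERS = ["192.168.110.41", "192.168.110.42"]  # pool members sso1 and sso2
ROOT_CA = r"C:\certs\Root64.cer"               # assumed path of the copied root


def subject_cn(peercert):
    """Return the commonName from an ssl.getpeercert() dictionary, or None."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def fingerprints_consistent(der_certs):
    """True when every DER certificate supplied has the same SHA-256 digest,
    i.e. the same rui.crt was deployed to the NLB and to every SSO node."""
    digests = {hashlib.sha256(der).hexdigest() for der in der_certs}
    return len(digests) == 1


def fetch_sso_cert(address, root_ca=ROOT_CA, timeout=5.0):
    """TLS-connect to one SSO endpoint. The chain is validated against
    Root64.cer and the name against SSO_NAME, so a VIP that still serves
    the balancer's default certificate fails here with ssl.SSLError.
    Returns (DER bytes, parsed certificate dict)."""
    ctx = ssl.create_default_context(cafile=root_ca)
    with socket.create_connection((address, SSO_PORT), timeout=timeout) as sock:
        # server_hostname supplies SNI and is what the hostname check uses
        with ctx.wrap_socket(sock, server_hostname=SSO_NAME) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def check_deployment(vip=VIP, members=MEMBERS):
    """Map each endpoint to the CN it presented and flag certificate drift."""
    ders, report = [], {}
    for address in [vip] + list(members):
        der, info = fetch_sso_cert(address)
        ders.append(der)
        report[address] = subject_cn(info)
    report["consistent"] = fingerprints_consistent(ders)
    return report
```

Run `check_deployment()` from a host that can reach port 7444 on the VIP and on both members; a report whose `consistent` flag is False means one endpoint is serving a different certificate than the others.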
Postdeployment of a Centralized vCenter Single Sign-On Environment
Having completed the previous steps of installing a centralized vCenter Single Sign-On solution, you can complete the deployment of all vCenter Single Sign-On enabled solutions. Installation of additional VMware solutions is not recommended on the virtual machines hosting the vCenter Single Sign-On environment.
Installing vCenter Server Components
Almost all vCenter Server components utilize a vCenter Single Sign-On solution. They can be deployed in the following order:
1. VMware vSphere Web Client: specify sso.vmware.local for the vCenter Single Sign-On server.
2. vCenter Inventory Service: specify sso.vmware.local for the vCenter Single Sign-On server.
3. vCenter Server: specify sso.vmware.local for the vCenter Single Sign-On server.
Any other VMware component that requires vCenter Single Sign-On registration should also specify sso.vmware.local when asked for the vCenter Single Sign-On server.
Updating a Previously Installed vCenter Single Sign-On Configuration
If you have deployed a different vCenter Single Sign-On architecture or are upgrading and plan to move to a centralized vCenter Single Sign-On environment, the following is an overview of the process involved.
1. If upgrading, you must do so from the existing vCenter Single Sign-On server to the latest release; that is, vCenter Server 5.5.0b Build 1476387.
2. Deploy a new vCenter Single Sign-On server, as discussed, for an additional vCenter Single Sign-On server, using the existing vCenter Single Sign-On server as the partner host name. This will enable replication of vCenter Single Sign-On configuration, including users and groups, to the newly deployed vCenter Single Sign-On server. This server will become the first vCenter Single Sign-On server in a centralized environment, for placement behind an NLB.
3. Deploy a new vCenter Single Sign-On server, as discussed, for an additional vCenter Single Sign-On server, using the vCenter Single Sign-On server deployed in the previous step as the partner host name. This server will be the second vCenter Single Sign-On server in a centralized environment, for placement behind an NLB.
4. Proceed with the preceding instructions, starting from the vCenter Single Sign-On certificates.
Conclusion
With the release of VMware vCenter Server 5.5 and an improved VMware vCenter Single Sign-On server, the use of network load balancers with a centralized vCenter Single Sign-On environment can provide robust load distribution and redundancy without the limitations found in previous versions. For customers with multiple vCenter Single Sign-On enabled solutions, the centralized model eases the duplication of vCenter Single Sign-On administration. This document provides the necessary steps for deploying and configuring a centralized vCenter Single Sign-On environment with the benefits of utilizing a network load balancer.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: TBD Doc source: OIC-13VM004.09