Re-use of vCenter SSO certificate
I was banging my head against the deployment of the single sign-on with my installation of vCenter 5.1 certificates.
I think I finally have a handle on how to do it using the SSL automation tool.
So what I wanted to do was blow away all my servers and reinstall everything. I wanted to reuse the certificates that I have already created.
I think that if I use the same IP address and host name I should be fine. I'm going basic here?
There will be no problem as long as CN has the FQDN of the server and the domain OR something that is unique for the SSO service. Just install the servers and redeploy certificates that you are used to.
Similar Questions
-
Hello
Is anyone using vCenter SSO in HA? I followed the SSO deployment guide for vRA, but automatic failover does not work: if I stop one of the nodes, we start to get exception errors when creating tenants, adding business groups, ... With both nodes up it works very well (the load balancer seems OK).
Any experience with vCenter SSO 5.5up2 HA and vRA 6.2.2? Is there something missing from the guide or any additional parameter to configure?
Thank you.
The only recommendation I can do, and I'm under NDA, so I can't expand on why I say this, but... I would not invest any time to get this to work and use of identity. Wish I could provide more details than that.
Personally, I have had nothing but pain and grief trying to integrate the two, and whenever an update comes out for one or the other, it leads to irritation and gnashing of teeth, trying to figure out what has not been properly tested / validated between the two products, and it leads to all kinds of other problems. I saw too much, for lack of a better word, strangeness, trying to get SSO working in a highly available configuration like this... It's weird.
Just my $0.02.
-
I can not re register vCenter SSO
I have a strange problem in vCSA (U2d): after restarting the device, the Web Client shows "Empty inventory". When I look more deeply, the command:
/usr/lib/vmware-sso/bin/vi_regtool listServices https://PVC1.piszki.Lab:7444/lookupservice/sdk
shows no registered vCenter service! And I can't unregister vCenter:
PVC1:/etc/VMware-SSO/Register-hooks.d # / usr/lib/vmware-sso/bin/vi_regtool unregisterService d https://PVC1.piszki.Lab:7444/lookupservice/sdk u Pei xxxx-TR id.vc [email protected]
Initialization of provider of record...
SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk
null
com.vmware.vim.binding.lookup.fault.ServiceFault:
errorMessage = no object
inherited from com.vmware.vim.binding.lookup.fault.ServiceFault
pvc1:/etc/vmware-sso/register-hooks.d #. / 01-vcenter - mode uninstall - ls-Server https://PVC1.piszki.Lab:7444/lookupservice/sdk [email protected] user - password xxx
Initialization of provider of record...
SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk
null
com.vmware.vim.binding.lookup.fault.ServiceFault:
errorMessage = no object
inherited from com.vmware.vim.binding.lookup.fault.ServiceFault
But if I try to save the vCenter SSO:
pvc1:/etc/vmware-sso/register-hooks.d #. / 01-vcenter - installation - ls-Server mode https://PVC1.piszki.Lab:7444/lookupservice/sdk [email protected] user - password xxx - vc-admin-master option = root - sso-deployment-type option = Embedded
Initialization of provider of record...
SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk
Execution of anonymous
Successfully registered locations SSO and certificates
The code is back: success
Creation of main SSO for vCenter Server
Initialization of provider of record...
SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk
vpxd-PVC1.piszki.Lab-792e065c-d461-4BEB-8a9d-0b5696c4722f
com.vmware.vim.sso.admin.exception.DuplicateSolutionCertificateException: vpxd-pvc1.piszki.lab-792e065c-d461-4beb-8a9d-0b5696c4722f
at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:121)
at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringDomainErrorIs(VmomiClientCommand.java:220)
at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringDomainErrorIs(VmomiClientCommand.java:207)
at com.vmware.vim.sso.admin.client.vmomi.impl.PrincipalManagementImpl.createLocalSolutionUser(PrincipalManagementImpl.java:197)
at com.vmware.vim.sso.admin.client.vmomi.impl.PrincipalManagementImpl.createLocalSolutionUser(PrincipalManagementImpl.java:185)
at com.vmware.vim.install.cli.commands.RegisterSolutionCommand.execute(RegisterSolutionCommand.java:48)
at com.vmware.vim.install.cli.commands.CompositeCommand.execute(CompositeCommand.java:38)
at com.vmware.vim.install.cli.RegTool.execute(RegTool.java:190)
at com.vmware.vim.install.cli.RegTool.process(RegTool.java:107)
at com.vmware.vim.install.cli.RegTool.main(RegTool.java:38)
Return code is: AlreadyRegistered
The C# Client works with no problems. I am stuck, can anyone help?
Kind regards
Piotr
And there is a solution: snapshot + re-run the vCSA installation wizard. The only loss: storage tags and profiles disappeared.
-
VCenter Orchestrator certificates
If I import a certificate from a vCenter into Orchestrator, and then afterwards I implement PKI to give my vCenter an approved certificate, will my vCenter workflows fail until I have imported the new certificate?
Thank you!
Hello
I think it will be. If you plan to change the cert of the vRO also I think that the order should be:
- Change the certificate of the vRO. If you are using a public CA certificate, all the imported certificates will be deleted from the keystore, because a new keystore is created in that case.
- Change the certificate of vCenter.
- Import the vCenter certificate into vCO.
You might find this interesting:
How to change the SSL to a vCO device certificate | Kaloferov Spas's Blog
How to change the certificate SSL of Windows installed vCO | Kaloferov Spas's Blog
vCO Workflow to automate certificate generation process | Kaloferov Spas's Blog
-
Error update vcenter SSL certificate?
Hello people,
I've recently upgraded to vcenter 5.1 U1a successfully.
I'm following VMware articles and a popular blog to prepare and run the VMware certificate automation tool 1.0.
http://www.derekseaman.com/2012/09/VMware-vCenter-51-installation-part-2.html
http://www.derekseaman.com/2013/04/using-VMware-vCenter-certificate.html
Everything was pretty smooth up until I had to replace the vCenter Server SSL certificate (option 2, update vCenter SSL). See the attached photo.
After the error, my vcenter service will not start.
I tried to reset the password of database using vpxd.exe - p, but vcenter still does not start.
I also checked that the correct service ID is matched between vpxd.cfg and LS_ServiceID.prop.
Stuck at this point. I have since went instant return, but try to see if anyone has any suggestions?
Could this be type a bad password?
Thank you!
You mentioned the KB as well?
Regards
Girish
-
I have Firefox 37.0.1 installed on OpenSuse 13.2. I have a proxy server that uses a self-signed certificate, and I tried to add my certificate to the list of authorities and checked all the trust options displayed, but no luck.
I tried to restart firefox, but it did not help.
I did the same steps in chrome and it works fine.
Appreciate any help.
After removing .mozilla in my home directory, adding the certificate to the list of authorities did in fact work.
-
I can't connect to my SMTP server with TLS (send on port 465 or 587 / receive on 995) using Thunderbird 31.3 or 24.6 on my OS X 10.10.1 (Didier) MacBook Pro.
However, I am able to send and receive mail from the same account on my Windows 7 machine using Outlook 2007, using the same settings I configured in Thunderbird. I added the certificate etc.
http://img.Photobucket.com/albums/v631/Napoleon_BlownApart/ScreenShot2014-12-16at121323pm.PNG (Taken when using 24.6)
I am the admin of the server and the password and other settings on the side Server are correct! (I'll take a look at the evolution at the same time. I am already back to an earlier version of Firefox because of sloppy coding and broken features).
Any ideas?
If the server name is a secret, how you expect to receive mail. Please, we have pretty bad without guessing. Seriously what you are done using a self signed certificate, they are free by https://www.startssl.com/
My guess is it of OSX who dislikes the self-signed certificate, how Thunderbird to deal with Windows. As you have a copy install Thunderbird and see if it is a question of OSX.
-
I recently installed a security certificate on my site.
I tried different SSL checkers and the certificate seems fine.
Firefox, however, doesn't like it and displays a warning page that says: www.Academi.pl uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not approved.
(Error code: sec_error_untrusted_issuer)
This happens on Windows, Mac and Linux computers in my office.
I also received a number of reports from users of the site who are experiencing the same problem.
It seems that the problem does not occur in Firefox 7.x, but I have to check properly. Anyone know a solution to this? I tried to remove the certificates manually in preferences, but it did not help.
It worked for me! I had given up on everything, but then I received this reply in my inbox this morning. I was skeptical at first, thinking something so simple could not possibly solve all my problems... It did! Sometimes simple is best. Thank you all for the answers and help with this problem!
-
Undocumented VCenter, SSO Master Password unknown
Hi all
I've been trawling through much of the community to get a handle on this, so I thought I would ask this question to get a concise answer.
I am looking to upgrade a VCenter 5.1 U2 to V6. There is no documentation of the pre-installed VCenter and there is no trace of the SSO master password. I have reset the password of admin@system-domain so I am able to get into the web console. As mentioned in other posts, this password is completely separate from the master password, which cannot be changed without knowing what the master password currently is.
From what I have read, the easiest method for me to upgrade seems to be to delete and reinstall SSO, then reconnect VCenter to it.
Apparently the most difficult method is to build a new VCenter, create local switches (as we use vDS), migrate guests to the local switches on the current vCenter, migrate the hosts to the new VirtualCenter and then re-create the vDS.
I looked at the flings on the labs.vmware.com site and there is one that might help, but it does not work for v5.1 to 6 and it sounds like it has problems with vDS.
An option I have thought of and would like to validate is the following: if I build a new VCenter with a new SSO installation which is actually documented, can I join a V5.1 VCenter to the V6 SSO installation? If I could take the vCenter 5.1 to 6 while the old and the new are part of the same authentication domain, I could technically vMotion between VCenters. Is this a valid option, or am I expecting more of the product than it can really do? I'm looking for the least disruptive method to get up to date.
Thank you
Hayden
Thought that I would respond to this so that everyone knows how we have progressed.
After a lot of searching on Google and trial and error, I found a blog post on vXpertise written by Fabian Lenz, which helped me to get this working properly. Now I can migrate my systems with vDS intact to a new installation of vSphere vCenter 6. The link to the article is http://www.vxpertise.net/2013/06/migration-of-a-distributed-switch-to-a-new-vcenter-important-things-to-know/
Essentially the issue I had was that I was using the logical order of import of the vDS and not the right order. It is a big help because it gets us around the issue of the forgotten SSO 'master' password and allows us to upgrade to a new installation of VCenter, essentially as we were eager to do.
I hope this helps someone else out there
-
vCenter SSO 5.5u2b HA for vCAC re - install service STS unrecognized option:-install
I'm trying to configure vCenter SSO 5.5u2b in an HA configuration for use with vCAC 6.1. I'm following the guide:
and arrived at the end of the document where I re-install the STS. When I try to run the command:
"c:\Program Files VMware vCenter Server - Java
"C:\Program Components\bin\java.exe" - cp
Files\VMware\Infrastructure\VMware\CIS\vmware-sso\ *; c:\Program
Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\ *; ; *”
com.vmware.identity.installer.STSInstaller - install - root-cert-path
ssoserverRoot.crt - cert-path-private-key ssoserverSign.crt
ssoserverSign.key - the number of attempts-2-30-retry interval
(put in one line and correcting the parentheses) I get errors:
Unrecognized option:-install
Error: Could not create the Virtual Machine Java.
Error: A fatal error has occurred. Program ends.
I installed the SSO application on the E: drive, so I've updated the script to account for 'e' as follows:
""c:\Program Files VMware vCenter Server - Java Components\bin\java.exe"- cp" e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\ *; e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\ *; ; * "com VMware.Identity.installer.STSInstaller - install - path root-cert ssoserverRoot.crt - cert-path ssoserverSign.crt - private-key-path ssoserverSign.key - number of attempts-2-30-retry interval
any suggestions?
I found the issue... There must be a space between ...; ; * and com.vmware... The command in the document is missing this space. After running the command:
""c:\Program Files VMware vCenter Server - Java Components\bin\java.exe"- cp" e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\ *; e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\ *; ; ' ' * com.vmware.identity.installer.STSInstaller - install - path root-cert ssoserverRoot.crt - cert-path ssoserverSign.crt - private-key-path ssoserverSign.key - number of attempts-2 - interval before new attempt-30
the STS re-installed correctly.
-
I have a vCenter 5.5 system up and working well.
I tried to install a second SSO server for vCenter as an additional server at a new site. But the installer kept giving me the mythical 1603 error message. If I installed SSO as a first vCenter server, it installed fine. I tried browsing the setup log file, but nothing jumped out at me.
Any suggestions on how to solve this?
GTG
I logged a call with VMWare on it. They quickly diagnosed that the problem was with SSL certificates.
However, a quick resolution was not forthcoming. So after nearly a week, I gave up, destroyed the whole vCentre installation and rebuilt from scratch. Only after having done that was it all working.
GTG
-
vCenter SSO 5.5 - users are not editable when upgrading from a 5.1.
I did some tests with a vCenter 5.5 installation on Win2008 R2 (non-production).
After the upgrade of SSO, I noticed a problem with the internal users of SSO: I can't change user properties.
Everything is greyed out. No password change, no unlocking, etc. (using [email protected] or another administrator)
Surprisingly, I can create a new user and change everything I need. But all the old user accounts, including [email protected], are not editable. I upgraded two SSO instances. Both have the same problem. It does not occur with a new installation.
Has anyone noticed the same problem? How can I solve this problem?
With vCenter 5.5.0a this problem has been resolved.
All users are now editable.
-
VCenter SSO 5.5 upgrade problems - cannot start SERVICE KDC VMWARE
Hi, I am trying to upgrade my current SSO that was installed about a month ago (a complete reinstallation of my entire vCenter environment).
At some point, the install fails and gives me this error message: "Service "VMware Kdc Service" (VMwareKdcService) failed to start. Check that you have sufficient privileges to start system services."
I installed as the domain administrator, which obviously has rights of a local administrator on the Windows Server.
Any help or can someone point me to a log file, I can watch or something.
Thank you!
Michel
More tweaking... The KDC service requires port 88 to start.
netstat -abn shows vpxd.exe uses port 88. When I installed vCenter, I had chosen port 88 as port 80 was already in use by IIS... I have now disabled IIS and want to move vCenter back to port 80.
Now, does anyone have an idea how I can change vCenter to use port 80?
-
ThinPro 4.3 - Citrix Receiver 13 - use HPDM to install certificates?
Hello
I have an existing environment of about 1200 T610s, and we are migrating to a new Citrix farm. On the thin clients the Receiver is now 12. I'm moving to Citrix Receiver 13 and installing new certificates.
Is it possible to install certificates using HPDM? I tried options command line with "high-cert-mgr", but for some stupid reason, he began as a script of hpdm because he needs an x environment.
I tried to copy them down to the thin client, putting the new cert in the directory /usr/lib/ICAClient/keystore/cacerts and running c_rehash on the directory, but I always get the certificate error.
What am I doing wrong? Does anybody have it working?
Thank you in advance for your help!
Best regards, Fred
I thought about it.
You must copy the certificate in PEM format to 3 locations (with the extension .crt):
/writable/usr/lib/ICAClient/keystore/cacerts/*.crt
/writable/home/user/.freerdp/certs/*.crt
/writable/usr/local/share/ca-certificates/*.crt
Then, you create a link in /writable/etc/ssl/certs (with the .pem extension) to the cert file located in
/writable/usr/local/share/ca-certificates
Then, you need to run
c_rehash /writable/etc/ssl/certs
in a work order.
complicated to say the least.
Am I missing something basic? is there an easier way to do this?
Thank you
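The procedure from the post above written as one script (an added example, not code from the original post). The function name `install_ca_cert`, the `REHASH_CMD` override and the optional root argument are assumptions of this example so it can be tried against a scratch directory; the relative symlink target is also a choice made here.

```shell
#!/bin/sh
# Added example: stage one PEM CA certificate into the ThinPro locations
# listed in the post. Hypothetical names: install_ca_cert, REHASH_CMD.

install_ca_cert() {
    cert=$1
    root=${2:-/writable}              # assumption: overridable for dry runs
    rehash=${REHASH_CMD:-c_rehash}    # assumption: overridable for dry runs

    # Accept PEM only. A DER file renamed to .crt is skipped by c_rehash,
    # and the client keeps showing the certificate error.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
        echo "error: $cert is not a PEM certificate" >&2
        return 2
    fi

    name=$(basename "$cert")
    name=${name%.*}                   # strip the extension; .crt/.pem added below

    # 1. Copy with a .crt extension into the three stores.
    for dir in \
        "$root/usr/lib/ICAClient/keystore/cacerts" \
        "$root/home/user/.freerdp/certs" \
        "$root/usr/local/share/ca-certificates"
    do
        mkdir -p "$dir" && cp "$cert" "$dir/$name.crt" || return 1
        chmod 644 "$dir/$name.crt"
    done

    # 2. Link it into etc/ssl/certs with a .pem extension. The relative
    #    target resolves wherever the tree is mounted.
    mkdir -p "$root/etc/ssl/certs" || return 1
    ln -sf "../../../usr/local/share/ca-certificates/$name.crt" \
        "$root/etc/ssl/certs/$name.pem" || return 1

    # 3. Rebuild the hash links so OpenSSL-based clients can find the CA.
    if ! command -v "$rehash" >/dev/null 2>&1; then
        echo "warning: $rehash not found, hash links not rebuilt" >&2
        return 3
    fi
    "$rehash" "$root/etc/ssl/certs" >/dev/null
}

# Usage: sh install-ca.sh /tmp/lab-ca.pem [/writable]
if [ "$#" -gt 0 ]; then
    install_ca_cert "$@"
fi
```

Return code 2 means the input was not PEM and nothing was written; 3 means the files are in place but the hash links still have to be rebuilt on the client.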
-
What everyone uses for an SSL certificate on the wireless controller?
If I use the locally generated SSL certificate on my WLC, Internet Explorer always shows the "untrusted cert alert" when users try to authenticate through the web interface. What can I do to fix this? Do I need to buy a cert? If so, where is the best place to do this? GoDaddy? Also, I bought one for my mail server and had to set a domain name during the process. What should I use for my WLC? The URL during the web authentication process shows https://1.1.1.1
RapidSSL is your best bet. It is less than $90 for 1 year with renewal and insurance. 5 years is like $380. GoDaddy will not work because they use chained certificates.
On the VIP, you enter the DNS domain name that you used as the certificate CN when generating the CSR. Of course, you have to resolve the CN name to 1.1.1.1, or change 1.1.1.1 to another IP address that is not on your network. Restart the WLC and you're done.