VMware Cloud Community
SHBECKER
Contributor

Re-Pointing vCenter to different SSO Instance

Hello!

I'm working for a customer in a large project upgrading from vSphere 5.1 to vSphere 5.5.

We want to set up a new SSO instance and reconfigure the components to use the new one. To re-register the vCenter to the different SSO instance, I tried to run the repoint.cmd (KB 2033620). Unfortunately I got an error regarding the path of the openssl executable. I copied the openssl files to the Java JRE folder (C:\Program Files\VMware\Infrastructure\jre) and afterwards it worked. Now I'm getting another error message saying

2015-01-27T11:54:26.932+0100 [c.v.s.c.c.WinSystemTrustStoreManager] INFO  Saving CA certificate for C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local to C:\ProgramData\VMware\SSL\C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local

2015-01-27T11:54:26.946+0100 [c.v.s.cfg.ServiceCfgMain] ERROR Abnormal command failure: exception `C:\ProgramData\VMware\SSL\C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local (The system cannot find the path specified)' of type class java.io.FileNotFoundException

java.io.FileNotFoundException: C:\ProgramData\VMware\SSL\C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local (The system cannot find the path specified)

The Script ends with:

2015-01-27T11:54:26.979+0100 [c.v.s.cfg.ServiceCfgMain] INFO  Return code is: InternalError / 254

2015-01-27T11:54:26.980+0100 [c.v.s.cfg.ServiceCfgMain] INFO  END EXECUTION

It seems like there is something wrong with the path variables in the Java script or they didn't get a value.

Could you please help me?

Thanks and regards,

Simon

10 Replies
MauroBonder
VMware Employee

Hi,

Did you fix your problem?

Thanks

CoolRam
Expert

Did you set up the Java home variable as well as the path variable correctly? This looks like a Java error or a machine authentication issue.

mattdon
Contributor

There are Java exceptions in the message, so Java is working.

I hit this one today trying to repoint my vCenter to a freshly installed 5.5 SSO with a certificate automatically generated by the installer.  The installation media I used (which is admittedly old but matches our production) is vCenter Server 5.5 Update 1a from VMware-VIMSetup-all-5.5.0-1750795-20140201-update01.iso

The repoint command downloads the CA certificate and saves it to C:\ProgramData\VMware\SSL\ and uses the information from the 'Subject' of the certificate for the filename.

The certificate information can be viewed by going to the lookup service with a web browser and looking at the certificate properties. eg: https://ssoserver:7444/lookupservice/sdk

A normal subject might be "CA" or "hostname.fqdn" or "RSA Identity and Access Toolkit Root CA"; these are ones I see in my production system from a 5.5 SSO that was upgraded from 5.1 and from a fresh install of the SSO in vSphere 6 PSC.

However, the certificate the 5.5U1a installer generated for the SSO CA had a subject with a country field "C= US" and a common name of "CA, CN=hostname, dc=vsphere,dc=local", so it looks like when Java goes to write this filename it escapes the comma ',' character with a backslash '\', so it is trying to write a file called "C=US,CN=CA\, CN\=hostname\, dc\=vsphere\,dc\=local", and Windows won't allow a file with reserved characters such as the backslash and fails, generating the exception.

So the fix? Either generate new CA certificates for the SSO server, which is a huge pain, or install a new SSO which generates a certificate with a proper subject CN and repoint your vCenter at that, which is what I did.  I used a new vSphere PSC standalone on the VCSA.

I assume you've fixed or worked around this, so I'm leaving this detail here for others who might hit this problem.

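Added example (not part of the thread, and not code from VMware's repoint tool): a Python check of the explanation in the post above, run against the escaped subject from the quoted log and the "normal" subjects mattdon lists. It assumes the tool uses the escaped subject string directly as the file name under C:\ProgramData\VMware\SSL; the function names are hypothetical.

```python
from pathlib import PureWindowsPath

SSL_DIR = r"C:\ProgramData\VMware\SSL"  # directory named in the log above
# Escaped subject exactly as it appears in the log lines quoted in the thread.
BAD_SUBJECT = r"C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local"
# Subjects the post above lists as normal.
GOOD_SUBJECTS = ["CA", "hostname.fqdn", "RSA Identity and Access Toolkit Root CA"]

RESERVED_CHARS = set('<>:"/\\|?*')  # not allowed in a Windows file name
RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL",
                  *(f"COM{i}" for i in range(1, 10)),
                  *(f"LPT{i}" for i in range(1, 10))}


def filename_problems(name):
    """Return the reasons `name` cannot be used as one Windows file name."""
    problems = []
    bad = sorted({c for c in name if c in RESERVED_CHARS or ord(c) < 32})
    if bad:
        problems.append("reserved characters: " + " ".join(bad))
    if name.split(".")[0].rstrip().upper() in RESERVED_NAMES:
        problems.append("reserved device name")
    if name.endswith((" ", ".")):
        problems.append("trailing space or dot")
    return problems


def components_below(directory, name):
    """Show how Windows splits directory + separator + name into components."""
    base = PureWindowsPath(directory)
    full = PureWindowsPath(directory + "\\" + name)
    return list(full.parts[len(base.parts):])


if __name__ == "__main__":
    for subject in [BAD_SUBJECT, *GOOD_SUBJECTS]:
        print(repr(subject))
        print("  problems  :", filename_problems(subject) or "none")
        print("  components:", components_below(SSL_DIR, subject))
```

Each backslash in the escaped subject is read as a path separator, so the write targets nested directories that do not exist, which is consistent with the "cannot find the path specified" text in the exception.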
Chewie71
Contributor

mattdon,

So you installed a new standalone vSphere 6 PSC, and then pointed your existing vSphere 5.5 Inventory and vCenters at it using the command line tools listed in the KB?

I tried a new standalone 5.5 SSO and I still get the stupid "Saving certificate..." error.

I need to split my SSO out from the "Simple" vCenter install to be able to continue to use linked mode between my sites so that's why I'm attempting this.

Thanks,

Matt

mattdon
Contributor

Sounds like you're in a similar situation, and yes, at the time of my post I thought that it had worked... but it didn't; I wasn't able to log in to anything after all the services restarted.  I've come to the conclusion that the repointing command Just Don't Work.

The only reliable way I could repoint vSphere 5.5 components to a new SSO was by uninstalling and reinstalling them and referring to the new SSO server in the install.

What I started with:

2x vCenter servers with internal SSO in a single SSO domain with 2 sites.

Basically the first deprecated one in this KB: VMware KB: List of recommended topologies for VMware vSphere 6.0.x

What I want: the 3rd recommended topology, but with only 1 vCenter server in each site

What I did:

1. Create 2x new VMs and install SSO 5.5 Update 2e in a new SSO domain with 2 sites.

2. Uninstall vCenter, Inventory Service and Web Client

3. Install Web Client, Inventory Service, vCenter and point at the new SSO domain

4. In-place upgrade the new SSO servers (one at a time) to PSC.

5. In-place upgrade vCenter 5.5 (one at a time) to vCenter 6.0

6. Regenerate the root CA certificate and new machine/solutions certificates.

     a. On the PSC server run: "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat"

     b. Option 4, enter cert details

     c. Restart services on vCenter server

     d. On the vCenter Server run: "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat"

     e. Option 3, enter pass, PSC ip and cert details

     f. On the vCenter Server run: "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat"

     g. Option 6, enter pass, PSC ip and cert details

I did the certificate part as the new SSO's dodgy 'CA, CN=...' format certificate was carried over to the PSC and I wanted to avoid future problems.  This procedure was quite easy and reliable, I'm impressed they've finally sorted out certificate management.

Also note that SSO config needs to be recreated as it's a new domain, my SSO configuration was very simple it just pointed at our AD domain so was easy.

This upgrade order follows this: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.upgrade.doc/GUID-FDF1D082-36EB-41EB-9...

I've done all these steps above except the upgrade of the 2nd vCenter server to v6, where I hit this error: VMware KB: Installing or Upgrade of vCenter Server 6.0 with an external Platform Service Controll...

The fix in the article worked, but then I've hit another error which based on the logs looks like an invalid role from an old Dell vCenter plugin I was testing a couple years back.  I need to clean that up and give it another try.
When the upgrade failed (2 hours into it) I reverted the snapshot of the vCenter server but hit SSO errors when trying to log in.  I figured the registration got broken during the upgrade and I didn't want to roll back the linked PSC servers; an uninstall/reinstall of all vCenter 5.5 services got it working again.

I must've spent 2 weeks on this upgrade and still not there yet.. good luck.

Chewie71
Contributor

mattdon,

Ha! Yea I quickly came to the same realization.  I'm attacking it from a slightly different angle.  Instead of re-creating my old infrastructure first, I'm building a brand new vSphere 6 environment alongside the old setup.  Then I'm using a couple tools/scripts I found to export/import the data and reconnecting the hosts to the new setup.

VMware KB: Exporting/importing/restoring Distributed Switch configs using vSphere Web client

Virtually Jason: Copying VM Folders and Permissions from One vCenter to Another

I've gotten one host, without VMs, moved over.  Today I will be moving a host with some test VMs to make sure they go over with no downtime.  If that works then I'll start moving hosts with production VMs.  So far this plan is working pretty well but I'm just starting step 6 so we'll see how the rest of it goes.

  1. Install new External PSC appliance.
  2. Install new vCenter 6 appliance
  3. Convert templates to VMs
  4. Export data from 5.5
  5. Import data into 6 - VMs with individual permissions will fail as they don't exist yet.
  6. One at a time, detach hosts and VMs from 5.5 and reattach to 6.0
  7. After hosts are attached and VMs are available, rerun the import data PS1 script to fix perms for the VMs that were still missing in step 5.
  8. Convert templates back
  9. Migrate VMs to correct folders.
  10. Upgrade vRealize Operations Manager to 6.0.1
  11. Upgrade vCenter Update Manager (probably a new install of this) to 6.0.0
  12. vRealize Log Insight to 2.5
  13. Rolling upgrade of clusters/hosts to ESXi 6.
  14. Upgrade vShield to 5.5.4
  15. Repeat steps 1-12 for 2nd site
  16. Upgrade 2nd site clusters
  17. Upgrade Horizon View to 6.1
  18. Repeat steps 2-12 for VDI vCenter (VDI will use the new PSC appliance)
  19. Upgrade the VDI cluster
  20. Upgrade VDI appliances
  21. Shutdown and delete all old vCenter instances.



Matt


JamesTein
Contributor

Is the problem solved? I can think of something. Did you set up the Java home variable as well as the path variable correctly? This looks like a Java error or a machine authentication issue :S



jpmoock
Contributor

For anyone else that runs into this and is specifically trying to repoint to a new/different SSO, if you stand up your new SSO environment using 5.1 first, then upgrade it to 5.5, and then repoint, it should work.  5.1 will use certificates with subjects that will work with the repointing script, whereas 5.5 apparently does not.  It's also important to note that if you have a multi-site or HA SSO environment, then SSO 5.1 must be installed on all nodes prior to upgrading them to 5.5, otherwise the fresh 5.5 install on the additional nodes will still use the bad certs.

tonyjwood
Contributor

I can confirm success by installing SSO 5.1 then upgrading to 5.5 and then re-pointing.  

Thanks

Tony

DavidACap
Contributor

Trying and getting the same errors - is there a specific version of 5.1 you upgraded from?

Thanks in advance!
