I'm working for a customer in a large project upgrading from vSphere 5.1 to vSphere 5.5.
We want to set up a new SSO instance and reconfigure the components to use the new one. To re-register the vCenter to the different SSO instance, I tried to run the repoint.cmd (KB 2033620). Unfortunately I got an error regarding the path of the openssl executable. I copied the openssl files to the Java JRE folder (C:\Program Files\VMware\Infrastructure\jre) and afterwards it worked. Now I'm getting another error message saying:
2015-01-27T11:54:26.932+0100 [c.v.s.c.c.WinSystemTrustStoreManager] INFO Saving CA certificate for C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local to C:\ProgramData\VMware\SSL\C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local
2015-01-27T11:54:26.946+0100 [c.v.s.cfg.ServiceCfgMain] ERROR Abnormal command failure: exception `C:\ProgramData\VMware\SSL\C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local (The system cannot find the path specified)' of type class java.io.FileNotFoundException
java.io.FileNotFoundException: C:\ProgramData\VMware\SSL\C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local (The system cannot find the path specified)
The script ends with:
2015-01-27T11:54:26.979+0100 [c.v.s.cfg.ServiceCfgMain] INFO Return code is: InternalError / 254
2015-01-27T11:54:26.980+0100 [c.v.s.cfg.ServiceCfgMain] INFO END EXECUTION
It seems like there is something wrong with the path variables in the Java script or they didn't get a value.
Could you please help me?
Thanks and regards,
Did you fix your problem?
Did you set up the Java home variable as well as the path variable correctly? This looks like a Java error or a machine authentication issue.
There are Java exceptions in the message, so Java is working.
I hit this one today trying to repoint my vCenter to a freshly installed 5.5 SSO with a certificate automatically generated by the installer. The installation media I used (which is admittedly old but matches our production) is vCenter Server 5.5 Update 1a from VMware-VIMSetup-all-5.5.0-1750795-20140201-update01.iso.
The repoint command downloads the CA certificate and saves it to C:\ProgramData\VMware\SSL\ and uses the information from the 'Subject' of the certificate for the filename.
The certificate information can be viewed by going to the lookup service with a web browser and looking at the certificate properties, e.g. https://ssoserver:7444/lookupservice/sdk
A normal subject might be "CA" or "hostname.fqdn" or "RSA Identity and Access Toolkit Root CA"; these are ones I see in my production system from a 5.5 SSO that was upgraded from 5.1 and from a fresh install of the SSO in vSphere 6 PSC.
However, the certificate the 5.5U1a installer generated for the SSO CA had a subject with a country field "C= US" and a common name of "CA, CN=hostname, dc=vsphere,dc=local". So it looks like when Java goes to write this filename it escapes the comma ',' character with a backslash '\', so it tries to write a file called "C=US,CN=CA\, CN\=hostname\, dc\=vsphere\,dc\=local", and Windows won't allow a file with reserved characters such as the backslash and fails, generating the exception.
So the fix? Either generate new CA certificates for the SSO server, which is a huge pain, or install a new SSO which generates a certificate with a proper subject CN and repoint your vCenter at that, which is what I did. I used a new vSphere PSC standalone on the VCSA.
I assume you've fixed or worked around this, so I'm leaving this detail here for others who might hit this problem.
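An added example, not part of the original post: a Python check of why the escaped subject from the log cannot be saved as a single file under C:\ProgramData\VMware\SSL, run on the subject string quoted in the error above. The function names and the sanitiser are hypothetical and are not part of repoint.cmd.

```python
import ntpath

# Directory and subject string taken from the log lines in the thread.
SSL_DIR = r"C:\ProgramData\VMware\SSL"
ESCAPED_SUBJECT = r"C=US,CN=CA\, CN\=MYHOSTNAME\, dc\=vsphere\,dc\=local"

# Characters Windows rejects inside a single file name component.
WINDOWS_RESERVED = set('<>:"/\\|?*')


def split_as_windows(path):
    """Split a path into components the way Windows resolves it."""
    drive, rest = ntpath.splitdrive(path.replace("/", "\\"))
    return [drive + "\\"] + [part for part in rest.split("\\") if part]


def check_subject_filename(subject):
    """Check whether `subject` can be one file name directly under SSL_DIR."""
    parts = split_as_windows(SSL_DIR + "\\" + subject)
    base_depth = len(split_as_windows(SSL_DIR))
    return {
        "ok": not (set(subject) & WINDOWS_RESERVED),
        "reserved": sorted(set(subject) & WINDOWS_RESERVED),
        # Directories that would have to exist already for the write to succeed.
        "implied_dirs": parts[base_depth:-1],
        "leaf": parts[-1],
    }


def safe_filename(subject):
    """Hypothetical sanitiser: replace reserved and control characters with '_'.
    Does not handle reserved device names (CON, NUL, ...) or trailing dots."""
    return "".join("_" if c in WINDOWS_RESERVED or ord(c) < 32 else c
                   for c in subject)


if __name__ == "__main__":
    for name in (ESCAPED_SUBJECT, "CA", safe_filename(ESCAPED_SUBJECT)):
        print(name, "->", check_subject_filename(name))
```

Each backslash in the escaped subject is read as a path separator, so the write targets a file named "=local" several directories below SSL that do not exist, which matches the "cannot find the path specified" message.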
So you installed a new standalone vSphere 6 PSC, and then pointed your existing vSphere 5.5 Inventory and vCenters at it using the command line tools listed in the KB?
I tried a new standalone 5.5 SSO and I still get the stupid "Saving certificate..." error.
I need to split my SSO out from the "Simple" vCenter install to be able to continue to use linked mode between my sites, so that's why I'm attempting this.
Sounds like you're in a similar situation, and yes, at the time of my post I thought that it had worked, but it didn't. I wasn't able to log in to anything after all the services restarted. I've come to the conclusion that the repointing command Just Don't Work.
The only reliable way I could repoint vSphere 5.5 components to a new SSO was by uninstalling and reinstalling them and referring to the new SSO server in the install.
What I started with:
2x vCenter servers with internal SSO in a single SSO domain with 2 sites.
Basically the first deprecated one in this kb: VMware KB: List of recommended topologies for VMware vSphere 6.0.x
What I want: the 3rd recommended topology, but with only 1 vCenter server in each site
What I did:
1. Create 2x new VMs and install SSO 5.5 Update 2e in a new SSO domain with 2 sites.
2. Uninstall vCenter, Inventory Service and Web Client
3. Install Web Client, Inventory Service, vCenter and point at the new SSO domain
4. In-place upgrade the new SSO servers (one at a time) to PSC.
5. In-place upgrade vCenter 5.5 (one at a time) to vCenter 6.0
6. Regenerate the root CA certificate and new machine/solutions certificates.
a. On the PSC server run: "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat"
b. Option 4, enter cert details
c. Restart services on vCenter server
d. On the vCenter Server run: "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat"
e. Option 3, enter pass, PSC ip and cert details
f. On the vCenter Server run: "C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat"
g. Option 6, enter pass, PSC ip and cert details
I did the certificate part as the new SSO's dodgy 'CA, CN=...' format certificate was carried over to the PSC and I wanted to avoid future problems. This procedure was quite easy and reliable; I'm impressed they've finally sorted out certificate management.
Also note that the SSO config needs to be recreated as it's a new domain. My SSO configuration was very simple, it just pointed at our AD domain, so it was easy.
This upgrade order follows this: http://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.upgrade.doc/GUID-FDF1D082-36EB-41EB-9...
I've done all these steps above except the upgrade of the 2nd vCenter server to v6 where I hit this error: VMware KB: Installing or Upgrade of vCenter Server 6.0 with an external Platform Service Controll...
The fix in the article worked, but then I hit another error which, based on the logs, looks like an invalid role from an old Dell vCenter plugin I was testing a couple of years back. I need to clean that up and give it another try.
When the upgrade failed (2 hours into it) I reverted the snapshot of the vCenter server but hit SSO errors when trying to log in. I figured the registration got broken during the upgrade and I didn't want to roll back the linked PSC servers; an uninstall/reinstall of all vCenter 5.5 services got it working again.
I must've spent 2 weeks on this upgrade and I'm still not there yet... good luck.
Ha! Yea, I quickly came to the same realization. I'm attacking it from a slightly different angle. Instead of re-creating my old infrastructure first, I'm building a brand new vSphere 6 environment alongside the old setup. Then I'm using a couple of tools/scripts I found to export/import the data and reconnecting the hosts to the new setup.
I've gotten one host, without VMs, moved over. Today I will be moving a host with some test VMs to make sure they go over with no downtime. If that works then I'll start moving hosts with production VMs. So far this plan is working pretty well but I'm just starting step 6 so we'll see how the rest of it goes.
Is the problem solved? I can think of something. Did you set up the Java home variable as well as the path variable correctly? This looks like a Java error or a machine authentication issue :S
For anyone else that runs into this and is specifically trying to repoint to a new/different SSO, if you stand up your new SSO environment using 5.1 first, then upgrade it to 5.5, and then repoint, it should work. 5.1 will use certificates with subjects that will work with the repointing script, whereas 5.5 apparently does not. It's also important to note that if you have a multi-site or HA SSO environment, then SSO 5.1 must be installed on all nodes prior to upgrading them to 5.5, otherwise the fresh 5.5 install on the additional nodes will still use the bad certs.