0 Replies Latest reply on Jan 14, 2016 2:44 PM by Nwconfig

    SSL Certificate Automation tool error Uninitialized Keystore

    Nwconfig Novice

      So I'm working off KB 2041600. I am attempting to upgrade certificates with new certs signed by our CA using the SSLAutomationTool 1.0.1.

      I am pretty sure my certificates are correct. I have used Derek Seaman's instructions in the past to generate my certificates manually and it has worked for other vCenter servers.

      I am following the planner output steps while running ssl-updater.bat.

      I was able to update Single Sign-On.

      I'm stuck on Update the Inventory Service SSL Certificate.

      Screen capture of process:


      C:\SSLAutomationTool1.0.1>ssl-updater.bat

      ==================================================================
      Main menu

      Enter the action you want to run
         1. Plan your steps to update SSL certificates(Update Steps Planner)
         2. Generate Certificate Signing Requests
         3. Update Single Sign-On
         4. Update Inventory Service
         5. Update vCenter Server
         6. Update vCenter Orchestrator(vCO)
         7. Update vSphere Web Client and Log Browser
         8. Update vSphere Update Manager(VUM)
         9. End the update process and exit

      The chosen action is: 3

      ==================================================================
      3. Update the Single Sign-On SSL Certificate

           1. Update the Single Sign-On SSL Certificate
           2. Rollback to the previous Single Sign-On SSL Certificate
           3. Return to the main menu to update other services

      The chosen service is: 1
      [Wed 01/13/2016 - 15:21:19.22]: The services that are restarted as a part of thi
      s operation are: vCenter Single Sign-On (if it is stopped it won't be started).
      Enter location to the new Single Sign-On SSL chain: C:\SSLAutomationTool1.0.1\re
      quests\vCenterSSO-acfwinsvvc01\chain.pem
      Enter location to the new Single Sign-On private key: C:\SSLAutomationTool1.0.1\
      requests\vCenterSSO-acfwinsvvc01\rui.key
      Enter the Single Sign-On master password (will not be echoed):
      Do you have a load balancer installed? (yes/no): no
      [.] WARNING: Certificate's `CN=acfwinsvvc01.prod.gao.gov, OU=vCenterSSO-acfwinsv
      vc01, O=gao, L=Washington, ST=DC, C=US' signature uses weak one-way hash (SHA-1)
      . In a secure environment it is recommended to use SHA2-256 or a stronger hash algorithm.
      [.] Found vCenter Single Sign-On Server installation in: C:\Program Files\VMware\Infrastructure\SSOServer\
      [.] Verifying master password.
      [.] The vCenter Single Sign-On service is currently running but it must be stopped in order to perform the SSL certificate update operation.
      [.] Waiting for service ssotomcat to stop, 15 seconds.
      [.] Service stopped successfully.
      [.] Beginning certificate replacement procedure for Single Sign-On.
      [.] The existing configuration will be backed up to C:\SSLAutomationTool1.0.1\backup\sso-ssl-updater.backup
      [.] Running: C:\Program Files\VMware\Infrastructure\SSOServer\utils\rsautil.cmd-S configure-riat -a configure-ssl --master-password ***hidden*** --private-key-
      alias server --keystore-file C:\Program Files\VMware\Infrastructure\SSOServer\security\server-identity.jks --keystore-type JKS --keystore-password ***hidden***
      --truststore-file C:\Program Files\VMware\Infrastructure\SSOServer\security\root-trust.jks --truststore-type JKS --truststore-password ***hidden***
      [   >
      [   > Executing action: 'configure-ssl'
      [   >
      [   > Updating SSL configuration
      [   >
      [   > Successfully executed action: 'configure-ssl'
      [   >
      [.] Exit status: 0
      [.] Updating the SSO endpoints in the Lookup Service.
      [.] This is Single Sign-On single-node install. All Single Sign-On endpoints are served from this node.
      [.] Starting vCenter Single Sign-On service.

      [Wed 01/13/2016 - 15:30:35.79]: Last operation update Single Sign-On SSL certificate completed successfully.
      [Wed 01/13/2016 - 15:30:35.82]: Go to the next step in the plan that was received from Update Steps Planner.

      ==================================================================
      3. Update the Single Sign-On SSL Certificate

           1. Update the Single Sign-On SSL Certificate
           2. Rollback to the previous Single Sign-On SSL Certificate
           3. Return to the main menu to update other services

      The chosen service is: 3

      ==================================================================
      Main menu

      Enter the action you want to run
         1. Plan your steps to update SSL certificates(Update Steps Planner)
         2. Generate Certificate Signing Requests
         3. Update Single Sign-On
         4. Update Inventory Service
         5. Update vCenter Server
         6. Update vCenter Orchestrator(vCO)
         7. Update vSphere Web Client and Log Browser
         8. Update vSphere Update Manager(VUM)
         9. End the update process and exit

      The chosen action is: 4

      ==================================================================
      4. Update the Inventory Service SSL Certificate

           1. Update the Inventory Service Trust to Single Sign-On
           2. Update the Inventory Service Trust to vCenter Server
           3. Update the Inventory Service SSL Certificate
           4. Rollback to the previous Inventory Service SSL Certificate
           5. Return to the main menu to update other services

      The chosen service is: 1
      [Wed 01/13/2016 - 15:41:03.53]: The services that are restarted as a part of this operation are: vCenter Inventory Service.

      [Wed 01/13/2016 - 15:41:33.60]: Last operation update Inventory Service trust to Single Sign-On completed successfully.
      [Wed 01/13/2016 - 15:41:33.61]: Go to the next step in the plan that was received from Update Steps Planner.

      ==================================================================
      4. Update the Inventory Service SSL Certificate

           1. Update the Inventory Service Trust to Single Sign-On
           2. Update the Inventory Service Trust to vCenter Server
           3. Update the Inventory Service SSL Certificate
           4. Rollback to the previous Inventory Service SSL Certificate
           5. Return to the main menu to update other services

      The chosen service is: 3
      [Wed 01/13/2016 - 15:42:03.49]: The services that are restarted as a part of this operation are: vCenter Inventory Service.
      Enter the location to the new Inventory Service SSL cert file: C:\SSLAutomationTool1.0.1\requests\vCenterInventoryService-acfwinsvvc01\rui.crt
      Enter the location to the new Inventory Service private key: C:\SSLAutomationTool1.0.1\requests\vCenterInventoryService-acfwinsvvc01\rui.key
      Enter the Single Sign-On Administrator user: admin@System-Domain
      Enter the Single Sign-On Administrator password (will not be echoed):

      Exception in thread "main" java.security.KeyStoreException: Uninitialized keystore
              at java.security.KeyStore.aliases(Unknown Source)
              at java.security.cert.PKIXParameters.<init>(Unknown Source)
              at java.security.cert.PKIXBuilderParameters.<init>(Unknown Source)
              at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
              at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
              at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
              at java.lang.reflect.Constructor.newInstance(Unknown Source)
              at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:77)
              at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:102)
              at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:54)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:182)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:194)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl.expandToTrustedChain(ServerSslConfigFactoryImpl.groovy:448)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl.this$2$expandToTrustedChain(ServerSslConfigFactoryImpl.groovy)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl$this$2$expandToTrustedChain.callCurrent(Unknown Source)
              at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:46)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:133)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:141)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl.loadCertChainFromStream(ServerSslConfigFactoryImpl.groovy:228)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl.this$2$oadCertChainFromStream(ServerSslConfigFactoryImpl.groovy)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl$this$2$loadCertChainFromStream.callCurrent(Unknown Source)
              at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:46)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:133)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:141)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl.loadCertChain(ServerSslConfigFactoryImpl.groovy:186)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl.this$2$loadCertChain(ServerSslConfigFactoryImpl.groovy)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl$this$2$loadCertChain.callCurrent(Unknown Source)
              at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:46)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:133)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:141)
              at com.vmware.sso.cfg.components.impl.ServerSslConfigFactoryImpl.load(ServerSslConfigFactoryImpl.groovy:122)
              at com.vmware.sso.cfg.components.ServerSslConfigFactory$load.call(Unknown Source)
              at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:120)
              at com.vmware.sso.cfg.ValidateChainMain.main(ValidateChainMain.groovy:58)

      [Wed 01/13/2016 - 15:47:35.64]: Last operation update Inventory Service SSL certificate failed :
      [Wed 01/13/2016 - 15:47:35.66]:
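
      Added example, not part of the original post and not code from VMware's tool: the top frames of the trace (KeyStore.aliases called from PKIXParameters.<init>) are what the JDK produces when PKIX parameters are built from a KeyStore object on which load() was never called. The Java sketch below reproduces that state next to an empty-but-loaded and a populated trust store. The class name, the helper tryBuild and the use of the JRE's own cacerts file as sample input are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;

public class UninitializedKeystoreDemo {

    // Calls the same constructor that appears in the stack trace and
    // reports which exception (if any) the trust store state triggers.
    static String tryBuild(KeyStore trustStore) {
        try {
            PKIXBuilderParameters p =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            return "ok, trust anchors: " + p.getTrustAnchors().size();
        } catch (Exception e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // State 1: getInstance() without load(). KeyStore.aliases() refuses
        // to run, giving "KeyStoreException: Uninitialized keystore".
        KeyStore unloaded = KeyStore.getInstance("JKS");
        System.out.println("unloaded : " + tryBuild(unloaded));

        // State 2: load(null, null) initializes an empty store. The keystore
        // error is gone, but PKIX rejects it because there are no anchors
        // (InvalidAlgorithmParameterException).
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        System.out.println("empty    : " + tryBuild(empty));

        // State 3: a store loaded from a file that holds CA certificates.
        // Sample input (assumption): the cacerts file shipped with this JRE.
        // A null password skips the integrity check, enough for a read-only demo.
        String cacerts = Paths.get(System.getProperty("java.home"),
                                   "lib", "security", "cacerts").toString();
        KeyStore loaded = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            loaded.load(in, null);
        }
        System.out.println("populated: " + tryBuild(loaded));
    }
}
```

      Only the first state yields the message seen in the trace, so the exception says the trust store object was never loaded by the time the chain was validated; it does not by itself say anything about the contents of rui.crt or rui.key.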