Posts Tagged ‘single sign on’

LDAPS Identity Source for VMware vCenter Single Sign On 5.1

May 21, 2013


Once you are done with the installation of VMware vCenter 5.1, you will notice that the vSphere 5.1 client won't let you log in to your vCenter Server. Either you will need to configure a local admin ID on your vCenter Server, or, if you have Active Directory (AD) running in your environment, you will need to link it to your vCenter Server, i.e. by configuring an identity source.

During installation of vCenter Single Sign On 5.1, it tries to add the identity source, but in my case this resulted in an error (Error 29155.Identity source discovery error). I then found out that other users hit the same issue, and VMware also documents it in their KB articles. The workaround given for the issue was to add the identity source manually. Doing so, I got the following errors.

[LDAP: error code 8 – 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]

and

simple bind failed:yourdomain:636

These errors are due to the fact that your AD is configured to communicate over an LDAPS (SSL) connection. Hence, to register your identity source, you will need the X.509 certificate of your AD domain controller (DC). Export the certificate from your AD, but make sure it is the Base-64 encoded X.509 certificate.

[Screenshot: exporting the DC certificate in Base-64 X.509 format]

Once imported; again add the identity source as demonstrated below.

[Screenshot: adding the LDAPS identity source]

Once you have chosen the certificate from the Choose Certificate tab, make sure you get the following confirmation. If not, something is wrong with your certificate.

[Screenshot: certificate added successfully]

You can click on Test Connection to verify your AD connectivity.

[Screenshot: Test Connection succeeded]

If you are still facing problems adding the identity source, make sure of the following things:

  • Your vCenter, vSphere, vSphere Web Client, vCenter SSO etc. must all be installed in the same default directories.
  • Include port 3269 after your FQDN.
  • There must be proper forward and reverse DNS entries for your vCenter Server.
  • Enter the complete user name for authentication, e.g. user@domain.com
  • If your domain controller is behind a firewall, make sure you have configured a policy to allow vCenter traffic.
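Before adding the identity source, it is worth confirming that the exported file really is the Base-64 X.509 form the SSO wizard accepts, and that it is the certificate the DC actually presents on port 636 (or 3269). The following Python check is an added example, not part of the original post; the host name in the usage note, the constructed DER bytes used when testing, and the `fetch_ldaps_cert` helper are assumptions.

```python
import base64
import hashlib
import ssl
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def is_base64_x509(data: bytes) -> bool:
    """True when the export is Base-64 (PEM) encoded, the form the SSO wizard accepts."""
    text = data.strip()
    return text.startswith(PEM_HEADER.encode()) and text.endswith(PEM_FOOTER.encode())


def is_der_x509(data: bytes) -> bool:
    """A 'DER encoded binary X.509' export starts with an ASN.1 SEQUENCE tag (0x30)."""
    return len(data) > 2 and data[0] == 0x30


def der_to_pem(der: bytes) -> str:
    """Re-wrap a binary export as Base-64 X.509 instead of re-running the export wizard."""
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def sha1_fingerprint(der: bytes) -> str:
    """Thumbprint in the colon-separated form shown in the Windows certificate dialog."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_ldaps_cert(host: str, port: int = 636) -> bytes:
    """Fetch the certificate the DC presents on LDAPS (636) or Global Catalog over SSL (3269).
    No chain validation is done here; the point is only to see which certificate is served."""
    return pem_to_der(ssl.get_server_certificate((host, port)))


def matches_exported(exported_file: bytes, served_der: bytes) -> bool:
    """True when the exported file (PEM or DER) is the certificate the DC serves."""
    der = pem_to_der(exported_file.decode("ascii")) if is_base64_x509(exported_file) else exported_file
    return sha1_fingerprint(der) == sha1_fingerprint(served_der)
```

Against a real DC (assumed name dc01.yourdomain.com) the check is `matches_exported(open("dc.cer", "rb").read(), fetch_ldaps_cert("dc01.yourdomain.com", 3269))`; a mismatch means you exported a different certificate than the one the DC serves on that port.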

SQL Database Creation for vCenter 5.1 and vCenter Single Sign On 5.1

May 17, 2013


I am not a database guy and have always avoided anything related to it. When installing VMware vCenter 5.1 or earlier, you are prompted to create a DB instance. You can carry on by creating a default instance of SQL Express (zero effort required; YES, I have always done that). But doing so is not recommended in a production environment, as the DB grows and there are limited options to purge/protect your logs. Hence installing a separate SQL Server is recommended. For a dumb person like me, VMware is kind enough to include scripts for the DB creation and permission rights in the setup package, but I found that customization was required. Hence for all the like-minded fellows out there, this post might be of some help.

There are basically two DBs that need to be created: one for vCenter and the other for vCenter Single Sign On (SSO). VMware has made a major change in vCenter 5.1, in that it is now mandatory to install the SSO module.

I used Microsoft SQL Server 2008 (Enterprise Edition) for my installation. For the basic requirement, select the following features:

  • Database Engine Services.
  • Client Tools Connectivity.
  • Integration Services.
  • Management Tools Basic/Complete

Once installed, open the SQL Database Enterprise Manager and create a New Query. Execute the following three scripts one by one. (WordPress won't let me upload .sql or .txt files, hence bear with the .doc extension 🙂 )

  1. VCENTER_DB_CREATION_SCRIPT
  2. SSO_RSA_DB_CREATION_SCRIPT_1
  3. SSO_RSA_DB_CREATION_SCRIPT_2

Once done with this, make sure to create the ODBC SYSTEM DSN for the vCenter DB (VCDB). Following are the steps to create the SYSTEM DSN.

  1. Go to ODBC DATA SOURCE ADMINISTRATOR from the Control Panel. Click the SYSTEM DSN tab at the top. Click ADD.
  2. Double click SQL NATIVE CLIENT.
  3. Enter the NAME for the data source and the IP of the DB Server. Click NEXT.
  4. Select the SQL SERVER AUTHENTICATION option and give the credentials of the user (default: vpxuser) you provided in VCENTER_DB_CREATION_SCRIPT. Click NEXT.
  5. Make sure that the VCDB database is selected under CHANGE THE DEFAULT DATABASE TO. Click NEXT.
  6. Leave the default settings and click FINISH.
  7. You can verify your DB connectivity by clicking TEST DATA SOURCE.

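Steps 1 to 7 above end up as registry values under HKLM\SOFTWARE\ODBC\ODBC.INI. The following Python is an added example, not from the original post: it builds the same values, checks an existing DSN for the two settings vCenter setup depends on (default database VCDB, SQL Server authentication), and can create the System DSN without the wizard. The driver name, server address and DSN name are assumptions; note that a DSN stores no password, the vpxuser password is only ever entered in the vCenter setup itself.

```python
DRIVER_NAME = "SQL Server Native Client 10.0"  # assumption: the native client shipped with SQL 2008
ODBC_INI = r"SOFTWARE\ODBC\ODBC.INI"


def build_dsn_values(server: str, database: str = "VCDB", user: str = "vpxuser") -> dict:
    """Registry values behind wizard steps 3 to 5. There is deliberately no password value."""
    return {
        "Server": server,
        "Database": database,          # step 5: CHANGE THE DEFAULT DATABASE TO VCDB
        "Trusted_Connection": "No",    # step 4: SQL Server authentication, not Windows auth
        "LastUser": user,
    }


def check_dsn_values(values: dict, expected_database: str = "VCDB") -> list:
    """Return the problems found; an empty list means the DSN is usable by vCenter setup."""
    problems = []
    if not values.get("Server"):
        problems.append("no Server configured")
    if values.get("Database") != expected_database:
        problems.append(f"default database is {values.get('Database')!r}, expected {expected_database!r}")
    if values.get("Trusted_Connection", "No").lower() != "no":
        problems.append("DSN uses Windows authentication; vpxuser needs SQL Server authentication")
    return problems


def create_system_dsn(name: str, server: str, database: str = "VCDB") -> None:
    """Write the 64-bit System DSN under HKLM (Windows only, elevated prompt required)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, rf"SOFTWARE\ODBCINST.INI\{DRIVER_NAME}") as key:
        driver_dll = winreg.QueryValueEx(key, "Driver")[0]   # DLL path registered by the driver
    with winreg.CreateKey(hklm, rf"{ODBC_INI}\{name}") as key:
        winreg.SetValueEx(key, "Driver", 0, winreg.REG_SZ, driver_dll)
        for value_name, value in build_dsn_values(server, database).items():
            winreg.SetValueEx(key, value_name, 0, winreg.REG_SZ, value)
    with winreg.CreateKey(hklm, rf"{ODBC_INI}\ODBC Data Sources") as key:
        winreg.SetValueEx(key, name, 0, winreg.REG_SZ, DRIVER_NAME)  # lists the DSN in the admin tool


def read_system_dsn(name: str) -> dict:
    """Read an existing System DSN back so it can be passed to check_dsn_values (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"{ODBC_INI}\{name}") as key:
        count = winreg.QueryInfoKey(key)[1]
        return {winreg.EnumValue(key, i)[0]: winreg.EnumValue(key, i)[1] for i in range(count)}
```

On the vCenter host, `check_dsn_values(read_system_dsn("VCDB"))` should return an empty list before you start the vCenter Server installer.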

After doing this, you can proceed with your vCenter installation. Start the installation by clicking vCenter Server Simple Install in the vCenter Setup Wizard.

During the SSO installation you will be asked to provide the DB details as illustrated below. Provide the credentials you created in the script SSO_RSA_DB_CREATION_SCRIPT_2.

[Screenshot: SSO installer database details]

When the SSO and vCenter Inventory Service setups are complete, the installation of the vCenter Server will begin. During the setup you will again be asked to provide the DB details. Select the radio button for USE AN EXISTING SUPPORTED DATABASE and select the already created SYSTEM DSN (VCDB). Make sure to enter the credentials you entered while creating the SYSTEM DSN.

[Screenshots: vCenter installer database selection and credentials]

That's all you need to configure the DBs for your vCenter installation. I am personally done with my installation but am now stuck on a couple of upgrade issues from 5.0 to 5.1. Hence in my next blog I will be writing about those issues.
