vCenter HA: Deploy vCenter

This post is part of a series on deploying Highly Available vCenter and Platform Services Controllers.

Part 1: vCenter HA: Deploy External Platform Services Controller

Part 2: vCenter HA: Configure NetScaler for External Platform Services Controllers

Part 3: vCenter HA: Replace Certificates for Platform Services Controllers

Part 4: vCenter HA: Connect Platform Services Controllers to Active Directory

Part 5: vCenter HA: Deploy vCenter

Part 6: vCenter HA: Replace Certificates for vCenter

Part 7: vCenter HA: License vCenter

Part 8: vCenter HA: Add and Configure Hosts and Clusters

Part 9: vCenter HA: Add and Configure Datastores and Datastore Clusters

Part 10: vCenter HA: Add and Configure Distributed Switches

Part 11: vCenter HA: Configure vCenter HA

Part 12+: Advanced Tasks (Coming soon)

 

Now that we have deployed and configured our highly available Platform Services Controllers, we can go ahead and deploy vCenter.

Pre-requisites:

Make sure you have assigned a static IP and DNS as you did for the Platform Services Controllers.

We are going to be doing vCenter HA, so make sure that you have three datastores dedicated to vCenter. Note: vCenter HA does not work with Datastore Clusters.

 

Go ahead and mount the ISO as you did before. Load the UI Installer directory and launch Installer.exe.

Click Install.

Click Next.


vCenter HA: Connect Platform Services Controllers to Active Directory

Here we will be adding our Platform Services Controllers to Active Directory and configuring some initial roles.

Open your browser to:  https://hostname/psc/

Go ahead and log in with the default administrator for SSO, i.e. administrator@vsphere.local.

Click Appliance Settings.

Click Manage.

Click Join.


vCenter HA: Replace Certificates for Platform Services Controllers

***UPDATED***

In this section, we are going to be configuring CSRs, requesting certificates, and replacing them on our Platform Services Controllers. You will need to make sure that you have some kind of certificate authority available in your environment. We will be going over using a Microsoft CA to issue certificates. There is a KB article about how to configure this, but it doesn’t exactly work. Use this post:  Configure Microsoft CA Templates for VMware with SHA2-256

If you don’t have SHA2 then shame on you. You should get on it. Even if you replace your certificates with SHA1, you will still receive those pesky weak key errors in Chrome and Firefox. IE hasn’t deprecated SHA1, but it’s coming from what I understand.

You will need to download OpenSSL for Windows (unless you are using Linux).

Here is the link for Windows:  Win32 OpenSSL

Go ahead and download either the 32-bit or 64-bit Light version of 1.1.0e. Once it is downloaded, go ahead and install it.

Now that you have your Certificate Authority and OpenSSL ready to go, we will begin.

 

Here is an example config for OpenSSL:  psca.cfg

Download the example and modify it for your FQDNs for the servers and VIP.

Save the file to your OpenSSL\bin directory.

Open a command prompt and run the following command:

 

openssl req -new -nodes -out psca.csr -newkey rsa:2048 -keyout psca.key -config psca.cfg
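A pre-submission check for the request generated above, as an added example that is not part of the original post or its psca.cfg: it builds a CSR whose SANs cover the VIP and both PSC nodes, then confirms the SHA-256 signature, 2048-bit key and SAN list before the request goes to the CA. The example.test hostnames, the config contents and the function names are constructed for illustration; it assumes a POSIX shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example. Hostnames are constructed placeholders, not values from the post.

write_cfg() {  # $1 = output path; CN is the VIP, SANs cover the VIP and both nodes
cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = psc.example.test

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:psc.example.test, DNS:psc01.example.test, DNS:psc02.example.test
EOF
}

make_csr() {  # $1 = working directory; same openssl call as the post, plus -sha256
    write_cfg "$1/psca.cfg" &&
    openssl req -new -nodes -sha256 -newkey rsa:2048 \
        -keyout "$1/psca.key" -out "$1/psca.csr" -config "$1/psca.cfg" 2>/dev/null &&
    chmod 600 "$1/psca.key"   # -nodes leaves the private key unencrypted on disk
}

# Returns 0 if the CSR is acceptable, 1 unreadable/bad self-signature,
# 2 not signed with SHA-256, 3 key is not 2048-bit, 4 a required SAN is missing.
check_csr() {  # $1 = CSR path, remaining args = required DNS names
    csr=$1; shift
    text=$(openssl req -in "$csr" -noout -text -verify 2>/dev/null) || return 1
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 2
    echo "$text" | grep -Fq 'Public-Key: (2048 bit)' || return 3
    for name in "$@"; do
        # Require an exact SAN entry, not just a substring of a longer name
        echo "$text" | grep -Eq "DNS:$name(,| *\$)" || return 4
    done
    return 0
}
```

Run `check_csr psca.csr` with every FQDN clients will use, including the load-balanced one, since a name missing from the SAN list only shows up later as a browser or PSC trust error.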


vCenter HA: Configure NetScaler for Platform Services Controllers

Here we are going to be configuring Citrix NetScalers to load balance our Platform Services Controllers.

I am using NS11.0 64.34.nc for my code version. It is mostly HTML5 which is amazing. Java is a no go for me.

Select an IP and configure the DNS settings to point at your load balanced FQDN.

Open your browser and point it at the NetScaler web interface. Log in once you are there.

Click the Configuration tab.

Click the Plus on Traffic Management.

Click the Plus on Load Balancing.

Click Servers.

Click Add.

Enter the name for the server.

Enter the IP address.

Click Create.

Do this for both Platform Services Controllers.


vCenter HA: Deploy External Platform Services Controller

In this post, we are going to be focusing on deploying our external platform services controller for vCenter 6.5. You will need to make sure that you have a 6.5 host with a standard switch ready to go. You will also need to download the vCenter 6.5 ISO from the VMware site if you do not have it already.

VMware has definitely made improvements to the appliance installation and this one is the best by far. I like it a lot.

Make sure all your DNS settings are correct on the host and on the system you are deploying from; otherwise the installation may fail.

Prerequisites:

Static IPs and DNS entries with reverse lookups for two Platform Service Controllers and one vCenter

Load Balancer of any kind. I will be using a Citrix NetScaler.

Mount the ISO and navigate to the UI installer directory. From there, you need to run installer.exe.

Click Install.

Here you can see that VMware has now divided the installation of the appliance into two stages. This is helpful as you can do snapshots before the configuration just in case you have any issues.

Click Next.


Certificates…I hate them.

Updated:  Here is the link to actually configure the certificates:  Configure Microsoft CA Templates for VMware with SHA2-256

 

Now I realize that certificates are good and great and they keep our stuff from flying around the web in clear text, but I hate them and I also hate doing them for VMware.

Basically every KB article that VMware has for certificates just sucks. I have tried to get them updated and I have had no luck.

All of the articles are happy go lucky if you are on Windows 2003 with SHA1 in the most insecure environment ever, but I’m not.

This is what I have:

Windows 2012R2 AD controllers

Windows 2012R2 CA with SHA2 256 with a 2048 bit key

This is the KB I used:  VMware KB: 2112009

First of all, the video they included in the KB doesn’t match the god damn instructions. It just tells you to select “Windows 2008 Enterprise” for backwards compatibility.

Well guess what…the article references both Windows 2003 enterprise and Windows 2008 enterprise. Neither of those are real options. It’s Windows XP/2003 or Windows 2008.

They are also referencing the CA OS only. What about the certificate recipient?! Is everything VMware just backwards compatible with 2003? Well that doesn’t seem secure at all.

Next the article goes on to say this: Note: If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.

Oh really? Well it didn’t work for me. Also there are two options. The certificate authority and the certificate recipient. WHICH ONE ARE YOU TALKING ABOUT?

Jesus…Yeah I’m kind of mad. VMware needs some QA on their articles for sure.

Now I will admit…I probably don’t know as much about CAs and Certs as I should, but KB articles are for the uninformed people aka Knowledge Base. Not the people who know everything.

:rantover:

I have actually resolved the issue and I have posted a link at the top of this article.

 

Configure Microsoft CA Templates for VMware with SHA2-256

So now that I have finished my rant, I will show you how to successfully configure a template for VMware certificates.

So for this you need to have a 2008+ Microsoft Certificate Authority installed and ready to go.

This is the VMware KB and it is incomplete:  VMware KB: 2112009

Open the Certificate Authority snap-in.

Right click on Certificate Templates and click Manage.

Right click on Web Server and click Duplicate.

Enter the names for the Template.

Select Windows 2008 for both options. (Not specified in the KB)

Check the box for Allow private key to be exported. (Not in the KB at all)

You need this if you are doing your CSRs through IIS since you will need the key.
