vCenter SSO Migration

Migrate vCenter Single Sign-On Service to vCenter Server


In this post we will see how to migrate the vCenter Single Sign-On service to the vCenter Server.
You can use the same process to move the SSO service to any other server.

I am in the process of upgrading all servers from vCenter 5.5 U2 to vCenter 6.0 U1.
Currently the vCenter 5.5 services are installed in distributed mode, where the Inventory and SSO services run on different servers for each vCenter.

So as part of the upgrade process my team has decided to move away from the distributed vCenter installation and keep all vCenter services on one server only.

VMware has provided steps to migrate the SSO service to an external server, but there is no clear process defined for migrating the SSO service back to the vCenter server where the other vCenter services are running.

My current production vCenter setup contains two vCenter 5.5 U2 servers deployed in the US and India; Linked Mode is configured and SSO is configured in multi-site mode.


Each vCenter's services are installed in distributed mode on three different servers.

Before I upgrade my production setup, I did testing in my lab.

Server Setup -

vCenter -01

vlab-vc-sso01 - This server is running the vCenter SSO service
vlab-vc-inv01 - This server is running the vCenter Inventory Service
vlab-vc01 - This server is running all other vCenter services, including Update Manager and the Web Client.
Operating system - Windows 2008 R2

vCenter -02

vlab-vc-sso02 - This server is running the vCenter SSO service
vlab-vc-inv02 - This server is running the vCenter Inventory Service
vlab-vc02 - This server is running all other vCenter services, including Update Manager and the Web Client.
Operating system - Windows 2008 R2

So first we need to migrate the SSO service from the separate SSO server to the vCenter server, and then upgrade the vCenter server to 6.0 U1.


Let's go step by step -

Before we start the upgrade, take snapshots of the VMs and a backup of the vCenter DB.
First we are going to upgrade the first vCenter, i.e. vlab-vc01.
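As an added example (not part of the original post), the snapshot step above can be scripted with PowerCLI so that all three servers of one distributed vCenter are snapshotted together with a consistent name. The host names are the ones from this post's lab; $vcenter, the vCenter that manages these VMs, is an assumption and must be adjusted for your environment, as is the assumption that PowerCLI is installed on the machine you run this from.

```powershell
# Added example, not from the original post: snapshot every server that belongs
# to one distributed vCenter before starting the SSO migration.
# Assumes PowerCLI is installed. Host names are from the post's lab setup;
# $vcenter (the vCenter managing these VMs) is an assumption - adjust as needed.

$vcenter = "vlab-vc01.vlabcorp.com"                          # assumed managing vCenter
$vms     = "vlab-vc-sso01", "vlab-vc-inv01", "vlab-vc01"     # the three servers of vCenter-01
$stamp   = Get-Date -Format "yyyyMMdd-HHmm"

# Connect-VIServer prompts for credentials when none are supplied, so the
# password does not have to be placed on the command line.
Connect-VIServer -Server $vcenter | Out-Null

foreach ($name in $vms) {
    # Stop on the first VM that cannot be found rather than snapshotting a partial set.
    $vm = Get-VM -Name $name -ErrorAction Stop
    New-Snapshot -VM $vm -Name "pre-sso-migration-$stamp" `
        -Description "Before SSO migration / vCenter 6.0 U1 upgrade" `
        -Memory:$false -Quiesce:$true | Out-Null
    "Snapshot taken: $name"
}

# List what was created so it can be verified now and removed after the upgrade.
Get-VM -Name $vms | Get-Snapshot | Select-Object VM, Name, Created, SizeGB

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run it once per vCenter (change $vms to the vCenter-02 servers for the second run). Remember to delete the snapshots once the upgrade has been verified, since leaving them in place costs datastore space and performance.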

1. Break linked mode between two vCenter servers 


Traditional Linked Mode is no longer supported in vCenter 6. You can skip this step if you don't have Linked Mode configured.

2. Install the SSO service on the vCenter server, in my case vlab-vc01.


a. Check the vCenter server version and mount the ISO of the same build to install the SSO service.
Any other version may also work, but it is best to use the same version.
b. Follow the regular steps for installing the SSO service on the vCenter server.
c. Select the first option, 'vCenter SSO for your first vCenter server', during the installation steps.
d. Select the other option if you would like to join this SSO to an existing SSO domain/site (this applies only if you have another SSO server running in a current, working production setup).

Once the SSO service installation completes, proceed further.

3. Replace default SSL certificate of SSO service 


With the default CA-signed certificate the vCenter repoint process does not work, so you have to replace the SSO certificate.

There are very good VMware KB articles on this; follow the process in the KB to change the certificate for the SSO service.

The steps mentioned below are taken from VMware KB 2033620,
so you can refer to that KB as well.

4. Re-register vCenter Inventory Service with vCenter Single Sign-On


a. Log in to the server where the Inventory Service is installed; in this example it is vlab-vc-inv01.
b. Open a command prompt with Administrator privileges.
c. Run the commands below:
>cd C:\Program Files\VMware\Infrastructure\Inventory Service\scripts

>is-change-sso.bat https://vlab-vc01.vlabcorp.com:7444/lookupservice/sdk "administrator@vSphere.local" "Admin@sso"
>net stop vimQueryService
>net start vimQueryService

5. Register vCenter Server with a vCenter Single Sign-On 


Log in to the vCenter server - vlab-vc01.
a. Go to C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool
b. Unzip the sso_svccfg.zip file to an sso_svccfg folder at the same location.
c. Copy openssl and the other DLLs from the vCenter Inventory Service server (C:\Program Files\VMware\Infrastructure\Inventory Service\bin) to the sso_svccfg folder.
d. Create the Inventory Service directory structure on the vCenter server:
 mkdir C:\Program Files\VMware\Infrastructure\Inventory Service\bin
e. Open a command prompt with Administrator privileges and run the commands below to repoint the vCenter server to the SSO server.

>cd C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool
>cd sso_svccfg
>repoint.cmd configure-vc --lookup-server https://vlab-vc01.vlabcorp.com:7444/lookupservice/sdk --user "administrator@vSphere.local" --password "Admin@sso" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"

As we have installed the SSO service on the vlab-vc01 server, I have provided vlab-vc01 as the --lookup-server URL; if you have installed SSO on any other server, change this URL accordingly.
f. Restart the vCenter Server and web services.

Possible errors -


a. If you get Java related errors, update the Java path in the repoint.cmd file:
set JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\

b. If you get openssl errors, such as openssl not found, make sure you have copied the openssl files and created the Inventory Service folder structure on the server.

c. If you get an SSL certificate error (... path not found ...),
make sure you have replaced the SSL certificate of the SSO service after installation.

d. The vCenter service cannot start after repointing to the new SSO server, and the vpxd log file shows that vCenter is unable to read the SSL certificate and private key file.

Open C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg in a text editor and make sure the SSL certificate and private key file paths are present.

If the certificate and private key values are null, the vCenter service will not start:

    <certificate>null</certificate> and
    <privateKey>null</privateKey>


Update the certificate and private key file paths as below and save the vpxd.cfg file.

    <solutionUser>
        <certificate>C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt</certificate>
        <name>vCenterServer_<random numbers></name>
        <privateKey>C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.key</privateKey>
      </solutionUser>

Once you have started the vCenter service successfully after repointing to SSO, proceed further.
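The four error cases above are all things that can be checked before running repoint.cmd and before restarting the vCenter service. The following script is an added example and is not part of the original post or of VMware's tooling: it checks that Java and openssl are where repoint.cmd expects them, shows which certificate the SSO lookup service is actually presenting on port 7444 so you can confirm the default certificate was replaced, and scans vpxd.cfg for <solutionUser> entries whose certificate or private key is null or points at a missing file. Host names, ports and paths are the ones from this post; the JAVA_HOME path is the one shown in error (a). Run it from an elevated PowerShell prompt on the vCenter server and adjust the variables for your environment.

```powershell
# Added example, not from the original post: pre-flight checks for the
# repoint.cmd step and the vpxd.cfg problem described in errors (a)-(d).
# Hostnames, ports and paths are taken from this post's lab; adjust them as needed.

$ssoHost    = "vlab-vc01.vlabcorp.com"   # server now running SSO (post's lab name)
$ssoPort    = 7444                        # SSO lookup service port used in the post
$opensslDir = "C:\Program Files\VMware\Infrastructure\Inventory Service\bin"
$javaHome   = "C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components"
$vpxdCfg    = "C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg"

$problems = @()

# Error (a): repoint.cmd needs a JAVA_HOME that actually contains java.exe.
if (-not (Test-Path (Join-Path $javaHome "bin\java.exe"))) {
    $problems += "java.exe not found under $javaHome - set JAVA_HOME in repoint.cmd"
}

# Error (b): openssl must have been copied from the Inventory Service server.
if (-not (Test-Path (Join-Path $opensslDir "openssl.exe"))) {
    $problems += "openssl.exe missing in $opensslDir - copy it from the Inventory Service server"
}

# Error (c): print the certificate the SSO lookup service presents on 7444 so the
# operator can confirm it is the replaced one (step 3) and not the default.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ssoHost, $ssoPort)
    # The callback accepts any chain: we only inspect the certificate here, we do not trust it.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($ssoHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "SSO certificate presented on ${ssoHost}:${ssoPort}"
    "  Subject    : $($cert.Subject)"
    "  Issuer     : $($cert.Issuer)"
    "  Expires    : $($cert.NotAfter)"
    "  Thumbprint : $($cert.Thumbprint)"
    $ssl.Close(); $tcp.Close()
} catch {
    $problems += "Could not read the SSO certificate from ${ssoHost}:${ssoPort} - $($_.Exception.Message)"
}

# Error (d): every <solutionUser> in vpxd.cfg must point at real certificate and key files.
if (Test-Path $vpxdCfg) {
    [xml]$cfg = Get-Content $vpxdCfg
    foreach ($su in $cfg.SelectNodes("//solutionUser")) {
        foreach ($tag in "certificate", "privateKey") {
            $node  = $su.SelectSingleNode($tag)
            $value = if ($node) { $node.InnerText } else { "" }
            if ($value -eq "" -or $value -eq "null") {
                $problems += "vpxd.cfg: <$tag> under <solutionUser> is '$value' - the vCenter service will not start"
            } elseif (-not (Test-Path $value)) {
                $problems += "vpxd.cfg: <$tag> points at a missing file: $value"
            }
        }
    }
} else {
    $problems += "vpxd.cfg not found at $vpxdCfg"
}

if ($problems.Count -eq 0) {
    "All checks passed."
} else {
    "Problems found:"
    $problems | ForEach-Object { "  - $_" }
}
```

The script only reports; it does not edit vpxd.cfg or touch the SSO installation, so it can be re-run safely after each fix. The certificate block deliberately bypasses chain validation because the goal at this point is to see what the service presents, not to trust it; compare the printed subject and thumbprint against the certificate you installed in step 3.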

6. Re-register vCenter Server with the Inventory Service


a. Log in to the vCenter server - vlab-vc01
b. Open a command prompt with Administrator privileges.
c. Run the commands below:
>cd C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool
>register-is.bat https://vlab-vc01.vlabcorp.com:443/sdk https://vlab-vc-inv01.vlabcorp.com:10443 https://vlab-vc01.vlabcorp.com:7444/lookupservice/sdk
d. Restart the vCenter server (RESTART the server, not the service).

7. Register the vSphere Web Client with a vCenter Single Sign-On


a. Log in to the vCenter server - vlab-vc01
b. Open a command prompt with Administrator privileges.
c. Run the commands below:
> cd C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts
> client-repoint.bat https://vlab-vc01.vlabcorp.com:7444/lookupservice/sdk "administrator@vSphere.local" "Admin@sso"



8. Proceed further and upgrade vCenter to 6


Mount the vCenter 6 ISO on the vCenter server - vlab-vc01.
Start the upgrade process of the vCenter server.
This will install the Inventory Service, upgrade SSO, and upgrade/install all other vCenter services.

Once the vCenter upgrade has finished, you can power off the old Inventory and SSO servers.
In my case these are vlab-vc-inv01 and vlab-vc-sso01.

Now all vCenter services are running on the same server - vlab-vc01.

9. Upgrade second vCenter server 


Follow the same steps 2 to 8 above and upgrade the second vCenter, in this case vlab-vc02.
While installing SSO on the second server, select the multi-site installation option (a new SSO server in the same SSO domain for the new vCenter) and provide the first SSO server's hostname and the SSO admin password.

10. Power Off old Inventory and SSO service server


Once the second vCenter has been upgraded to vCenter 6, you can power off the old SSO and Inventory Service servers.

As we have installed SSO in multi-site mode, you can see the hosts and VMs of both vCenters in the Web Client.


I have four more vCenter servers running with distributed services installed, but in a separate SSO domain.
I will be following the same process to upgrade them to 6.0 U1.
