
Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool (2048202)


Symptoms

  • When running the SSL Certificate Automation Tool, you see a warning similar to:

    Warning: Different certificates are being used for SSL and Solution users.
    Manual intervention is required. For details, see KB 2048202.
    After performing the steps described in the KB article, continue with this operation.

    Do you want to continue?


  • VMware vCenter Server was upgraded from vCenter Server 5.0 or earlier and SSL certificates were previously replaced for all components.

Purpose

This article provides steps to validate the accuracy of the message that the SSL Certificate Automation Tool displays and, when necessary, to replace the vCenter Server SSL certificates when using the tool.

Cause

The SSL Certificate Automation Tool automates the process of installing custom certificates for vCenter Server 5.1 environments. In a new installation of vCenter Server including all of the subsequent components, the configuration is simplified.

This issue occurs during upgrades, depending on the initial configuration of the system. Upgrades introduce inconsistencies, most often in configurations that use non-default certificates, which the tool cannot resolve without intervention. The SSL Certificate Automation Tool takes many of these situations into account to prevent failure during the implementation. In certain situations, manual intervention is required to ensure successful installation of certificates.

Resolution

Before performing any steps to replace the vCenter Server SSL certificates, validate the accuracy of the message the SSL Certificate Automation Tool displays.
 
When all three of these validation steps are true, proceed with the resolution. If any one of the three steps is not true, ignore the message and select the option to continue the operation with the SSL Certificate Automation Tool.
 
To validate the accuracy of the message the SSL Certificate Automation Tool displays:
  1. Verify that the sso.crt, sso.key and sso.pfx files are present. By default, the files are located at:

    For Windows 2008: C:\ProgramData\VMware\VMware VirtualCenter\SSL\
    For Windows 2003: C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtualcenter\SSL\

  2. Verify that sso.crt and sso.key are configured in the vpxd.cfg file. By default, the vpxd.cfg file is located at:

    For Windows 2008: C:\ProgramData\VMware\VMware VirtualCenter\
    For Windows 2003: C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtualcenter\

    Look for this text in the vpxd.cfg file:

    <solutionUser>
    <certificate>C:\ProgramData\VMware\VMware VirtualCenter\ssl\sso.crt</certificate>
    <name>vCenterServer_YYYY.MM.DD_######</name>
    <privateKey>C:\ProgramData\VMware\VMware VirtualCenter\ssl\sso.key</privateKey>
    </solutionUser>

  3. Verify that there are separate certificates configured for solutionUser and endpoint0 in the vcsso.properties file. By default, the vcsso.properties file is located at C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\.

    Look for this text in the vcsso.properties file:

    [solutionUser]
    name=vCenterServer_YYYY.MM.DD_######
    cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
    description=vCenter Server
    ..
    [endpoint0]
    uri=https://fqdn.com:443/sdk
    ssl=C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
    protocol=vmomi
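
The three validation checks above can be scripted against copies of the files. This is an added example, not VMware code: the function names and sample inputs are constructed here, and it assumes vpxd.cfg is well-formed XML and that vcsso.properties contains only INI-style sections like the snippet shown.

```python
import configparser
import ntpath  # Windows path rules; works on any OS
import xml.etree.ElementTree as ET

REQUIRED = {"sso.crt", "sso.key", "sso.pfx"}

def _base(path):
    """Lower-cased file name of a Windows path ('' when the element is missing)."""
    return ntpath.basename((path or "").strip()).lower()

def check_files(ssl_dir_listing):
    """Step 1: sso.crt, sso.key and sso.pfx are all present in the SSL folder."""
    return REQUIRED <= {name.lower() for name in ssl_dir_listing}

def check_vpxd(vpxd_xml):
    """Step 2: a <solutionUser> block in vpxd.cfg references sso.crt and sso.key."""
    return any(_base(su.findtext("certificate")) == "sso.crt"
               and _base(su.findtext("privateKey")) == "sso.key"
               for su in ET.fromstring(vpxd_xml).iter("solutionUser"))

def check_vcsso(props_text):
    """Step 3: [solutionUser] cert and [endpoint0] ssl name different files."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(props_text)
    cert = cp.get("solutionUser", "cert", fallback=None)
    ssl = cp.get("endpoint0", "ssl", fallback=None)
    if not cert or not ssl:
        return False
    return ntpath.normcase(cert.strip()) != ntpath.normcase(ssl.strip())

def warning_is_accurate(ssl_dir_listing, vpxd_xml, props_text):
    """True only when all three checks hold (manual resolution is needed)."""
    return (check_files(ssl_dir_listing) and check_vpxd(vpxd_xml)
            and check_vcsso(props_text))

# Constructed sample inputs modelled on the snippets in this article.
SAMPLE_FILES = ["rui.crt", "rui.key", "rui.pfx", "sso.crt", "sso.key", "sso.pfx"]
SAMPLE_VPXD = r"""<config><solutionUser>
<certificate>C:\ProgramData\VMware\VMware VirtualCenter\ssl\sso.crt</certificate>
<privateKey>C:\ProgramData\VMware\VMware VirtualCenter\ssl\sso.key</privateKey>
</solutionUser></config>"""
SAMPLE_PROPS = r"""[solutionUser]
cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
[endpoint0]
ssl=C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
"""

if __name__ == "__main__":
    print(warning_is_accurate(SAMPLE_FILES, SAMPLE_VPXD, SAMPLE_PROPS))
```

For a live check, pass `os.listdir()` of the SSL folder and the contents of the two files in place of the samples.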

Use these steps when all three items have been validated in your environment

 
To resolve this issue when all three items have been validated in your environment, replace the vCenter Server SSL certificates when using the SSL Certificate Automation Tool.
 
To replace the vCenter Server SSL certificates when using the SSL Certificate Automation Tool:
  1. Log in to the vCenter Single Sign-On (SSO) server and open a command prompt.
  2. Set the JAVA_HOME environment variable by running the command for your version:

    vCenter Server 5.1:

    SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

    vCenter Server 5.5:

    SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\

    Note: This is the default installation path; changes to the path syntax may be required.

  3. Navigate to the ssolscli.cmd directory. By default, this is located at:

    vCenter Server 5.1:

     C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli\

    vCenter Server 5.5:

    C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\

  4. Run this command to identify service details for the configuration:

    ssolscli.cmd listServices https://ssoserver.domain.com:7444/lookupservice/sdk

    Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server.

  5. Locate the vCenter Server service information.

    Example service configuration:

    Service 4
    -----------
    serviceId={A4EEF3E6-9129-4545-9CD9-3B42F0E29350}:7
    serviceName=vCenterService
    type=urn:vc
    endpoints={[url=https://vcserver.domain.com:443/sdk,protocol=vmomi]}
    version=5.1
    description=vCenter Server
    ownerId=vCenterServer_YYYY.MM.MM_######@System-Domain
    productId=<null>
    viSite={A4EEF3E6-9129-4545-9CD9-3B42F0E29350}



    Note: If there are multiple vCenter Servers listed in the service information, make sure that you are looking at the correct vCenter Server service information by checking the endpoint URL.

  6. Locate the vCenter Server application user by reviewing the service configuration output. Find the line matching this, from the output referred to in the previous step:

    ownerId=vCenterServer_YYYY.MM.MM_######@System-Domain

  7. Run this command to remove the application user:

    ssolscli unregisterSolution -d https://ssoserver.domain.com:7444/lookupservice/sdk -u admin@system-domain -p password -su vCenterServer_YYYY.MM.MM_######

    Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server and password is your admin@system-domain password.


    Note: Do NOT carry over the @System-Domain from Step 6. ONLY carry over vCenterServer_YYYY.MM.MM_######

  8. Open Notepad and copy the serviceId information from the output of step 4 into a new text file. The only text in the file must be the service ID, for example:

    {A4EEF3E6-9129-4545-9CD9-3B42F0E29350}:7

  9. Save the file as:

    C:\Program Files\VMware\Infrastructure\SSOServer\service.id

  10. Unregister vCenter Server from the Lookup Service by running this command:

    ssolscli unregisterService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u admin@system-domain -p password -si "C:\Program Files\VMware\Infrastructure\SSOServer\service.id"

    Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server and password is your admin@system-domain password.

  11. Log in to the vCenter Server and open a command prompt.
  12. Set the JAVA_HOME environment variable by running this command:

    SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

  13. Navigate to the vpxd.cfg configuration file. By default, this file is located at:

    • For Windows 2008: C:\ProgramData\VMware\VMware VirtualCenter\
    • For Windows 2003: C:\Documents and Settings\All Users\Application Data\VMware\VMware Virtualcenter\

  14. Edit the vpxd.cfg file in Notepad and remove the lines that reference the solution user certificate.

    Remove these lines:

    <certificate>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt</certificate>
    <privateKey>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.key</privateKey>


  15. Navigate to the vcsso.properties file. By default, this is located in the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\ folder.
  16. Edit the vcsso.properties file in Notepad and replace the reference to sso.crt with rui.crt.

    For example, change this:

    [solutionUser]
    name=vCenterServer_YYYY.MM.MM_######
    cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
    description=vCenter Server


    to:

    [solutionUser]
    name=vCenterServer_YYYY.MM.MM_######
    cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
    description=vCenter Server


  17. Stop the VMware VirtualCenter Server service.
  18. Navigate to the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\ folder.
  19. Extract the sso_svccfg.zip file.
  20. In a command prompt window, navigate to the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\ folder.
  21. Re-register vCenter Server to vCenter Single Sign-On by running this command:

    repoint.cmd configure-vc --lookup-server https://ssoserver.domain.com:7444/lookupservice/sdk --user "admin@System-Domain" --password "password" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"

    Where ssoserver.domain.com is the fully qualified domain name of the vCenter SSO Server and password is your admin@system-domain password.

    Note: If vCenter Server has been installed in a non-default location, use this command: 

    repoint.cmd configure-vc --lookup-server https://ssoserver.domain.com:7444/lookupservice/sdk --user "admin@System-Domain" --password "password" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/" --vc-install-dir "D:\Program Files\VMware\Infrastructure\VirtualCenter Server"

    Where --vc-install-dir is the location where vCenter Server is installed. This example uses the D: drive.

  22. On the vCenter Server, start the VMware VirtualCenter Server and VMware VirtualCenter Management Webservices services.

After these steps are completed, return to the SSL Certificate Automation Tool and continue with the certificate implementation as shown in the update plan.
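
Steps 5 to 9 depend on picking the correct service block and copying two values by hand, which is where mistakes tend to happen. The following added example (not VMware code) parses `listServices` output in the format shown in step 5, selects the vCenter Server by its endpoint URL, and returns the text for the service.id file and the `-su` value without `@System-Domain`. The function names, the second service block and the owner IDs are constructed for illustration.

```python
import re

def parse_services(output):
    """Split listServices output into one dict of key=value pairs per service."""
    services, current = [], None
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"Service \d+", line):
            current = {}
            services.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key] = value
    return services

def vcenter_unregister_inputs(output, vc_sdk_url):
    """Return (service.id file content, -su value) for the vCenter at vc_sdk_url."""
    wanted = vc_sdk_url.lower()
    matches = []
    for svc in parse_services(output):
        urls = re.findall(r"url=([^,\]]+)", svc.get("endpoints", ""))
        if svc.get("type") == "urn:vc" and wanted in (u.lower() for u in urls):
            matches.append(svc)
    if len(matches) != 1:
        raise LookupError(f"expected exactly one vCenter service, found {len(matches)}")
    svc = matches[0]
    # Step 7 note: carry over only the part before @System-Domain.
    return svc["serviceId"], svc["ownerId"].split("@", 1)[0]

# Constructed sample: the second block mirrors the example in step 5.
SAMPLE_OUTPUT = """\
Service 3
-----------
serviceId={11111111-2222-3333-4444-555555555555}:5
serviceName=vCenterService
type=urn:vc
endpoints={[url=https://othervc.domain.com:443/sdk,protocol=vmomi]}
ownerId=vCenterServer_2013.02.02_111111@System-Domain

Service 4
-----------
serviceId={A4EEF3E6-9129-4545-9CD9-3B42F0E29350}:7
serviceName=vCenterService
type=urn:vc
endpoints={[url=https://vcserver.domain.com:443/sdk,protocol=vmomi]}
ownerId=vCenterServer_2013.01.01_000000@System-Domain
"""

if __name__ == "__main__":
    print(vcenter_unregister_inputs(SAMPLE_OUTPUT, "https://vcserver.domain.com:443/sdk"))
```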
