Installing vCAC 6.0.1.1 – Part 4: Deploying The vPostgres Appliance

In this part of the install guide we will be deploying the vPostgres Virtual Appliance. In a regular, simple install of vCAC the vCAC appliance would be configured to use the embedded database. However, when scaling out or going distributed you should use a separate database appliance for high availability and performance reasons. This is completely overkill for the lab, but it is how I’d do it in ‘real life’ so I’m going to do it regardless.

Step 1: Deploy the OVF file.

Log in to your vCenter Server via the Web Client (you don’t HAVE to use the web client, but the good old C# client WILL be going soon so you might as well get used to it, even though it’s a lot of unnecessary pain).


You can deploy an OVF Template by right clicking the root of your vCenter and selecting the Deploy OVF Template option. NOTE: at this point I had to install the Client Integration Plugin for my browser (sigh)…

Browse to the location of your OVF file (VMware-Postgres-appliance-9.3.2.0-1551188_OVF10.ova) and select Next.

Under the Review Details window you’ll have to tick the box accepting the Extra Configuration Options to be able to proceed. Click Next.


Accept the usual EULA related stuff and click Next. Now, name the appliance, place it in the host and folder of your choice and configure the networking. Be sure to change the IP addressing from DHCP to manual so you can assign it a static address. Also remember to go and add an entry in DNS for the appliance. Finally you will have to set a password (do not lose this) and you’ll be able to see a summary of the information just before it is ready to deploy.


Click Finish and the VM will go off and deploy itself. Once it is deployed and powered on, open a console to the appliance to check when it has completed its first-time boot process and that everything you configured has stuck (the IP address in particular).

Step 2: Configure the Appliance

Now navigate to: https://vcacpsql01.lab.local:5480 (in my case, obviously) and log on using Username: root with Password: <defined in OVF setup>.  The web interface now loads.  In the system tab change the Timezone to be that relevant to you.  Remember to click Save Settings.

Now, head over to the tab and check that all the settings are correct and as intended. Amend and add if necessary and save your settings.

Exit the web interface and open up a VMware Remote Console to the PostgreSQL Appliance.  Log on using root / <defined password> as before.


Step 3: Prepare the PSQL Database

We now need to prepare the database for vCAC. Enter the following commands in sequence to do this. Be aware that the console is using the ‘wrong’ keyboard layout if you are using a regular UK keyboard. If you’ve not used psql before, take special care to remember the ‘;’ at the end of each SQL command line (the backslash commands such as \c and \q do not take one).

su - postgres
psql
CREATE USER vpxuser WITH NOCREATEDB NOCREATEROLE NOCREATEUSER INHERIT LOGIN ENCRYPTED PASSWORD '<insert password here>';
CREATE DATABASE vcac WITH OWNER vpxuser;
-- connect to the new database first; extensions are per-database, so creating them while still connected to 'postgres' does nothing for vcac
\c vcac
CREATE EXTENSION "hstore";
CREATE EXTENSION "uuid-ossp";
\q
exit
exit

You can now close the connection to the appliance.

NOTE: At this point I recommend shutting down the PSQL appliance and taking a SNAPSHOT of it after this initial configuration.  If anything goes wrong later this is a perfect point to have a snapshot.


Installing vCAC 6.0.1.1 – Part 3: Certificates Prep and Configuration (Continued)

Continuing from the previous posts. Here we shall generate the certificates used for the vCAC appliances.

Step 5: Install Open SSL

VMware requires that a very specific version of OpenSSL is installed for use with vCAC 6.0.1.1 appliances and components. In this instance we have to use OpenSSL v0.9.8zb, as anything from the 1.x stack is not supported in this version. This build of 0.9.8 is a patched version that is NOT vulnerable to the security flaws that prompted the 1.x version release.

Prior to installing OpenSSL on your issuing CA (again, in my lab this is the DC running MS Certificate Services) you need to ensure the prerequisites for installing OpenSSL have been met. In this case that is downloading and installing the Visual C++ 2008 Redistributable. This is available from Microsoft (vcredist_x86.exe).

So, first off install that prerequisite and then download and install Win32OpenSSL-0_9_8zb.exe.

The installation of OpenSSL is mostly a ‘keep clicking Next’ affair. However, as outlined below, you should ensure that the OpenSSL binaries are stored in the /bin directory and NOT the Windows system directory. It makes things MUCH easier later and allows things to happen automatically.

Step 6: Issue SSL Certificates for the vCAC and SSO Appliances

Open a PowerShell window, make a new directory as shown and then launch the Certificates Manager console. Or do it via Windows Explorer if you like.

md C:\Certificates\vCAC
certmgr.msc

Expand Trusted Root Certification Authorities and then select Certificates. You should be able to see the Root certificate for the Authority. Now, in the details pane, right click on your created Root Certificate (in my case LabDC01-EntRootCA) and select All Tasks > Export.

The Export wizard will open up. Follow the process, ensuring that the certificate is exported in Base-64 encoded X.509 (.CER) format (shown below).


Then save the file in the C:\Certificates\vCAC folder as Root64-1.cer and complete the wizard. Note that the names of the folders and files here refer to commands we will soon be executing. If this were an offline root CA with an online issuing CA there would be a second certificate in the chain of trust and this would also have to be exported (hence the ‘-1’ at the end of the certificate file name).

The requirements for vCAC certificates are long and specific. Luckily a guy called Ross Davies has created a PowerShell script that will do all the OpenSSL stuff for you. All you have to do is enter a few variables and the hard work is done! (I’m really not a regular user of OpenSSL so this was a godsend.) Check out his post http://www.rossdavies.info/blog/2014/01/02/vcloud-automation-center-vcac-6-0-generate-certificates/ to get the script and see how he made it.

Below is the user variable area of the script with my values plugged in. Ensure that $CertOutputPath and $OpenSslInstallDir are correct before running the script. Also note that there are NO SPACES in the Certificate Template name, as the template name is created without spaces regardless of the friendly name given.

# Path to directory to store created certificates
$CertOutputPath = "C:\Certificates\vCAC"

# OpenSSL location
$OpenSslInstallDir = "C:\OpenSSL"

# CA Name
$CAName = "LabDC01\LabDC01-EntRootCA"

# Certificate Template Name
$CertificateTemplateName = "VMwareSSLCertificate"
# Certificate subject details
$CertificateCountryName = "GB"
$CertificateStateOrProvinceName = "London"
$CertificateLocalityName = "London"
$CertificateOrganizationName = "Lab"
$CertificateOrganizationalUnitName = "Dev"

When the script is run it simply asks a few questions (shown below), all of which revolve around Subject Alternative Name (SAN) values for the certificates. vCAC gets really, REALLY sniffy about these values existing so it is best to put in all the names you can think of here. NOTE: the Common Name must be the FQDN; the SANs are DNS names and entries. Normally I wouldn’t put the IP address as an entry here, but this is a lab environment so I want a fallback if I mess my DNS up!

The script will do some OpenSSL goodness and then ask you if the Root CA certificate is in the correct location. Check that Root64-1.cer is there and then select Yes.

Again, magic will happen and the following confirmation should appear:

The same steps are now required for the vCAC Virtual Appliances. As before, ensure the SANs are entered correctly and thoroughly. Remember that, in a distributed environment, the main address for the vCAC VA will be the load balancer address / DNS entry.

Again, a confirmation will appear (shown below) if everything has gone right. To check everything has run correctly you can take a look in C:\Certificates\vCAC and you should see two new folders created (vCAC-SSO and vCAC-vAPP). These folders contain numerous files making up the certificates in the right formats for importing into the vCAC appliances.
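Before importing anything, it is worth checking that a generated certificate actually carries what vCAC demands (FQDN as CN, the FQDN as a DNS SAN, an RSA key of at least 2048 bits, Digital Signature and Key Encipherment key usage, and both Server and Client Authentication EKUs as set on the template). The check below is an added example, not part of the original post or Ross Davies’ script; the certificate path and the appliance FQDN are assumptions for this lab.

```powershell
# Added example (not from the post or Ross Davies' script). Loads a generated
# certificate and reports anything that would make vCAC reject it.
function Test-VcacCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $problems = @()

    # Common Name must be the appliance FQDN.
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN='
    if ($cn -ne $Fqdn) { $problems += "CN is '$cn', expected '$Fqdn'" }

    # The FQDN must also be present as a DNS entry in the SAN extension (OID 2.5.29.17).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { $problems += 'No Subject Alternative Name extension' }
    elseif ($san.Format($false) -notmatch "DNS Name=$([regex]::Escape($Fqdn))") {
        $problems += "SAN does not list DNS name $Fqdn"
    }

    # RSA key of at least 2048 bits.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa -or $rsa.KeySize -lt 2048) { $problems += "RSA key size is $($rsa.KeySize), expected 2048 or more" }

    # Key usage as ticked on the template: Digital Signature and Key Encipherment.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $wanted) -ne $wanted)) { $problems += "Key usage is '$($ku.KeyUsages)'" }

    # Application policies: Server Authentication (.3.1) and Client Authentication (.3.2).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($required in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($oids -notcontains $required) { $problems += "Missing EKU $required" }
    }

    # The chain must build to a trusted root (the enterprise root exported as Root64-1.cer).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) { $problems += 'Certificate chain does not build to a trusted root' }

    return $problems
}

# Assumed file name and FQDN for the lab SSO appliance; change both to match your output.
$issues = Test-VcacCertificate -CertPath 'C:\Certificates\vCAC\vCAC-SSO\vcacsso01.lab.local.cer' -Fqdn 'vcacsso01.lab.local'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Certificate meets the vCAC requirements checked.' }
```

Run it once per appliance certificate (SSO and vAPP); for the vAPP certificate in a distributed setup the FQDN to pass is the load balancer name.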

That’s it. We are now done with certificates and can get on with installing the vCAC appliances.


Installing vCAC 6.0.1.1 – Part 2: Certificates Prep and Configuration

When installing vCAC in a distributed / load balanced way it is not possible to use self-signed certificates to get everything working correctly (wildcard certs are not supported either). Therefore, correct certificates have to be generated for your environment and then issued for the various vCAC components. In a production environment the Public Key Infrastructure (PKI) would ideally be an Offline Root CA server with a second server provisioned as an Online Issuing Certificate Authority. In my lab environment I don’t have the capacity for this, so my online Domain Controller will be an Enterprise Root CA. There won’t be a secondary issuing server. I will also assume that you are setting up a PKI for the first time and it’s not already installed.

Step 1: Create A CAPolicy.inf File

Before installing Active Directory Certificate Services you can create a CAPolicy.inf file that defines certain default values you want the PKI to adhere to. In my case I want strong encryption with a long validity so I don’t ever have to worry about replacing anything later.

The file should be created as %windir%\CAPolicy.inf and contain the values you require.  In my case it looks like:

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
Renewalkeylength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=40

CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

This specifies a key length of 4096 bit (strong) with a 40 year validity period and a 20 year period for Certificate Revocation Lists.  Delta CRLs are disabled for simplicity!

NOTE: I believe this file is only used if the GUI configuration of the CA is followed.  If using PS as below these settings need to be configured manually.

Step 2: Install Active Directory Certificate Services

I prefer to add features to Windows using PowerShell as it means I don’t have to keep clicking Next every few seconds. The commands I use going forward only work on Windows Server 2012 upwards (sorry).  If you are running 2008R2 or older you’ll have to install the roles and features the old way. Also note that the method below requires the server I am installing on be a Domain Controller.

To install AD-CS Open up a PowerShell Window (ensure it’s running as an administrator) and run the command:

Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

This will install the feature pretty quickly.  A progress bar will appear if the command works:

Then, upon successful install, a confirmation message is shown:

All this has done is install the feature. The server still needs to be configured as an Enterprise Root CA. First we run the PS command below to set up the server as an Online Enterprise Root CA:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -KeyLength 4096 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 40 -CACommonName "LabDC01-EntRootCA" -CADistinguishedNameSuffix "DC=lab,DC=local" -CryptoProviderName "Microsoft Strong Cryptographic Provider"

Remember, you can use the -WhatIf switch to check that the command is valid and to see what it will do.

There will be a confirmation dialogue (as shown above); confirm the action and wait for the process to complete (almost instant). The confirmation is odd (shown below). It looks like an error but isn’t.

Successful configuration at this point can be confirmed by opening Certification Authority:


Right clicking on the root server (should have a green tick by it) and selecting Properties and then View Certificate.


If all is well you should notice that, in the Details tab, the Public Key field is set at 4096 and the validity period is indeed 40 years.

There is a little more configuration required to set up the publication URLs and CRLs and to disable Delta CRLs. The commands below need to be entered (modify for your environment):

certutil.exe -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.lab.local/pki/%3%8.crl"
certutil.exe -setreg CA\CACertPublicationURLs "2:http://pki.lab.local/pki/%1_%3%4.crt"
certutil.exe -setreg CA\CRLPeriodUnits 20
certutil.exe -setreg CA\CRLPeriod "Years"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLDeltaPeriod "Days"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 4
certutil.exe -setreg CA\CRLOverlapPeriod "Weeks"
certutil.exe -setreg CA\ValidityPeriodUnits 40
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\DSConfigDN "DC=lab,DC=local"
Restart-Service certsvc
certutil -crl

You should get output similar to the screenshot below if the commands complete successfully. Now, if you check C:\Windows\System32\CertSrv\CertEnroll you should see your root certificate and CRL all present and correct.
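Since certutil -setreg writes straight into the CA’s registry configuration, the settings can be read back and compared with what the commands above were meant to set before any certificates are issued. This is an added check, not part of the original post; $CAName is assumed to match the -CACommonName used earlier.

```powershell
# Added example (not from the original post). Reads the CA configuration from the
# registry and compares it with the values the certutil -setreg commands set.
$CAName  = 'LabDC01-EntRootCA'   # assumed to match -CACommonName above
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

# Expected values, taken from the certutil commands in this step.
$Expected = @{
    CRLPeriodUnits        = 20
    CRLPeriod             = 'Years'
    CRLDeltaPeriodUnits   = 0
    CRLDeltaPeriod        = 'Days'
    CRLOverlapPeriodUnits = 4
    CRLOverlapPeriod      = 'Weeks'
    ValidityPeriodUnits   = 40
    ValidityPeriod        = 'Years'
    DSConfigDN            = 'DC=lab,DC=local'
}

function Test-CaConfiguration {
    param([string]$Path, [hashtable]$Expected)

    $actual = Get-ItemProperty -Path $Path   # needs to run elevated, like the certutil commands
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ("$value" -ne "$($Expected[$name])") {
            Write-Warning "$name is '$value', expected '$($Expected[$name])'"
            $ok = $false
        }
    }

    # CRLPublicationURLs and CACertPublicationURLs are REG_MULTI_SZ; the entries
    # flagged '2:' are what end up in the CDP and AIA extensions of issued certs.
    if (-not (@($actual.CRLPublicationURLs) -match '^2:http://pki\.lab\.local/')) {
        Write-Warning 'No HTTP CRL distribution point (CDP) entry found'; $ok = $false
    }
    if (-not (@($actual.CACertPublicationURLs) -match '^2:http://pki\.lab\.local/')) {
        Write-Warning 'No HTTP AIA entry found'; $ok = $false
    }
    return $ok
}

if (Test-CaConfiguration -Path $RegPath -Expected $Expected) {
    'CA registry configuration matches the intended values.'
    # The CRL that certutil -crl just published should carry the 20 year lifetime;
    # its ThisUpdate/NextUpdate fields confirm the setting actually took effect.
    certutil.exe -dump "$env:windir\System32\CertSrv\CertEnroll\$CAName.crl" |
        Select-String 'ThisUpdate|NextUpdate'
}
```

If a value differs, re-run the matching certutil -setreg line, then Restart-Service certsvc and certutil -crl again, since the service only reads the configuration at start-up.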

Step 3: Creating A vCAC Specific Web Enrollment Template

Now, to be able to issue the correct type of certificates for vCAC (it has very specific requirements according to the docs) we need to create a new Certificate Template. This is done by launching the Certification Authority utility on your issuing CA (in my case this is the Enterprise Root CA installed above).

Expand the Certification Authority tree and right click on Certificate Templates.  Now select Manage from the context menu.  This will open up the Certificate Templates Console. Scroll down the list and select Web Server. Right click and select Duplicate Template.  (Shown Below).

The properties window will be displayed. Leave the compatibility level at Windows Server 2003 and then select the General tab.

In the General tab change the information to that shown below. Specifically, make sure the Publish certificate in Active Directory check box is selected and that the validity periods are right for your environment (I don’t want to bother replacing certificates so have set it long).

Now select the Extensions tab, select Key Usage and ensure the options shown below are checked. Click OK and then, still in the Extensions tab, select Application Policies and then Edit. Click Add, select Client Authentication and then OK.

Click OK and close the Certificate Templates Console. The template is now available in AD and ready to publish.

Step 4: Publish The New Web Enrollment Template

Still logged on to your issuing CA with an account that has Domain Admin privileges, open the Certification Authority utility and expand the tree as before. Right click on the Certificate Templates folder and select New > Certificate Template to Issue from the menu.

The Enable Certificate Templates window will appear. Scroll down, select VMware SSL Certificate as created above and click OK.


The VMware SSL Certificate should then appear in the Certificate Templates folder.

Next up is installing OpenSSL. This will be continued in Part 3.

Installing vCAC 6.0.1.1 – Part 1: Windows Pre-Requisites

This series of posts will guide you through a full distributed install of VMware vCloud Automation Center (vCAC 6.0.1.1). This is something I’ve done in a live environment but I’m going to try to re-create a small setup in my lab environment to enable me to test upgrading between vCAC versions. Why? Because I’m interested.

A Note on System Requirements
I don’t have a super powerful lab. Storage is fast but not that plentiful. As this is a test install that won’t really do much, some of the components will be at minimum spec or below if I know I can get away with it. This will show mostly on the second side of the stack. This will be set up to prove clustering and load balancing, but will be logically turned OFF and left undersized once running.


Part One – Windows Pre-Requisites

For ease of administration, and to replicate what I would do in a Live environment, I have created the following security groups in Active Directory using the Users and Computers utility.  These will hold relevant accounts that are needed in the install process.

The following accounts were also created in the Active Directory Users and Computers utility as they will be needed later.

When creating these accounts you will need to specify a password. This should, obviously, be strong, but be aware that some special characters will cause issues with the vCAC install later on because of the way the installer uses SOAP to pass through certain passwords. For this reason it’s a good idea to avoid ‘#’, ‘&’ and ‘@’ for sure (other characters may also be bad).

I’ve added my personal account and the domain admins group to the VC Admins group, the svc_vcac_admin user is a member of vCAC Administrators and svc_sql to the SQL Administrators group.

Set Up a DNS Entry for PKI

vCAC uses Certificates a LOT and we will need to set up a Public Key Infrastructure (PKI) to be able to do this in the lab. I will be installing PKI on my Lab DC so, for later use, I’m also creating a DNS A record looking like: pki.lab.local 192.168.1.151

This can be done from the DNS Manager Utility.