Sunday, September 23, 2012

vCenter 5.1 with SSO: Installation

To upgrade, refer to the Best Practice KB here.
If you hit any problem installing SSO, refer to this KB.
If you hit an error during the vCenter installation after SSO and the vCenter Inventory Service have installed successfully, refer to this KB.
 


If you encounter an error during the vCenter installation and vm_ssoreg.log shows
"java.lang.IllegalArgumentException: The local OS identity source is not registered with the SSO installation"
Resolution:
You might need to remove the vCenter server from the domain and rejoin it, provided the time on the vCenter server and the Domain Controller differs by no more than 5 minutes.

For a more detailed installation guide, including certificate installation, you may refer to this other blog.

To start with, I have made this guide simple for someone who has not done a vCenter installation before and is using MS SQL for the database.

Here is a video on the installation and below are the detailed instructions and scripts.



Below is an overview of the vCenter installation.

Installation starts with SSO.
  1. Hostname: enter the IP or FQDN of the SSO server
  2. Select the option to use manually created users
  3. Key in the two users created by the SSO SQL script
  4. Carry on with the installation

Next, install the vCenter Inventory Service
  1. Proceed with the installation and key in the SSO administrator password
  2. Install the certificate when prompted

Lastly, vCenter
  1. Start the vCenter installation
  2. Proceed with the wizard and point it to the database created above, using the DSN you created
  3. Remove the VC_ADMIN role from vpxuser after the installation

To implement the SSO function:
  1. Create the database by running the query \Single Sign On\DBScripts\SSOServer\schema\mssql\rsaIMSLiteSQLSetupTablespaces.sql
  2. Go to the binary path \Single Sign On\DBScripts\SSOServer\schema\mssql\rsaIMSLiteMSSQLSetupUsers.sql to create the SSO database users RSA_DBA and RSA_USER. These are created separately so that they are not mixed with the vCenter database and user.

Create SSO Database
================================================= 
CREATE DATABASE RSA ON PRIMARY(
    NAME='RSA_DATA',
    FILENAME='C:\CHANGE ME\RSA_DATA.mdf',
    SIZE=10MB,
    MAXSIZE=UNLIMITED,
    FILEGROWTH=10%),
FILEGROUP RSA_INDEX(
    NAME='RSA_INDEX',
    FILENAME='C:\CHANGE ME\RSA_INDEX.ndf',
    SIZE=10MB,
    MAXSIZE=UNLIMITED,
    FILEGROWTH=10%)
LOG ON(
    NAME='translog',
    FILENAME='C:\CHANGE ME\translog.ldf',
    SIZE=10MB,
    MAXSIZE=UNLIMITED,
    FILEGROWTH=10% )
GO

-- Set recommended performance settings on the database
EXEC SP_DBOPTION 'RSA', 'autoshrink', true
GO
EXEC SP_DBOPTION 'RSA', 'trunc. log on chkpt.', true
GO

CHECKPOINT
GO

=================================================


Create SSO Users
=================================================
USE MASTER
GO

-- Replace the CHANGE ME placeholders with strong, distinct passwords before running
CREATE LOGIN RSA_DBA WITH PASSWORD = '<CHANGE ME: RSA_DBA password>', DEFAULT_DATABASE = RSA
GO
CREATE LOGIN RSA_USER WITH PASSWORD = '<CHANGE ME: RSA_USER password>', DEFAULT_DATABASE = RSA
GO

USE RSA
GO

ALTER AUTHORIZATION ON DATABASE::RSA TO [RSA_DBA]
GO

CREATE USER RSA_USER FOR LOGIN [RSA_USER]
GO

CHECKPOINT
GO

=================================================




Steps:
  1. Prepare the DB for vCenter
    • Run the scripts
    • Create a 64-bit ODBC System DSN
    • Configure MS SQL Server TCP/IP for JDBC: for the IP address, just check Active and TCP Dynamic Ports
    • All optional steps are left out except the one below, for those who want to monitor the database (replace login_name with the monitoring login):
      • use master
        go
        grant VIEW SERVER STATE to login_name
        go

Prepare the vCenter 5.1 database. You can refer to the installation guide, but I find it rather unclear for a database novice. Referring instead to the vCenter binary (either ISO or zip file), :\vCenter-Server\dbschema\DB_and_schema_creation_scripts_MSSQL.txt contains, in its first half, the script below. The ALTER DATABASE ... SET RECOVERY line is my own addition: by default the database is created with Full recovery, but I prefer to change it to Simple.

The script offers two ways to grant vpxuser its rights, and you use only one of them: the db_owner role (the commented-out sp_addrolemember lines), or the custom roles VC_ADMIN_ROLE and VC_USER_ROLE. In some environments the user cannot be granted DBO rights, which is why the custom roles exist. Depending on your environment, choose which one to run.


Create vCenter database and user
=================================================
use [master]
go

CREATE DATABASE [VCDB] ON PRIMARY
(NAME = N'vcdb', FILENAME = N'C:\VCDB.mdf' , SIZE = 2000KB , FILEGROWTH = 10% )

LOG ON
(NAME = N'vcdb_log', FILENAME = N'C:\VCDB.ldf' , SIZE = 1000KB , FILEGROWTH = 10%)

COLLATE SQL_Latin1_General_CP1_CI_AS
go


ALTER DATABASE [VCDB] SET RECOVERY SIMPLE /*or FULL*/
go


use VCDB
go

-- 'vpxuser' is the default password from the VMware script; change it to a strong one before running
sp_addlogin @loginame=[vpxuser], @passwd=N'vpxuser', @defdb='VCDB', @deflanguage='us_english'
go

ALTER LOGIN [vpxuser] WITH CHECK_POLICY = OFF
go

CREATE USER [vpxuser] for LOGIN [vpxuser]
go

CREATE SCHEMA [VMW]
go

ALTER USER [vpxuser] WITH DEFAULT_SCHEMA =[VMW]
go

/*User should have DBO Privileges or VC_ADMIN_ROLE and VC_USER_ROLE database roles

sp_addrolemember @rolename = 'db_owner', @membername = 'vpxuser'
go

or
*/

if not exists (SELECT name FROM sysusers WHERE issqlrole=1 AND name = 'VC_ADMIN_ROLE')
CREATE ROLE VC_ADMIN_ROLE;
GRANT ALTER ON SCHEMA :: [VMW] to VC_ADMIN_ROLE;
GRANT REFERENCES ON SCHEMA :: [VMW] to VC_ADMIN_ROLE;
GRANT INSERT ON SCHEMA ::  [VMW] to VC_ADMIN_ROLE;

GRANT CREATE TABLE to VC_ADMIN_ROLE;
GRANT CREATE VIEW to VC_ADMIN_ROLE;
GRANT CREATE Procedure to VC_ADMIN_ROLE;

if not exists (SELECT name FROM sysusers WHERE issqlrole=1 AND name = 'VC_USER_ROLE')
CREATE ROLE VC_USER_ROLE
go
GRANT SELECT ON SCHEMA ::  [VMW] to VC_USER_ROLE
go
GRANT INSERT ON SCHEMA ::  [VMW] to VC_USER_ROLE
go
GRANT DELETE ON SCHEMA ::  [VMW] to VC_USER_ROLE
go
GRANT UPDATE ON SCHEMA ::  [VMW] to VC_USER_ROLE
go
GRANT EXECUTE ON SCHEMA :: [VMW] to VC_USER_ROLE
go

sp_addrolemember VC_ADMIN_ROLE , [vpxuser]
go

sp_addrolemember VC_USER_ROLE , [vpxuser]
go



use MSDB
go

CREATE USER [vpxuser] for LOGIN [vpxuser]
go

/*User should have DBO Privileges or VC_ADMIN_ROLE

sp_addrolemember @rolename = 'db_owner', @membername = 'vpxuser'
go

or
*/

if not exists (SELECT name FROM sysusers WHERE issqlrole=1 AND name = 'VC_ADMIN_ROLE')
CREATE ROLE VC_ADMIN_ROLE;

go
grant select on msdb.dbo.syscategories to VC_ADMIN_ROLE
go
grant select on msdb.dbo.sysjobsteps to VC_ADMIN_ROLE
go
GRANT SELECT ON msdb.dbo.sysjobs to VC_ADMIN_ROLE
GO
GRANT EXECUTE ON msdb.dbo.sp_add_job TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_delete_job TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_update_job TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_category TO VC_ADMIN_ROLE
go

sp_addrolemember VC_ADMIN_ROLE , [vpxuser]
go

=================================================


Remove VC_ADMIN_ROLE from vpxuser
=================================================
use VCDB
go

sp_droprolemember VC_ADMIN_ROLE , [vpxuser]
go

=================================================

Remove dbo role from MSDB 
================================================= 
use MSDB
go

sp_droprolemember @rolename = 'db_owner', @membername = 'vpxuser'
go

=================================================
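The scripts above grant vpxuser its rights before the install and strip the elevated ones afterwards, but nothing on the page confirms that either step actually took effect. The T-SQL below is an added verification script (not part of the VMware DB_and_schema_creation_scripts_MSSQL.txt nor of this post's own scripts). Run it as a sysadmin in SQL Server Management Studio: before launching the installer it checks the exact msdb privileges the vCenter installer demands (the SELECT/EXECUTE list that its permission error reports), and after the removal scripts it shows that VC_ADMIN_ROLE and db_owner are gone. It assumes the names used on this page (VCDB, msdb, vpxuser, schema VMW, roles VC_ADMIN_ROLE and VC_USER_ROLE); HAS_PERMS_BY_NAME, fn_my_permissions and EXECUTE AS USER are standard SQL Server 2005+ features.

```sql
-- Added verification script; assumes the database, user, schema and role names from this post.
-- Run as sysadmin. Nothing here changes permissions, it only reports them.

-- 1. Role membership of vpxuser in VCDB and msdb.
--    Before the install: VC_ADMIN_ROLE and VC_USER_ROLE in VCDB, VC_ADMIN_ROLE in msdb
--    (or db_owner in both if the db_owner variant of the script was used).
--    After this page's removal scripts: VC_ADMIN_ROLE gone from VCDB, db_owner gone from msdb.
SELECT 'VCDB' AS db, r.name AS role_name
FROM VCDB.sys.database_role_members rm
JOIN VCDB.sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN VCDB.sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'vpxuser'
UNION ALL
SELECT 'msdb', r.name
FROM msdb.sys.database_role_members rm
JOIN msdb.sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'vpxuser';
GO

USE VCDB;
GO
-- 2. The default schema must be VMW, otherwise vCenter creates its tables under dbo.
SELECT name, default_schema_name
FROM sys.database_principals
WHERE name = 'vpxuser';
GO

-- 3. Effective permissions of vpxuser, evaluated by impersonation rather than by
--    reading the grants, so inherited and denied permissions are accounted for.
EXECUTE AS USER = 'vpxuser';
SELECT 'schema VMW' AS scope, permission_name
FROM fn_my_permissions('VMW', 'SCHEMA')
UNION ALL
SELECT 'database', permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name IN ('CREATE TABLE', 'CREATE VIEW', 'CREATE PROCEDURE')
ORDER BY scope, permission_name;
REVERT;
GO

USE msdb;
GO
-- 4. The msdb objects the installer requires; this is the list it prints when the
--    permission check fails. Each row must show OK before the install.
DECLARE @required TABLE (obj sysname, perm sysname);
INSERT INTO @required (obj, perm) VALUES
    ('dbo.syscategories',     'SELECT'),
    ('dbo.sysjobs',           'SELECT'),
    ('dbo.sysjobsteps',       'SELECT'),
    ('dbo.sp_add_job',        'EXECUTE'),
    ('dbo.sp_delete_job',     'EXECUTE'),
    ('dbo.sp_add_jobstep',    'EXECUTE'),
    ('dbo.sp_update_job',     'EXECUTE'),
    ('dbo.sp_add_jobserver',  'EXECUTE'),
    ('dbo.sp_add_jobschedule','EXECUTE'),
    ('dbo.sp_add_category',   'EXECUTE');

EXECUTE AS USER = 'vpxuser';
SELECT obj, perm,
       CASE WHEN HAS_PERMS_BY_NAME(obj, 'OBJECT', perm) = 1 THEN 'OK' ELSE 'MISSING' END AS status
FROM @required;
REVERT;
GO
```

If section 4 fails with an error that vpxuser does not exist as a user in msdb, the CREATE USER step in the msdb part of the script was skipped, which is the same root cause as the installer's "does not have the required permissions" error. Run section 1 again after the two removal scripts above; the least-privilege end state is vpxuser holding only VC_USER_ROLE in VCDB and no db_owner membership in msdb.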




Update 1: 25 Sept 2012
Another issue you may have during the installation of vCenter.
Open C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
Check whether the certificate is expired.
If the certificate is expired, rename the SSL folder and start the installation again.
This will push a new certificate and create a new SSL folder.


Note: the hosts have to be reconnected to VC as the certificates are renewed.

Update 2: 18 March 2013
For those using the Windows vCenter with SSO and the Web Client all on the same machine as vCenter: when performing a reboot, sometimes the vCenter service may not be started. Take note of this, as when using the Web Client you might encounter an "unable to connect to one or more vCenter" error message.

8 comments:

Anonymous said...

Great Post. For some reason, I ran into issue with the SQL DB permission as below during installation. Fix was to grant the vpxuser account the db_owner role for the MSDB system database. Very misleading error..

The DB user entered does not have the required permissions needed to install and configure vCenter Server with the selected DB. Please correct the following error(s): The database user 'vpxuser' does not have the following privileges on the 'vcdb' database:
EXECUTE sp_add_category
EXECUTE sp_add_job
EXECUTE sp_add_jobschedule
EXECUTE sp_add_jobserver
EXECUTE sp_add_jobstep
EXECUTE sp_delete_job
EXECUTE sp_update_job
SELECT syscategories
SELECT sysjobs
SELECT sysjobsteps

Zubrania said...

Hi I have a problem during installation of vCenter Server

from vminst.log


VMware VirtualCenter-build-880146: 12/20/12 16:47:58 SSO registration tool failed with return code 9
VMware VirtualCenter-build-880146: 12/20/12 16:47:58 Please see vm_ssoreg.log in system temporary folder

From vm_ssoreg

[2012-12-20 09:17:58,827 main DEBUG com.vmware.vim.install.cli.commands.CheckPrincipalExistsCommand] Checking whether group with id "{Name: test_group, Domain: domain.com}" exists
[2012-12-20 09:17:58,858 main ERROR com.vmware.vim.install.cli.commands.CheckPrincipalExistsCommand] No user or group found with id {Name: test_group, Domain: domain.com}
[2012-12-20 09:17:58,858 main INFO com.vmware.vim.install.cli.RegTool] Return code is: InvalidUser
R

I have posted my question here
http://communities.vmware.com/message/2167570#2167570

But haven't fixed the problem yet

Thank you in advance

KiOng said...

Zubrania,
It seems to be an account or group problem. You might want to use domain\group_Name.

KiOng said...

vpxuser does need to have the rights. Typically, if you use the script, it should be done. After which I did a removal of the vpxuser rights.

w1ll1ng said...

Works perfectly. Nice post

dcprom0 said...

Worked perfectly, thanks.

Anonymous said...

Assigning db_owner permissions to the user I am sql user on the msdb system database resolved my issue as well. Try this before doing too much change/config on sql as some other articles suggest.

Anonymous said...

Woww that was strange. I just wrote an extremely long comment but after I clicked submit my comment didn't appear.
Grrrr... well I'm not writing all that over again.

Anyways, just wanted to say great blog!


Look into my web-site; Łuszczyca leczenie