vCenter 5.1 with SSO: Installation
To upgrade, you can refer to the Best Practice KB here.
If you hit any problem installing SSO, you can refer to this KB.
If you hit an error during the vCenter Server installation after SSO and the vCenter Inventory Service installed successfully, you may want to refer to this KB.
If you encounter an error during the vCenter installation and vm_ssoreg.log shows
"java.lang.IllegalArgumentException: The local OS identity source is not registered with the SSO installation"
Resolution:
First check that the clock on the vCenter server is within 5 minutes of the Domain Controller (the Kerberos tolerance; a larger skew breaks domain authentication). If the time is in sync and the error persists, you might need to remove the vCenter server from the domain and rejoin it.
For a more detailed walkthrough, including certificate installation, you may refer to this other blog.
I have kept this guide simple for someone who has not done a vCenter installation before and is using MS SQL Server for the database.
Here is a video of the installation, and below are the detailed instructions and scripts.
Below is an overview of the vCenter installation.
Installation starts with SSO:
- Hostname: enter the IP or FQDN of the SSO server
- Tick the option to use manually created users
- Key in the two users created by the SSO SQL script (RSA_DBA and RSA_USER)
- Carry on with the installation
Next, install the vCenter Inventory Service:
- Proceed with the installation and key in the SSO administrator password
- Install the certificate when prompted
Lastly, vCenter Server:
- Start the vCenter installation
- Proceed with the wizard and point it to the database created below, using the ODBC DSN you created
- Remove VC_ADMIN_ROLE from vpxuser after the installation (the removal script is at the end of this post)
To implement the SSO function:
- Create the SSO database by running the query in \Single Sign On\DBScripts\SSOServer\schema\mssql\rsaIMSLiteMSSQLSetupTablespaces.sql
- Then run \Single Sign On\DBScripts\SSOServer\schema\mssql\rsaIMSLiteMSSQLSetupUsers.sql from the same path to create the SSO database users RSA_DBA and RSA_USER. These are created separately so that they are not mixed with the vCenter database and user.
Create SSO Database
=================================================
CREATE DATABASE RSA ON PRIMARY(
NAME='RSA_DATA',
FILENAME='C:\CHANGE ME\RSA_DATA.mdf',
SIZE=10MB,
MAXSIZE=UNLIMITED,
FILEGROWTH=10%),
FILEGROUP RSA_INDEX(
NAME='RSA_INDEX',
FILENAME='C:\CHANGE ME\RSA_INDEX.ndf',
SIZE=10MB,
MAXSIZE=UNLIMITED,
FILEGROWTH=10%)
LOG ON(
NAME='translog',
FILENAME='C:\CHANGE ME\translog.ldf',
SIZE=10MB,
MAXSIZE=UNLIMITED,
FILEGROWTH=10% )
GO
-- Set recommended performance settings on the database.
-- sp_dboption works on SQL Server 2008/2008 R2 but was removed in SQL Server 2012;
-- there the same two settings are the AUTO_SHRINK ON and RECOVERY SIMPLE
-- options of ALTER DATABASE.
EXEC SP_DBOPTION 'RSA', 'autoshrink', true
GO
EXEC SP_DBOPTION 'RSA', 'trunc. log on chkpt.', true
GO
CHECKPOINT
GO
=================================================
Create SSO Users
=================================================
USE MASTER
GO
-- Replace the empty '' with a strong password for each login; the SSO installer
-- asks for both of them on the database user page.
CREATE LOGIN RSA_DBA WITH PASSWORD = '', DEFAULT_DATABASE = RSA
GO
CREATE LOGIN RSA_USER WITH PASSWORD = '', DEFAULT_DATABASE = RSA
GO
USE RSA
GO
ALTER AUTHORIZATION ON DATABASE::RSA TO [RSA_DBA]
GO
CREATE USER RSA_USER FOR LOGIN [RSA_USER]
GO
CHECKPOINT
GO
=================================================
Steps:
- Prepare the database for vCenter
- Run the scripts below
- Create a 64-bit ODBC System DSN for the vCenter database
- Enable TCP/IP for the SQL Server instance so that the installer's JDBC connection works: under the IP Addresses tab, just check that the address is Active and that TCP Dynamic Ports is set
- All optional steps are left out except the following, for those who want vCenter to monitor the database:
use master
go
grant VIEW SERVER STATE to [vpxuser]   -- the vCenter login created by the script below
go
Prepare the vCenter 5.1 database. You can refer to the installation guide, but I find it rather unclear for a database novice. The vCenter binary (ISO or zip file) contains \vCenter-Server\dbschema\DB_and_schema_creation_scripts_MSSQL.txt, whose first half is the script below. Note the ALTER DATABASE ... SET RECOVERY line: by default the database is created with the FULL recovery model, but I prefer to change it to SIMPLE. For the privileges you can use either of the two options in the script: the commented-out db_owner grant, or the custom roles VC_ADMIN_ROLE and VC_USER_ROLE. In some environments the vCenter user cannot be granted db_owner rights, which is why the custom roles exist. Depending on your environment, choose which to run.
Create vCenter database and user
=================================================
use [master]
go
CREATE DATABASE [VCDB] ON PRIMARY
(NAME = N'vcdb', FILENAME = N'C:\VCDB.mdf' , SIZE = 2000KB , FILEGROWTH = 10% )
LOG ON
(NAME = N'vcdb_log', FILENAME = N'C:\VCDB.ldf' , SIZE = 1000KB , FILEGROWTH = 10%)
COLLATE SQL_Latin1_General_CP1_CI_AS
go
ALTER DATABASE [VCDB] SET RECOVERY SIMPLE /*or FULL*/
go
use VCDB
go
-- VMware's script ships with the password equal to the login name; change
-- N'vpxuser' to a strong password before running this.
sp_addlogin @loginame=[vpxuser], @passwd=N'vpxuser', @defdb='VCDB', @deflanguage='us_english'
go
-- Turns off the Windows password policy (and with it password expiration) for
-- this SQL login, so a forced rotation cannot break vCenter. It also means the
-- weak default above is never rejected, which is why it must be changed by hand.
ALTER LOGIN [vpxuser] WITH CHECK_POLICY = OFF
go
CREATE USER [vpxuser] for LOGIN [vpxuser]
go
CREATE SCHEMA [VMW]
go
ALTER USER [vpxuser] WITH DEFAULT_SCHEMA =[VMW]
go
/*User should have DBO Privileges or VC_ADMIN_ROLE and VC_USER_ROLE database roles
sp_addrolemember @rolename = 'db_owner', @membername = 'vpxuser'
go
or
*/
if not exists (SELECT name FROM sysusers WHERE issqlrole=1 AND name = 'VC_ADMIN_ROLE')
CREATE ROLE VC_ADMIN_ROLE;
GRANT ALTER ON SCHEMA :: [VMW] to VC_ADMIN_ROLE;
GRANT REFERENCES ON SCHEMA :: [VMW] to VC_ADMIN_ROLE;
GRANT INSERT ON SCHEMA :: [VMW] to VC_ADMIN_ROLE;
GRANT CREATE TABLE to VC_ADMIN_ROLE;
GRANT CREATE VIEW to VC_ADMIN_ROLE;
GRANT CREATE Procedure to VC_ADMIN_ROLE;
if not exists (SELECT name FROM sysusers WHERE issqlrole=1 AND name = 'VC_USER_ROLE')
CREATE ROLE VC_USER_ROLE
go
GRANT SELECT ON SCHEMA :: [VMW] to VC_USER_ROLE
go
GRANT INSERT ON SCHEMA :: [VMW] to VC_USER_ROLE
go
GRANT DELETE ON SCHEMA :: [VMW] to VC_USER_ROLE
go
GRANT UPDATE ON SCHEMA :: [VMW] to VC_USER_ROLE
go
GRANT EXECUTE ON SCHEMA :: [VMW] to VC_USER_ROLE
go
sp_addrolemember VC_ADMIN_ROLE , [vpxuser]
go
sp_addrolemember VC_USER_ROLE , [vpxuser]
go
use MSDB
go
CREATE USER [vpxuser] for LOGIN [vpxuser]
go
/*User should have DBO Privileges or VC_ADMIN_ROLE
sp_addrolemember @rolename = 'db_owner', @membername = 'vpxuser'
go
or
*/
if not exists (SELECT name FROM sysusers WHERE issqlrole=1 AND name = 'VC_ADMIN_ROLE')
CREATE ROLE VC_ADMIN_ROLE;
go
grant select on msdb.dbo.syscategories to VC_ADMIN_ROLE
go
grant select on msdb.dbo.sysjobsteps to VC_ADMIN_ROLE
go
GRANT SELECT ON msdb.dbo.sysjobs to VC_ADMIN_ROLE
GO
GRANT EXECUTE ON msdb.dbo.sp_add_job TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_delete_job TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_jobstep TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_update_job TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_jobserver TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_jobschedule TO VC_ADMIN_ROLE
go
GRANT EXECUTE ON msdb.dbo.sp_add_category TO VC_ADMIN_ROLE
go
sp_addrolemember VC_ADMIN_ROLE , [vpxuser]
go
=================================================
Remove VC_ADMIN_ROLE from vpxuser
(run after the vCenter installation or upgrade has finished;
the running service only needs VC_USER_ROLE)
=================================================
use VCDB
go
sp_droprolemember VC_ADMIN_ROLE , [vpxuser]
go
=================================================
Remove dbo role from MSDB
(only applies if you chose the db_owner option instead of VC_ADMIN_ROLE)
=================================================
use MSDB
go
sp_droprolemember @rolename = 'db_owner', @membername = 'vpxuser'
go
=================================================
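Once the install-time roles have been pruned, it is worth confirming what vpxuser can actually do rather than trusting that the scripts above ran as intended. The T-SQL below is an added example and is not part of VMware's DB_and_schema_creation_scripts_MSSQL.txt. Run as a sysadmin, it impersonates vpxuser in VCDB and in msdb and probes, with HAS_PERMS_BY_NAME, exactly the rights that the install-time roles (db_owner or VC_ADMIN_ROLE) and the run-time role (VC_USER_ROLE) grant, lists the database roles the user is still a member of, and then checks the VIEW SERVER STATE grant and the password-policy flags from the steps above. Before installation every row should show held = 1; after you drop VC_ADMIN_ROLE and db_owner, only the rows marked runtime should still be 1. The msdb list is the same one the installer prints when it refuses to proceed. The names used (VCDB, VMW, vpxuser, RSA_DBA, RSA_USER) are those from the scripts on this page.

```sql
-- Added example: audit what the vpxuser login can actually do.
-- Run as sysadmin (EXECUTE AS needs IMPERSONATE). Names match the scripts above.

-- 1. VCDB: probe the schema- and database-level rights the two roles grant.
USE VCDB;
GO
EXECUTE AS USER = 'vpxuser';                     -- switch to vpxuser's security context
SELECT 'VCDB' AS db, p.phase, p.securable, p.perm,
       HAS_PERMS_BY_NAME(p.securable, p.secclass, p.perm) AS held   -- 1 = held, 0 = not
FROM (VALUES
    -- VC_ADMIN_ROLE (or db_owner): needed only while installing / upgrading
    ('install', 'VMW',     'SCHEMA',   'ALTER'),
    ('install', 'VMW',     'SCHEMA',   'REFERENCES'),
    ('install', DB_NAME(), 'DATABASE', 'CREATE TABLE'),
    ('install', DB_NAME(), 'DATABASE', 'CREATE VIEW'),
    ('install', DB_NAME(), 'DATABASE', 'CREATE PROCEDURE'),
    -- VC_USER_ROLE: what the running vCenter service needs
    ('runtime', 'VMW',     'SCHEMA',   'SELECT'),
    ('runtime', 'VMW',     'SCHEMA',   'INSERT'),
    ('runtime', 'VMW',     'SCHEMA',   'UPDATE'),
    ('runtime', 'VMW',     'SCHEMA',   'DELETE'),
    ('runtime', 'VMW',     'SCHEMA',   'EXECUTE')
) AS p(phase, securable, secclass, perm);
REVERT;                                           -- back to your own context
GO

-- 2. VCDB: role membership. After installation expect VC_USER_ROLE only
--    (no db_owner, no VC_ADMIN_ROLE). The same query in msdb should show
--    VC_ADMIN_ROLE but no db_owner once the removal script above has run.
SELECT DB_NAME() AS db, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'vpxuser';
GO

-- 3. msdb: the SQL Agent objects the installer checks. Rows with held = 0 are
--    exactly what the installer reports as "does not have the following privileges".
USE msdb;
GO
EXECUTE AS USER = 'vpxuser';
SELECT 'msdb' AS db, p.securable, p.perm,
       HAS_PERMS_BY_NAME(p.securable, 'OBJECT', p.perm) AS held
FROM (VALUES
    ('dbo.syscategories',      'SELECT'),
    ('dbo.sysjobs',            'SELECT'),
    ('dbo.sysjobsteps',        'SELECT'),
    ('dbo.sp_add_job',         'EXECUTE'),
    ('dbo.sp_delete_job',      'EXECUTE'),
    ('dbo.sp_add_jobstep',     'EXECUTE'),
    ('dbo.sp_update_job',      'EXECUTE'),
    ('dbo.sp_add_jobserver',   'EXECUTE'),
    ('dbo.sp_add_jobschedule', 'EXECUTE'),
    ('dbo.sp_add_category',    'EXECUTE')
) AS p(securable, perm);
REVERT;
GO

-- 4. Server level: VIEW SERVER STATE (optional DB monitoring; CONNECT SQL is
--    always listed) and the password-policy flags that CHECK_POLICY = OFF cleared.
USE master;
GO
SELECT sp.name, perm.permission_name, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE sp.name = 'vpxuser';
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name IN ('vpxuser', 'RSA_DBA', 'RSA_USER');
GO
```

Run it from SQL Server Management Studio connected as a sysadmin; each SELECT returns its own result grid. If EXECUTE AS fails with a principal error, vpxuser has no database user in that database, which the installer would also reject.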
Update 1: 25 Sept 2012
Another issue you may hit during the vCenter installation:
Open C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
Check whether the certificate has expired (open it in Windows and look at the Valid to date).
If it has expired, rename the SSL folder and start the installation again.
The installer will then generate a new certificate and create a new SSL folder.
Note: the ESXi hosts have to be reconnected to vCenter afterwards, because the certificate they trust has been renewed.
Update 2: 18 March 2013
For those running the Windows vCenter with SSO and the Web Client on the same machine: after a reboot, the vCenter service sometimes does not come up. Take note of this, because in the Web Client you may then see an "unable to connect to one or more vCenter" error message; check that the VMware VirtualCenter Server service is running and start it if it is not.
Comments
The DB user entered does not have the required permissions needed to install and configure vCenter Server with the selected DB. Please correct the following error(s): The database user 'vpxuser' does not have the following privileges on the 'vcdb' database:
EXECUTE sp_add_category
EXECUTE sp_add_job
EXECUTE sp_add_jobschedule
EXECUTE sp_add_jobserver
EXECUTE sp_add_jobstep
EXECUTE sp_delete_job
EXECUTE sp_update_job
SELECT syscategories
SELECT sysjobs
SELECT sysjobsteps
from vminst.log
VMware VirtualCenter-build-880146: 12/20/12 16:47:58 SSO registration tool failed with return code 9
VMware VirtualCenter-build-880146: 12/20/12 16:47:58 Please see vm_ssoreg.log in system temporary folder
From vm_ssoreg
[2012-12-20 09:17:58,827 main DEBUG com.vmware.vim.install.cli.commands.CheckPrincipalExistsCommand] Checking whether group with id "{Name: test_group, Domain: domain.com}" exists
[2012-12-20 09:17:58,858 main ERROR com.vmware.vim.install.cli.commands.CheckPrincipalExistsCommand] No user or group found with id {Name: test_group, Domain: domain.com}
[2012-12-20 09:17:58,858 main INFO com.vmware.vim.install.cli.RegTool] Return code is: InvalidUser
R
I have posted my question here
http://communities.vmware.com/message/2167570#2167570
But haven't fixed the problem yet
Thank you in advance
It seems to be an account or group problem. You might want to use domain\group_Name.