Planning and building the “nasty” SSL/SSO lab – Part 1
As promised, I want to start a small series on the content I developed to train TSEs internally to better handle SSL and SSO cases in vCenter Server 5.5. The whole training grew from a mere 1-hour presentation into a full 2-day course and could easily be extended with another set of lab exercises and additional products. As there is no hands-on lab for replacing SSL certificates yet
This training was focused on the core vSphere products, mainly Windows vCenter Server and vCenter Server Single Sign-On. ESXi gets hardly any case volume at all in regards to SSL certificates; from what I gathered at several VMUGs, only a minority seems to even care about replacing those certificates, and most people are concerned with the vCenter Server side of things. The training itself did not cover the vCenter Server Appliance due to rather low demand at that time (about a year ago). The environment is scalable though, and different components could be added later on if needed: simply add another VM for the needed component and work away.
Main goals for the lab/training:
- Prepare TSEs for the most common support cases
- Give TSEs the option to work through initial SSL configurations themselves and see the customer side of things
- Configure SSO in a safe, non-production environment to see each step
Hardware requirements (this is for the virtual hardware in the bare minimum configuration; I am assuming that some kind of virtualization software will be used to create these VMs, and it does not matter whether it is Workstation, Fusion or ESXi):
- The ability to schedule 2 vCPUs; while 4 is definitely better for performance, a dual core should suffice
- 8 GB RAM (1 for the DC, 4 for vCenter, 4 for the two SSO machines; not everything will be active at the same time, but around 8 should be a good bet to avoid constant swapping)
- 45 GB of HDD, assuming thin provisioning and not oversizing the VMs too much; this could be further reduced by using linked clones
- No real networking is required, everything can be done on an internal only network
- Microsoft Windows Server 2008 R2 (or 2012; 2012 R2 is not supported according to KB 2091273)
- vCenter Server 5.0 U3
- vCenter Server 5.5 U2
These are the absolute minimum requirements to follow the lab manual. A logical design overview for the lab can be found below.
Again, this can easily be extended by introducing a real load balancer VM instead of using the “cheap” option of Microsoft NLB, or by simply deploying a vCenter Server Appliance and an ESXi host as well. But this is the minimum core infrastructure that was needed for the training. We do need 2 SSO servers to actually go through the high availability configuration option of the SSO installation; this will be the most complicated step in the lab, as tech support staff usually do not see this setup from the start but rather encounter it in an already broken state.
The planned labs for the training were the following, with the last lab being optional depending on time; over 3 iterations of the course, most students did not get to do it within the training time.
- Create certificate requests using the SSL automation tool
- Create certificate requests using openssl
- Sign certificate requests using a Microsoft CA
- Sign certificate requests using openssl
- Replace certificates using the SSL automation tool
- Explore command line options for and ssolscli by fixing the sso.crt issue
- Deploy an HA load balanced setup for SSO 5.5
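As an added example that is not part of the original post and not VMware's SSL automation tool, the following script walks through the two openssl labs from the list above (creating a certificate request, then signing it with an openssl CA) and finishes with the checks a TSE would run on a customer's certificate: does it chain to the CA, does it carry the expected SAN, and does the private key actually belong to it. The lab CA, the host name vcenter.lab.local and the extension values are constructed for this demo; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl on PATH.
# The host name "vcenter.lab.local" and the lab CA are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway self-signed CA; in the lab this role is played by the Microsoft CA
# or an openssl CA, here it is created inline so the script runs on its own.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Lab "create certificate requests using openssl": key plus CSR driven by a
# config file so the SAN and key usage are in the request, not typed by hand.
make_csr() {
  host="$1"
  cat > "$WORK/$host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
O = Lab
[v3_req]
subjectAltName = DNS:$host
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/$host.cnf" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
}

# Lab "sign certificate requests using openssl": -extfile/-extensions re-apply
# the request's extensions; without them openssl x509 silently drops the SAN,
# which is a classic root cause of "certificate does not match host" cases.
sign_csr() {
  host="$1"
  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$host.cnf" -extensions v3_req \
    -out "$WORK/$host.crt" 2>/dev/null
}

# Returns 0 when the issued certificate chains to the lab CA and carries the SAN.
check_cert() {
  host="$1"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$host.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# Returns 0 when the private key and certificate share the same RSA modulus,
# i.e. the customer did not pair a new CSR's key with an old certificate.
key_matches_cert() {
  host="$1"
  cert_mod=$(openssl x509 -in "$WORK/$host.crt" -noout -modulus | openssl md5)
  key_mod=$(openssl rsa -in "$WORK/$host.key" -noout -modulus 2>/dev/null | openssl md5)
  [ "$cert_mod" = "$key_mod" ]
}

make_lab_ca
make_csr vcenter.lab.local
sign_csr vcenter.lab.local
check_cert vcenter.lab.local && key_matches_cert vcenter.lab.local && echo "vcenter.lab.local: chain, SAN and key all check out"
```

The two check functions are the ones worth keeping around: running `openssl verify` against the customer's CA file and comparing the key and certificate moduli takes seconds and settles most "the service will not start after replacing the certificate" cases before anything else is touched.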
This is it for today: we defined a purpose for the lab and planned its structure. The next post in this series will go into more detail on the actual setup of the lab itself, while the following posts will each handle one of the lab exercises.