Planning and building the “nasty” SSL/SSO lab – Part 3
This time we will be setting up the vCenter Server for one of the lab sessions later. Since we intentionally want to break something we need a very specific procedure though.
To be able to install vCenter Server in the first place the host OS needs .NET Framework 3.5 installed, this can be done using the Windows operating systems “Add Feature” method.
After the prereq is fullfilled we will go for a very simple install of vCenter Server 5.0 U3, the reason being that this component did not include vCenter Single Sign-On yet which is crucial to break the lab in the way it is intended to. The installation is pretty straight forward, accepting all defaults in a “next, next, next … finish” fashion. The vSphere Client and Web Client are not needed yet, as well as Update Manager.
After the installation finished we need to verify if the vCenter Server Inventory Service and vCenter Server itself are using the same SSL certificate (they can differ in the thumbprints but need the same CN). Why is this important? It will force the installer of 5.5 to create an sso.crt for the vCenter Server solution user and therefore forcing one of the situations we actually want to remediate in a later lab exercise. Using the 5.5 upgrade is easier than actually forcefully implementing the solution user certificate in 5.5 itself (even though it can be done). As we can see both certificates indeed are sharing the same CN.
If you want an extra challenge you can replace both the Inventory Service and vCenter Server certificate for a 512 bit certificate, to create even more problems in 5.5 but that was not covered in the course, after following through everything I will do that as an extra though.
The certificates are located at the following 2 locations on the file system.
C:\Program Files\VMware\Infrastructure\Inventory Service\ssl
Since 5.0 is not being used too much anymore and most customers are actually running 5.1 or 5.5 these days a training resolving around 5.0 would be pretty boring. So our next step will be to update the lab to 5.5.
A simple install should be enough to get the lab into a state that is usable for us. Note that through this procedure actually 3 SSO servers will be installed, one on the vCenter Server VM using the simple installation method and 2 more on the respective SSO machines themselves. This is intended for later labs. Double check during the installation that no errors messages in terms of name resolution are thrown. If you opted for the 512 bit certificate you should use vCenter Server 5.5 U1 first and then update to 5.5 U2.
After doing the Simple Install you may also want to install the vSphere Client and Update Manager, while optional they both will have some use in the coming labs.
If done correctly the vCenter Server ssl folder (C:\ProgramData\VMware\VMware VirtualCenter\SSL) will contain an sso.crt file as well, which is exactly what we want.
With this we are done for the vCenter Server for now, so let’s move on to the 2 remaining servers for vCenter Server Single-Sign on preparation for an HA deployment.
Mount the installation iso to the first SSO node and choose the vCenter Single Sign-On option. You can next through a couple of times until you get the choice for 3 deployment options. On the first node we are going to choose “Standalone vCenter Single Sign-On Server”. For the site name we are choosing “HA”. The rest will be default values. Wait until the installation is finished, as the second SSO server will depend on that first node.
Mount the installation to the second SSO and choose the vCenter Single Sign-On option again. When presented with the installation options again choose “High Availability”. Provide the partner node name “sso1.training.local” when you are following along and the firstname.lastname@example.org password from the first node. If done correctly you should be able to choose “HA” from the site name drop down list.
After both SSO nodes are set up properly we are basically done with the whole lab setup. This is the basics needed for the training. If needed this can easily be extended by deploying an ESXi host and a Virtual Center Server Appliance. After explaining the main labs I will deliver some blog posts on that as well as an additional bonus that were not part of the training but might still be interesting for people trying to do a full scale SSL replacement.