“nasty” SSL/SSO lab exercises – lab 2
After lab 1 was done, a short coffee break leads directly into lab 2, which shows the students how to check whether a specific VMware certificate template was created.
This time we will be setting up the vCenter Server for one of the lab sessions later. Since we intentionally want to break something, we need a very specific procedure though.
As indicated in the last post, this one will deal with the actual install and setup of the lab infrastructure. We will need 4 VMs as the basic minimum configuration. So let’s start by building out the Domain Controller machine.
As promised, I wanted to start a small series on the content I developed to internally train TSEs to better handle SSL and SSO cases in vCenter Server 5.5. The whole training went from a mere 1-hour presentation to a full 2-day course and could easily be extended by another set of lab exercises and by adding different products. As there is no hands-on lab for replacing SSL certificates yet
Christmas is the time for sharing and giving. As I have been too busy in the past 2 months to share other content, you can find 3 of my VMUG and customer day presentations. Especially since both themes recently came up on Twitter as well.
After setting up those CAs in the last two posts, it would be a shame to have them just sitting around. As I am quite often asked how to replace certificates in an environment that leverages SSO 5.5 with vCenter 5.1 still in place, the CA will be the perfect opportunity to demonstrate the process.
@fbuechsel Can you write the same for W2K12R2? :))
— Patrick Terlisten (@PTerlisten) 27 July 2014
Sure I can, so let’s go. Same assumptions as in the last post: this is not intended to be secure or anything; it should just serve the purpose of being easy to set up and work out of the box while being able to create certificates with Derek Seaman’s SSL toolkit, which should also be the requirement for the VSS Labs vCert Manager, and create vSphere basic stack compliant certificates.
Derek Seaman has done a great job describing how to create a template for VMware View on 2008 and how to set up an intermediate CA structure in Windows Server 2012R2.
I tried going through the latter and found the procedure pretty elaborate for my own lab purposes, so I thought about setting up a CA that will still work with his SSL toolkit but can be set up in about 10 minutes.
And another Twitter request that leads up to some experimenting with what you can do without relying on the installer.
Anyone renamed a vCenter 5.5 installation?
— Jason Nash (@TheJasonNash) 28 May 2014
Challenge accepted. The victim VC will be my own lab environment VC, so this had better work in the end. Jason provided additional information that would make this procedure possible: the vCenter Server was a self-contained instance, not running any dependencies from the upper stack.
Disclaimer: This is not a tested or officially approved procedure by VMware by any means. Use at your own risk, don’t come to me complaining if everything breaks, DO A BACKUP! The proper way would be a reinstall of the binary packages against existing databases.
As Michael Webster pointed out on Twitter, vExperts have the possibility to test out the vCert Manager from VSS Labs.
@mwVme Absolutely. It’s available to all vExperts for 2 vCenters and up to 10 hosts.
— Michael Webster (@vcdxnz001) 20 April 2014
After a little back and forth with Michael due to some email issues I finally received the download and test license last week.
This will be a short series on how to install the product, integrate it with a Windows CA, request, extend and replace certificates for hosts and vCenter Server components and finally see if it actually can solve my “nasty” lab in which I pretty much reproduced every customer issue that I ran into so far in one single VM.
Contrary to what is mentioned on the VSS Labs website, the tool can actually cope with vCenter Server and ESXi 5.5.