vCSA 6.5 Upgrade Fail – Migration Assistant & VUM

I, like many have recently tried to update my vCSA 6.0 to 6.5. Part of this work involves running the migration assistant on the existing Windows Server running VMware Update Manager.

I had a failure recently and there was nothing noting how to fix it. The issue was trying to run the Migration assistant, entering in the administrator@vsphere.local password and getting a big fail message.

Error message:

vumerror2


Error: A problem occurred during authentication to the legacy vCenter Server using the provided credentials. Resolution make sure the vCenter Server is up and running. Verify you have entered the correct credentials.

Now, before I started my upgrade (blogs to follow) I checked I had all my passwords and that they were correct. I went as far as logging in to everything to test this, so I know the password was correct.

VUM was working through console and services were there, so what was the issue?

Then I remembered that a while ago I applied SSL Certificates to the vCSA for some automation testing!

The fix:

1) Login to the VUM server

2) Navigate to C:\Program Files (x86)\VMware\Infrastructure\Update Manager (or install path of your environment)

3) Load the VMwareUpdateManagerUtility.exe and login with SSO Admin (it worked!)

4) Navigate to “re-register vCenter Server” and enter in the details again.
vumerror5

5) Restart the VMware Update Server Service when prompted.

6) Retry the Migration Assistant
vumerror4

7) Success!

I couldn’t find any articles detailing the fix when I encountered this issue, so hopefully this will help someone in need of a quick fix! 🙂

Enjoy!

Recent training and certification

It’s been a while since my last post but thought I would write about my most recent technology related experiences. I’ve been quite lucky in that I’ve been sent on multiple training courses with work recently which have really enabled me to learn some new skills and build on ones that I already had…

vmwarelogo


VMware vSphere 6: Design and Deploy

I had the pleasure of attending the most recent version of the advanced vSphere course in London a few weeks ago. The actual course information can be found here:

VMware vSphere: Design and Deploy Fast Track [V6]

I was very lucky to be staying in the QA Training building overlooking Tower Bridge which was an excellent place to study, if anyone is ever training in the UK I’d recommend it!

The course was lead by Gareth Baguley (no relation to Joe) who has been a VMware trainer for quite some time. It was evident by his knowledge on all things vSphere, clearly a passion of his. When a guy remotes in to their home labs to demonstrate technology and concepts then you know you are in the right room!

The technical level was just right for VCAP study. The actual content is split around 50:50 between the VCAP-DCA/DCD material. Having passed the VCAP DCA in 5.5 I was very much more interested in VMware’s design methodologies and concepts. On a personal note I wish the design was a larger part of the course but it was still invaluable to progress to the DCD (soon!).

Overall I’d highly recommend this for anyone who is either looking to progress from VCP to VCAP or for those who might be very into VMware but wants course to attend. Once you have attended this course you are able to sit all certifications. This might be good for veterans who have expired VCP’s but don’t want to sit through VCP level study. I’m definitely aiming to do the V6 DCD in the next year .

Red Hat Training

redhatlogo

Also in the past month or so I’ve been lucky enought to attend 2 weeks of Red Hat Linux 7 training:

RH124
RH134

The first course was more of an introduction into basic RHEL administration. This is a great course as an absolute back to basics style where if you have no previous knowledge you will be in good hands. I found parts of it a little slow but also at the same time it filled in quite a few gaps in my knowledge; not being from a Linux background, having only dabbled in the past.

The second course was a bit more in depth and started to go a bit more advanced into things like storage, security, networking and other concepts which are vital to any system administrator. At the end of the weeks course I had a 2.5 hr exam which reminded me very much of the VCAP-DCA I did for VMware 5.5. Fully practical exam which followed the course material very well and was true to the blueprint that Red Hat publish.

I sat the exam and there were some tricky parts that I had not quite fully prepared for. I managed to take my time and work through the problems, ultimately coming out thinking I’d done well enough for a pass. The following day I received a notification stating that I obtained a score of 283/300 which I was very happy with!

I’m going to start study for the VCAP-DCD and possibly RHCE in the future so will post my experience in order to hopefully help anyone who stumbles across my ramblings!

Dude! Where’s my vCSA SSL Cert chain?

Well, it certainly has been a while since my last post. The justification for my absence in recent months is due to the birth of my son! He is our first and so work/career life has taken a bit of back burner so I can enjoy family time being a new Dad. It’s a great experience and I’m loving it!

Right, to the issue at hand. Recently, a few of my colleagues were working on applying SSL certificates to a vCSA which drives our test environment. We were applying a trusted third party SSL certificate (from Quo Vadis) to our appliance and used the following KB:

Replacing vSphere 6.0 SSL Certificate with a custom CA Signed Cert

However, we needed to modify the .CSR but were having difficulty so this KB cleared things up for us:

Certificate Manager Utility not utilizing certool.cfg for CSR generation

Finally, we had what we needed but kept seeing roll back. This was because we had to download the certificate chain and present it to vCenter using this KB:

Replacing certificates using VMware vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback

This appeared to work. Browsing to the web console of the vCSA showed a valid certificate from a variety of browsers on Windows machines but something wasn’t quite right our bespoke provisioning system stopped working..

Upon a little investigation when connecting via openssl to the vCSA address, we received the errors:

“Unable to get local issuer certificate”
“certificate not trusted”
“unable to verify the first certificate”

This was a problem for us as our bespoke provisioning system was not able to establish a connection to the vCSA.

The full error output is here (I appreciate it’s not code but its much easier to read on my blog):

My colleague resolved the issue by noting that the proxy configurations for service endpoints were not updated with the intermediate certificate. This can be fixed by doing the following:

1) Navigate to /etc/vmware-rhttpproxy/ssl on the vCSA.

2) Note the trustedCerts.pem file which upon initial investigation has no content! Copy and paste in the content of your Intermediate certificate (from your issuing CA) into trustedCerts.pem.

vcsaSSL3

3) Open config.xml file an an editor and find the line:

vcsaSSL1

4) Uncomment the line to ensure it is read in the config:

/etc/vmware-rhttpproxy/ssl/trustedCerts.pem

vcsaSSL2

5) Save the file and run a service restart:

Once complete, with another test to openssl the following should be observed – error free:

That is it really, nothing too special. We couldn’t find this fix in any of the VMware KB articles detailing SSL certificates. For most people, I doubt that would even notice due to browsers understanding the chain already with their built-in trusts. When you are programatically accessing the vCSA to make API calls, that is when the fun started.

100% of the credit and hardwork goes to my colleagues @claytonpeters and @dfgrain.

vROPS 6.2 for Horizon: Broker Agent

In the last post of this mini-series, I’m going to be covering the broker agent install and configuration which is required for a View environment to talk to vROPS. The agent resides on a connection server of your choosing and reports back to vROPS to get all the fancy stats that you need.

Broker Agent Config

1. The first thing you need to do is to login to the vROPS appliance to change the firewall. At first login, use root and no password. You will be prompted to change the no password to something of your choosing!

brokeragent1

2. Run the following commands once logged in:

brokeragent2

3. You will find yourself in the firewall config, at which point you need to amend the open TCP ports list to include the range as documented here.

brokeragent3

4. Save the config and restart the firewall with a

brokeragent4

5. Once complete, login to one of your connection servers. Run the broker agent installer that you’ve downloaded. Simple install, run the configuration utility when you’re done.

brokeragent5

brokeragent6

brokeragent7

6. At the config screen, enter in the IP/FQDN of your vROPS server. Enter in the pairing key as configured in my previous post. Select Pair and after a successful test, select Next.

brokeragent8

brokeragent9

7. On the next screen, enter in the details of a Horizon Administrator configured on your View Admin page. I use a service account for this, Test it and then click next.

brokeragent10

NB: During the original install (which was actually an upgrade), I had problems being unable to ever connect/test for the credential or the DB. It turns out this was due to the “locked.properties” file in the View installaton fodlers which was there from a legacy version of Horizon View and setting default protocol to HTTP. I deleted the file and everything started to work.

8. The next page, configure the username and password that is configured for the Event DB. I used the same account that is already configured in the View Admin portal. Test it and click next.

brokeragent11

9. If you wish, you can change the interval and timeouts, I left mine at default.

brokeragent12

10. Similarly, it is possible to change the logging level if you rewquire more information on the broker agent. Useful for troubleshooting agent issues.

brokeragent13

11. Make sure the service is running and then click Finish.

brokeragent14

brokeragent15

12. Login to the vROPS admin portal, navigate to “Inventory Explorer” and find “View Adapter Instance” in the list. You can see the credential you conifgured and paired with View. This should start showing objects collecting which proves that the agent on the connection server is sending stats through to vROPS. If this doesn’t change, something is wrong!

brokeragent16

The best thing is to leave vROPS alone now and give it a good amount of time before the decent statistics start to come in.
It is also worth configuring the vCenter that controls the VDI infrastructure hosts into vROPS too, so that vROPS has the complete picture of the entire platform.

This ends the vROPS for Horizon 6.2 series, I hope it’s been useful!

vROPS 6.2 for Horizon: View Adapter

In this post I’m going to be running through the additional configuration required to get the newly installed vROPS working with Horizon View, specifically the Horizon Adapter. There are a few additional specific configuration options that are required above and beyond standard vROPS which follow on from my previous two posts on this subject.

View Adapter Configuration

To get this part of the installation working, you must have downloaded the vROPS View Adapter.pak file from the VMware site.

1. From within the vROPS admin portal, select “Solutions” in the navigation pane. Click the green plus symbol to add a solution and browse to the ViewAdapter.pak file.

ViewAdapter1

2. Select upload and when complete, select Next.

ViewAdapter2

3. Accept the EULA and move on, this next step whilst the solution installs can take 15+ minutes so grab a coffee at this point!

ViewAdapter3

ViewAdapter4

4. After this was complete, I repeated the same process but installing the Management Pack for storage devices for extra VSAN visibility.

ViewAdapter5

5. Once finished. Navigate to the licensing tab on the navigation pane. Select the VMware Horizon Licensing and select edit.

ViewAdapter6

6. Under the vROPS for Horizon option, ensure the license key entered earlier is selected and hit next.

ViewAdapter7

7. Things get a bit mad here. The only understanding I have of it is to associated objects that are VDI specific to the Horizon license.

In the first Select the Object Type that matches all of the following criteria drop-down menu,select Host System, define the criteria Relationship, Descendant of, is, and type. All Hosts in the Object name text box.
In the second Select the Object Type that matches all of the following criteria drop-down menu,select Virtual Machine, define the criteria Relationship, Descendant of, is, and type. All Desktop VMs in the Object name text box.
In the third Select the Object Type that matches all of the following criteria drop-down menu,select Datastore, define the criteria Relationship, Descendant of, is, and type. All Storage in the Object name text box.

ViewAdapter8

8. Hit next and finish when done.

ViewAdapter9

9. Next up, head to the licensing tab on the navigation pane. Select the Product Licensing and select edit.

ViewAdapter10

10. Under the vRealize Operations Manager option, ensure the license keys entered earlier is selected and hit next.

ViewAdapter11

11. There is some more magic that now needs to be done, similar to step 7.

In the first Select the Object Type that matches all of the following criteria drop-down menu, select Host System, define the criteria Relationship, Descendant of, is not, and type All Hosts in the Object name text box.
In the second Select the Object Type that matches all of the following criteria drop-down menu, select Virtual Machine, define the criteria Relationship, Descendant of, is not, and type All Desktop VMs in the Object name text box.
In the third Select the Object Type that matches all of the following criteria drop-down menu, select Datastore, define the criteria Relationship, Descendant of, is not, and type All Storage in the Object name text box.

ViewAdapter12

12. When complete, hit next and finish.

ViewAdapter1

13. Head back to the solutions section and select VMware Horizon. Click the Cogs symbol to edit…

ViewAdapter1

14. Select the Horizon Adapter and then the green cross to add an instance.

ViewAdapter1

15. Enter in the name and also a key that you can use later to pair your servers with. This can be anything secure. Click OK and Save the settings of the Adapter.

ViewAdapter1