Installing VMware Virtual Centre 5.1 with that stupid SSO

VMware used to be very good at releasing stable, mature and sensible upgrades, though of late that seems to have gone a bit wonky. The latest vSphere release, 5.1, is a bit of a headache to install due to the inclusion of RSA's SSO module. RSA is another part of EMC, the ultimate owner of VMware.
Now the cynical may see this as a way of getting RSA product into companies. If that is the case it will backfire spectacularly, as RSA products have generally been a bit clunky, unintuitive to use and difficult/pernickety to install and configure. I remember needing to set the time on our RSA server to not use Daylight Saving Time, as the RSA product couldn't cope with it.
Unfortunately the SSO module in the current 5.1 install of Virtual Centre seems to have its own problems. Despite its best efforts it fails miserably to find AD; it suggests that maybe AD is not installed, not running, or that there is some other problem with the environment, clearly indicating that the shortfall in performance is nothing to do with its own inadequacies. It does say you can fix this at the end of the install when everything is up and running, but doesn't at any stage tell you how.

So here is how to do it.

First, there are three ways to set up SSO: a single instance (Basic); a High Availability cluster, which is a cluster; and Multisite mode, which has no failover and appears to be the same as Basic mode but on different sites that don't seem to connect together, so I am not sure why there is a different install option.
You only appear to need one SSO per physical site, so you should be able to get your VCs talking to it, though I haven't got this far yet. If you lose the SSO I believe that you will not be able to log in to the VC, but I may be wrong, so one SSO per VC may be preferable. The SSO can be installed on a separate server if required, though whether you choose to put the DB on a separate SQL server may be a step too far for some; regular backups of the DB are advisable even if using the SQL Express option.
There's not much help as to which you should choose or the consequences of choosing one over the other, or whether the High Availability option is a must.
To be honest the easiest way is just to go for Basic for each site. I can't actually see any difference between Multisite and Basic anyway, and if you are into High Availability you will probably know more than me or have access to someone who understands all this nonsense (for a small fee).

Officially these are the descriptions:
Basic
Basic mode installs a standalone version of vCenter Single Sign-On. Multiple vCenter Server and Inventory Service instances can point to it. If the Single Sign-On server or the virtual machine hosting the server fails, administrators cannot access vCenter Server, but ESXi hosts continue to function normally.
Multiple Active Directory and OpenLDAP instances can be added as identity sources.
High Availability Cluster
Cluster mode installs two or more vCenter Single Sign-On instances in high availability mode. All instances use the same database and point to the same identity sources. Single Sign-On administrator users, when connected to vCenter Server through the vSphere Web Client, will see the primary Single Sign-On instance.
Multisite
Multisite mode is designed for deployments with multiple physical locations. Installing a Single Sign-On instance at each site allows fast access to local authentication-related services. Each Single Sign-On instance is connected to the local instances of the AD (LDAP) servers and has its own database with local users and groups. In each datacentre, you can install Single Sign-On in standalone or clustered mode, pointing to the identity sources in that location.

The big question is: can you get the benefits of Multisite (whatever they are) if you choose High Availability? As you can see this is all as clear as mud, with little help coming from VMware.

Finish the install of all the VC components including the Web Client because you will need it.

Then do the following:
1. Log in to the vSphere Web Client as admin (admin@System-Domain, the default admin added during the SSO install and the one with the excessively complicated password). You can log in as the local server Administrator user, but you don't get the option to configure SSO.
2. Go to Administration -> SSO Users and Groups.
3. Go to the Groups tab and click on __Administrators__.
4. Click on the little man icon to Add Principals.
5. Select the local vCenter server as the identity source and search for the local Administrators group.
6. Then add it and click OK.
7. Log in as the local user.
8. You should see the vCenter listed after you log in.

To add an LDAP source do the following:

Go to the vSphere Web Client -> Administration -> Sign-On and Discovery -> Configuration + Add Identity Source

Fill in the pop-up screen:
Name: name of the connector, anything you like
Primary Server URL: this should be in the format ldap://Servername.Domain_name
Base DN for Users: this should be in the format OU=OU_name,DC=domain,DC=com
Base DN for Groups: this should be in the format OU=OU_name,DC=domain,DC=com
Domain name: Domain_name.com
Username: a user account that can make LDAP connections to AD
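Since the install gives no feedback on why an identity source fails, it helps to sanity-check the four fields against each other before typing them into the dialog: the server host should sit in the domain you name, and both base DNs should have DC components that spell out that same domain. The checker below is an added example, not VMware's code or anything from this post; it assumes only that the URL scheme is ldap:// or ldaps:// and that the sample values (dc01.example.com, example.com) are constructed.

```python
import re
from urllib.parse import urlsplit

# One RDN of a DN: attribute=value, e.g. "OU=Servers" or "DC=example".
RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")

def split_dn(dn):
    """Split a DN into (ATTR, value) pairs; a backslash escapes the next char."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if not escaped and ch == ",":
            parts.append(cur)
            cur = ""
            continue
        escaped = ch == "\\" and not escaped
        cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        m = RDN.match(part.strip())
        if not m:
            raise ValueError("malformed RDN %r" % part)
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns

def dn_domain(dn):
    """Join the DC components of a DN into a DNS name, e.g. example.com."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC").lower()

def check_identity_source(server_url, users_dn, groups_dn, domain):
    """Return inconsistencies between the form fields; empty list if none."""
    problems = []
    url = urlsplit(server_url)
    # Assumption: SSO accepts ldap:// and ldaps://; only ldaps:// is encrypted.
    if url.scheme not in ("ldap", "ldaps"):
        problems.append("Primary Server URL must start with ldap:// or ldaps://")
    elif not url.hostname:
        problems.append("Primary Server URL has no host name")
    elif not url.hostname.lower().endswith("." + domain.lower()):
        problems.append("host %s is not in domain %s" % (url.hostname, domain))
    for label, dn in (("Users", users_dn), ("Groups", groups_dn)):
        try:
            found = dn_domain(dn)
        except ValueError as exc:
            problems.append("Base DN for %s: %s" % (label, exc))
            continue
        if found != domain.lower():
            problems.append("Base DN for %s spells %r, not %r" % (label, found, domain))
    return problems
```

A base DN whose DC parts spell a different domain than the Domain name field is the mistake this catches most often; the host-name check is the one the installer's "AD not found" message hides.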

You can then add domain groups and users to the permissions by selecting the connection you named above in the Add Principals dialog and then selecting the required users or groups. You should be able to log in to the Web Client by ticking the user authentication box on the initial screen, and also when using the normal desktop client.
Once the LDAP connection is set up you can add permissions in the normal way in the desktop client, by right-clicking, adding a permission and then selecting the LDAP connection by name.

There is a suggestion that the DB doesn't get created properly and that you should create it in advance, but I have yet to see this. Way to go VMware: a great implementation of a feature that adds little but causes more wasted time and effort than anything you have ever done.

Would I buy an RSA product? Not a chance.

When I get around to doing an upgrade from 4.1 I shall write up my experiences, as I am sure they will be eventful, if I can work out whether to use the existing SSO or do a separate install per VC, assuming I can work out how to do that of course.
