vSphere 6.x SSL Trust Anchors

In vSphere 6.x all services and components have Service Registration details recorded in the VMware Directory Service of the Platform Services Controller.

Each Service Registration can contain one or more Endpoint entries.

Each Endpoint may contain an SSL Trust value.

The SSL Trust value must always match the current Machine SSL certificate of the PSC, VC, or Embedded node it refers to.

If you use the Certificate-Manager from 6.0 U1b or later, the tool will take care of updating these entries. If you replace the Machine SSL certificate manually, or have used the tool before 6.0 U1b, then you may encounter this issue.


Automatically Configuring an F5 BIG-IP Load Balancer for PSC 6.0 HA

In this post I’ll explain how to deploy and configure an F5 Load Balancer for use with PSC 6.0 High Availability using a script to configure the F5. I got tired of manually configuring F5 Load Balancers for testing and lab building so I scripted the configuration and am sharing it here.

Disclaimer: The configuration of a 3rd Party Load Balancer is not supported by VMware. The 3rd party vendor should be engaged for support. The script in this post is not supported by VMware. Use at your own risk.

I used F5 BIG-IP v12 but have also tested on v11. Other versions may or may not work.


vSphere 6.0 Certificate Series

Updated: 12/09/2016

In this series I’m going to outline, step by step, how to replace your vSphere 6.0 certificates using VMCA as a Subordinate CA, and also how to replace them using exclusively your own CA without leveraging VMCA.

Replacing your vSphere 6.0 Certificates using VMCA as a Subordinate CA

NEW: Replacing your vSphere 6.0 Certificates using your own CA (no VMCA)

Replacing your vSphere 6.0 Certificates using a Hybrid model (Coming Soon)

Expired vCenter Server 5.x Certificates

A common issue seen by VMware Support is expired SSL certificates. In vCenter Server 5.1 and 5.5, recovering from expired certificates (without re-installing) requires a very specific set of instructions; otherwise you may end up needing to re-install.


Caution: Solution User Certificates in vSphere 6.0

In vSphere 6.0 you have Solution Users that internal vCenter/PSC services use to interact. These Solution Users use certificates to log into services and components instead of maintaining passwords.

You have the option to replace these certificates with your own certificates or use VMCA issued certificates.

To solve a separate problem, an update to the vSphere Certificate-Manager in 6.0 U1b added the ability for the user to specify the Certificate Subject information for each Solution User.

Update: vSphere 6.0 U3 has made improvements to the Certificate-Manager to prevent you from getting into this issue. You will only be asked to complete one cfg file, and the tool will automatically make a value unique using the Solution User ID.


Configuring PSC 6.0 High Availability with SSL Pass-through

Updated 29-08-2016

Configuring PSC HA to utilise SSL Pass-through basically means we don’t have any SSL Certificate on the Load Balancer VIP. To achieve this, all PSCs in the PSC HA Cluster are required to present the same certificate.

It also means that if you suspect your load balancer may be the cause of an issue, you can make vCenter bypass the load balancer and connect directly to a PSC by creating a hosts file entry on the vCenter which maps the IP of a PSC to the Load Balanced FQDN.
