Because VMware does not use the VMware SSL Certificate Automation Tool for the vCenter Server, vSphere Web Client and Log Browser services, you must create the rui.pfx file for these services manually before continuing.

1. Open an elevated command prompt as an administrator.
2. Change directory to the location of the OpenSSL binaries. VMware uses the OpenSSL binaries installed in the Inventory Service installation directory.

cd "C:\Program Files\VMware\Infrastructure\Inventory Service\bin"

3. Create the PFX file by running the OpenSSL command:

openssl pkcs12 -export -in C:\Certs\<Service>\chain.pem -inkey C:\Certs\<Service>\rui.key -name "rui" -passout pass:testpassword -out C:\Certs\<Service>\rui.pfx

Note: Repeat the above command to create the rui.pfx file for each of the vCenter Server, vSphere Web Client and Log Browser services.

4. Set the JAVA and PATH environment variables by running these two commands:

SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components

SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin

5. Start the vCenter SSL Automation Tool (the ssl-updater.bat file) and run the following tasks:

a. Update the Single Sign-On SSL certificate
b. Update the Inventory Service trust to Single Sign-On
c. Update the Inventory Service SSL certificate
d. Update the vCenter Server trust to Single Sign-On

Note: Do not close the SSL Automation Tool at this point; you will return to it later.

6. Place the new vCenter Server service certificate in C:\ProgramData\VMware\VMware VirtualCenter\SSL\:

mkdir "C:\ProgramData\VMware\VMware VirtualCenter\SSL\old"

move "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui*" "C:\ProgramData\VMware\VMware VirtualCenter\SSL\old"

copy C:\Certs\vCenterServer\rui.* "C:\ProgramData\VMware\VMware VirtualCenter\SSL\"

7. Reset the vCenter Server service database password by running the following commands:

cd "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\"

vpxd.exe -p

Note: When prompted, enter the password of the account that vCenter Server uses to communicate with the vCenter Server database.

8. List the services registered with Single Sign-On by running:

ssolscli listServices https://vc55.domain.com:7444/lookupservice/sdk

Service 6

-----------
serviceId={715F8796-C93B-4F8D-ABD0-7B4EE6CDA9B3}:26
serviceName=vCenterService
type=urn:vc
endpoints={[url=https://vc51.domain.com:443/sdk,protocol=vmomi]}
version=5.1
description=vCenter Server
ownerId=vCenterServer_XXXX.XX.XX_XXXXXX@System-Domain
productId=<null>
viSite={715F8796-C93B-4F8D-ABD0-7B4EE6CDA9B3}

9. Check and record the ownerID of the vCenter Server service:

vCenterServer_XXXX.XX.XX_XXXXXX

Note: Do not include ownerId= or @vsphere.local.

10. Unregister the vCenter Server serviceID from Single Sign-On by running:

ssolscli unregisterService -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -si "C:\ProgramData\VMware\VMware VirtualCenter\LS_ServiceID.prop"

11. Unregister the vCenter Server SolutionUser from Single Sign-On by running:

ssolscli unregisterSolution -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -su vCenterServer_XXXXXXXX

12. Re-register vCenter Server with Single Sign-On by running the following commands:

Unzip sso_svccfg.zip located at "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\"

cd "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg"

repoint.cmd configure-vc --lookup-server https://vc55.domain.com:7444/lookupservice/sdk --user administrator@vsphere.local --password VMware123$ --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"

Note: The command completes but reports that the VMware VirtualCenter Server service may fail to restart. This is expected. Continue with the next step.

13. The repoint.cmd command leaves the certificate and privateKey fields in the vpxd.cfg file empty. Repopulate the vpxd.cfg file with the correct paths.

copy "C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg" "C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg.backup"

notepad "C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg"

Find the <certificate> and <privateKey> tags as below:

<solutionUser>
<certificate>null</certificate>
<name>vCenterServer_XXXX.XX.XX_XXXXXX</name>
<privateKey>null</privateKey>
</solutionUser>

Replace "null" with the correct paths to the vCenter Server rui.crt and rui.key:

<solutionUser>
<certificate>C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.crt</certificate>
<name>vCenterServer_XXXX.XX.XX_XXXXXX</name>
<privateKey>C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.key</privateKey>
</solutionUser>

Note: If the above tags do not exist, add them.

14. Start the VMware VirtualCenter Server service by running:

net start vpxd

15. Return to the vCenter SSL Automation Tool (the ssl-updater.bat file) and run the following tasks:

a. Update the vCenter Server trust to Inventory Service
b. Update the Inventory Service trust to vCenter Server
c. Update the vCenter Orchestrator trust to Single Sign-On
d. Update the vCenter Orchestrator trust to vCenter Server
e. Update the vCenter Orchestrator SSL certificate

Note: The Orchestrator tasks are optional, depending on whether that component is in use.

16. List the services registered with Single Sign-On by running:

ssolscli listServices https://vc55.domain.com:7444/lookupservice/sdk

Identify the services for both Log Browser and vSphere Web Client:

Service 5

-----------

serviceId= Default-First-Site:f0c6df23-47bb-47de-ab4f-2e3de4f65bcf
serviceName=VMware Log Browser
type=urn:logbrowser:logbrowser
endpoints={[url=https://vc55.domain.com:12443/vmwb/logbrowser,protocol=unknown],[url=https://vc55.domain.com:12443/authentication/authtoken,protocol=unknown]}
version=1.0.2175565
description=Enables browsing vSphere log files within the VMware Web Client
ownerId= WebClient_XXXX.XX.XX_XXXXXX
productId=
viSite=Default-First-Site

Service 6

-----------

serviceId= Default-First-Site:37a10eec-7d36-415a-9266-507b5dee824c

serviceName=VMware vSphere Web Client
type=urn:com.vmware.vsphere.client
endpoints={[url=https://vc55.domain.com:9443/vsphere-client,protocol=vmomi]}
version=5.5
description=VMware vSphere Web Client Service
ownerId= WebClient_XXXX.XX.XX_XXXXXX
productId=
viSite=Default-First-Site

17. Check and record the ownerID of the VMware vSphere Web Client service:

WebClient_XXXX.XX.XX_XXXXXX

18. Create the service_id files for Log Browser and vSphere Web Client by running:

echo Default-First-Site:f0c6df23-47bb-47de-ab4f-2e3de4f65bcf >> logbrowser_id

echo Default-First-Site:37a10eec-7d36-415a-9266-507b5dee824c >> webclient_id

19. Unregister the Log Browser serviceID from Single Sign-On by running:

ssolscli unregisterService -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -si logbrowser_id

20. Unregister the vSphere Web Client serviceID from Single Sign-On by running:

ssolscli unregisterService -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -si webclient_id

21. Unregister the vSphere Web Client SolutionUser from Single Sign-On by running:

ssolscli unregisterSolution -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -su WebClient_XXXX.XX.XX_XXXXXX

Note: The Web Client and Log Browser services share a single solution user.

22. Copy the new Log Browser and vSphere Web Client certificates to their respective locations:

mkdir "C:\ProgramData\VMware\vSphere Web Client\ssl\old"

move "C:\ProgramData\VMware\vSphere Web Client\ssl\rui*" "C:\ProgramData\VMware\vSphere Web Client\ssl\old"

copy "C:\Certs\vCenterWebClient\rui*" "C:\ProgramData\VMware\vSphere Web Client\ssl\"

mkdir "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\old"

move "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\rui*" "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\old"

copy "C:\Certs\vCenterLogBrowser\rui*" "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\"

23. Re-register Log Browser and vSphere Web Client with Single Sign-On:

cd C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts

client-repoint.bat https://vc55.domain.com:7444/lookupservice/sdk "administrator@vsphere.local" "VMware123$"

24. Open a web browser, go to the following URLs and verify the certificate presented by each:

Single Sign-On https://vc55.domain.com:7444/lookupservice/sdk
Inventory Service https://vc55.domain.com:10443
vCenter Server https://vc55.domain.com:443
vRealize Orchestrator 
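As an added example (not part of the original article or of any VMware tooling), the following Python script parses `ssolscli listServices` output in the layout shown in steps 8 and 16: it extracts each service's serviceId for the service_id files used with unregisterService, derives the bare owner ID that unregisterSolution -su expects as the step 9 note requires, and splits off the version field that the tool prints fused onto the endpoints line. The sample output is constructed with placeholder IDs.

```python
import re

# Constructed sample of `ssolscli listServices` output (steps 8 and 16); IDs are placeholders.
SAMPLE_OUTPUT = """Service 5
-----------
serviceId= Default-First-Site:f0c6df23-47bb-47de-ab4f-2e3de4f65bcf
serviceName=VMware Log Browser
type=urn:logbrowser:logbrowser
endpoints={[url=https://vc55.domain.com:12443/vmwb/logbrowser,protocol=unknown]}version=1.0.2175565
ownerId= WebClient_XXXX.XX.XX_XXXXXX

Service 6
-----------
serviceId={715F8796-C93B-4F8D-ABD0-7B4EE6CDA9B3}:26
serviceName=vCenterService
type=urn:vc
endpoints={[url=https://vc51.domain.com:443/sdk,protocol=vmomi]}
ownerId=vCenterServer_XXXX.XX.XX_XXXXXX@System-Domain
"""


def parse_services(text):
    """Return one dict of key/value fields per 'Service N' block."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"Service \d+", line):
            current = {}
            services.append(current)
        elif current is not None and "=" in line:
            # The tool prints "}version=..." fused onto the endpoints line
            # (see step 16); split it off so version becomes its own field.
            for part in re.split(r"(?<=\})(?=version=)", line):
                key, _, value = part.partition("=")
                current[key.strip()] = value.strip()
    return services


def solution_user(owner_id):
    """Owner ID as the unregisterSolution -su switch expects (step 9 note):
    no 'ownerId=' prefix and no '@domain' suffix."""
    return owner_id.split("@", 1)[0].strip()


def service_ids_of_type(services, type_name):
    """serviceId values to write into a service_id file (steps 18 to 20)."""
    return [s["serviceId"] for s in services if s.get("type") == type_name]


if __name__ == "__main__":
    for svc in parse_services(SAMPLE_OUTPUT):
        print(svc["type"], svc["serviceId"], solution_user(svc["ownerId"]))
```

Run it against the real output saved from step 8 or 16 to avoid transcribing the serviceId and ownerId values by hand.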

References: