Split SSO Server in vSphere 5.5

Problem:

Our current setup involved several vCenter 5.5 Servers poining to a single SSO server. A requirement arose which required each vCenter to point to its own SSO server.

 

sso_migration1

Current SSO Server:   sso01.jordansphere.co.uk (10.0.0.1)
New SSO Server:        sso02.jordansphere.co.uk (10.0.0.2)
vCenter Server:           vCenter.jordansphere.co.uk (10.0.0.10)
vCenter Server:           vCenter2.jordansphere.co.uk (10.0.0.20)
Vcenter SQL Server:   sql01.jordansphere.co.uk (10.0.0.30)

 

The following steps show how to move the vCenter (vcenter2.jordansphere.co.uk) and relevant services to point to the new SSO server (sso02.jordansphere.co.uk). The information has been extracted into a watered down, simple guide from VMware KBs 2127992 & 2033620 . The following steps assume the defaults were chosen when installing vCenter (eg default install directory).

 

Preinstallation

  1. Take snapshot of vCenter server (vCenter2.jordansphere.co.uk )
  2. Take snapshot of SSO server (sso01.jordansphere.co.uk ) 

Extra precaution:

  1. Backup vCenter DB

 

1. Document the existing VMware vCenter Single Sign-On permissions used within your VMware vCenter Single Sign-On domain

  1. Identity Sources
  2. Password Policies
  3. Lockout Policies
  4. Token Policies
  5. Single Sign-On Users and Groups added after install

 

2. Deploy a new VMware vCenter Single Sign-On machine

Deploy new Windows Server from template. Ensure VM has FQDN and DNS resolution.

Mount installer and install SSO

When prompted, create a new VMware vCenter Single Sign-On domain. Do not join another VMware vCenter Single Sign-On domain or instance

 

3. Repoint Web Client to new SSO Server

Log on as an administrative user to the VMware vCenter Server machine.

To register the vSphere Web Client with a different vCenter Single Sign-On Lookup Service:

Open a command prompt.

Change directory to:

cd C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts

Run the client-repoint.bat command to register the vSphere Web Client with a different vCenter Single Sign-On and Lookup Service:

client-repoint.bat lookup_service_url "single_sign_on_admin_user" "single_sign_on_admin_password"

For vCenter Server 5.5:

client-repoint.bat https://sso02.jordansphere.co.uk:7444/lookupservice/sdk "[email protected]" "[email protected]"

In this example, 7444 is the default HTTPS port number for vCenter Single Sign-On. If you use a custom port, replace the port number in the example with the port number you use. The quotation marks are required to escape special characters in the Single Sign-On user name and password.

 

4. To re-register the Inventory Service with vCenter Single Sign-On

Open a command prompt on the Inventory Service host machine and change directory to:

 

cd C:\Program Files\VMware\Infrastructure\Inventory Service\scripts

Note: Ensure %TOOL_DIR% has quotation marks in  

C:\Program Files\VMware\Infrastructure\Inventory Service\regTool.cmd 

On the line beginning with SET LOG4J_CONF makes sure it reads "%TOOL_DIR%"

 

Run the is-change-sso.bat command to update the stored configuration information of the Inventory Service:

 

is-change-sso.bat ssoServerUrl "ssoAdminuser" "ssoAdminPassword"

 

In vCenter Server 5.5:

is-change-sso.bat https://sso02.jordansphere.co.uk:7444/lookupservice/sdk "[email protected]" "[email protected]"

In this example, 7444 is the default HTTPS port number for vCenter Single Sign-On. If you use a custom port, replace the port number in the example with the port number you use. The quotation marks are required to escape special characters in the Single Sign-On user name and password.

 

Restart the Inventory Service:

net stop vimQueryService
net start vimQueryService

The vCenter Inventory Service URL configuration is now updated and the Inventory Service is re-registered with vCenter Single Sign-On.

 

5. Repoint VMware vCenter Server to the new VMware vCenter Single Sign-On deployment

Open a command prompt on the vCenter Server host machine as administrator.

Change directory to:

cd C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool

Unzip the sso_svccfg.zip file the change directory

cd C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg

 

Run this command to register vCenter Server to a different Single Sign-On instance:

repoint.cmd configure-vc –lookup-server lookup_service_url –user single_sign_on_admin_user –password single_sign_on_admin_password –openssl-path "path_to_OpenSSL_bin_directory/"

 

The openssl-path path must be enclosed in quotation marks and followed by a trailing forward slash. The openssl-path parameter is required to update the trust store with the new Lookup Service and Single Sign-On certificates. If you do not provide it, the command is executed successfully, but you must manually update the certificate trust store. For more information about updating the certificate trust store for vCenter Server components, see Implementing CA signed SSL certificates with vSphere 5.1 (2034833).

In vCenter Server 5.5:

repoint.cmd configure-vc --lookup-server https://sso02.jordansphere.co.uk:7444/lookupservice/sdk --user "[email protected]" --password "[email protected]" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"

In this example, 7444 is the default HTTPS port number for vCenter Single Sign-On. If you use a custom port, replace the port number in the example with the port number you use. The quotation marks are required to escape special characters in the Single Sign-On user name and password.

 

 

Restart the VMware VirtualCenter Server and the VMware VirtualCenter Management Webservices services:

  • In the Administrative Tools control panel, click Services.
  • Right-click VMware VirtualCenter Server and click Restart.
  • Right-click VMware VirtualCenter Management Webservices and click Restart.

 

Edit 20/07/18 –

If you are still getting a re-direct issue after the repointing then check this page: http://www.jordansphere.co.uk/vsphere-webclient-not-redirecting-after-sso-repoint/