Installing the new PSC certificates, Site 1
Copy the generated CA and PSC certificates to both PSCs
root@psc-s1-01 [ ~ ]# ls -1rt
psc-ha-vip-chain.crt
cachain.crt
psc-ha-vip.key
root@psc-s1-02 [ ~ ]# ls -1rt
psc-ha-vip-chain.crt
cachain.crt
psc-ha-vip.key
Run the certificate manager on the first PSC and, once the procedure is finished, run it on the second one as well (select option 1, then option 2)
root@psc-s1-01 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.0 Certificate Manager *** |
| |
| — Select Operation — |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 2
Please provide valid custom certificate for Machine SSL.
File : /root/psc-ha-vip-chain.crt
Please provide valid custom key for Machine SSL.
File : /root/psc-ha-vip.key
Please provide the signing certificate of the Machine SSL certificate
File : /root/cachain.crt
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Get site nameCompleted [Replacing Machine SSL Cert…]
site1
Lookup all services
Get service site1:31748e91-1463-43ee-a960-6954d794ee6a
Update service site1:31748e91-1463-43ee-a960-6954d794ee6a; spec: /tmp/svcspec_2WrjNm
Get service site1:a129f10d-623a-45bf-92a6-6dd22a12d435
Update service site1:a129f10d-623a-45bf-92a6-6dd22a12d435; spec: /tmp/svcspec_yuGSwB
Get service site1:49b0effc-fe2e-4d6a-8045-ba16ceca2cae
Update service site1:49b0effc-fe2e-4d6a-8045-ba16ceca2cae; spec: /tmp/svcspec_uQqoCm
Get service site1:034b6b2d-ac36-4774-93c2-44256bb8487c
Don't update service site1:034b6b2d-ac36-4774-93c2-44256bb8487c
Get service site1:a7df3720-fb5f-462e-b902-fa148cf38ada
Don't update service site1:a7df3720-fb5f-462e-b902-fa148cf38ada
Get service site1:1d739294-a449-4d5b-9a47-2958cf8cab07
Don't update service site1:1d739294-a449-4d5b-9a47-2958cf8cab07
Get service 9b6403b9-0b1a-4b91-8ec5-50c5df5a6225
Update service 9b6403b9-0b1a-4b91-8ec5-50c5df5a6225; spec: /tmp/svcspec_oo1N0d
Get service 478a3a5e-6025-426c-93e3-02b24f432da7
Update service 478a3a5e-6025-426c-93e3-02b24f432da7; spec: /tmp/svcspec_tmiHl_
Get service 434a56d0-616b-4e26-82ca-b92521c48ea8
Update service 434a56d0-616b-4e26-82ca-b92521c48ea8; spec: /tmp/svcspec_RIwXjm
Get service 610e586b-cf77-4847-ba30-0d9cbb1b9a3c
Update service 610e586b-cf77-4847-ba30-0d9cbb1b9a3c; spec: /tmp/svcspec_r5leSn
Get service 5cd6052c-a27a-43d8-a3e9-93537bc61a90
Update service 5cd6052c-a27a-43d8-a3e9-93537bc61a90; spec: /tmp/svcspec_Nr6hef
Get service e74bacf8-0f90-4235-97c2-3802ea885489
Update service e74bacf8-0f90-4235-97c2-3802ea885489; spec: /tmp/svcspec_H_tT5N
Get service 068f07fa-be02-4d49-9804-7a2e17ad2ee7
Update service 068f07fa-be02-4d49-9804-7a2e17ad2ee7; spec: /tmp/svcspec_Y2rTPq
Get service ea266d1b-a818-4348-8b44-4c258951a7d2
Don't update service ea266d1b-a818-4348-8b44-4c258951a7d2
Get service 13f1f62f-2e7a-4e6b-a0b2-be108dc43c9c
Don't update service 13f1f62f-2e7a-4e6b-a0b2-be108dc43c9c
Get service f1f776b2-b5d6-49bf-a335-91a8c434ff57
Don't update service f1f776b2-b5d6-49bf-a335-91a8c434ff57
Get service 41aa6b19-c1dd-4b10-8e1f-84ee361ef1c2
Don't update service 41aa6b19-c1dd-4b10-8e1f-84ee361ef1c2
Get service e2f91d73-03ba-429e-88f6-d43814bbf324
Don't update service e2f91d73-03ba-429e-88f6-d43814bbf324
Get service aee244b0-369f-4dd2-93f1-75b89b2ce727
Don't update service aee244b0-369f-4dd2-93f1-75b89b2ce727
Get service 601986ff-c2c8-467c-b21c-8ca2e2e7bc9b
Don't update service 601986ff-c2c8-467c-b21c-8ca2e2e7bc9b
Updated 10 service(s)
Status : 100% Completed [All tasks completed successfully]
Please restart all services in associated vCenter Server/s for changes made in Platform Service Controller machine to reflect
Perform restart operation on the vCenter Server/s by using 'service-control --stop --all' and 'service-control --start --all'
To verify the certificates, open a browser and enter the URL of each PSC
Let's run a few command-line checks on the PSCs
root@psc-s1-01 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text
Number of entries in store : 1
Alias : __MACHINE_CERT
Entry type : Private Key
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
80:4c:48:2e:48:bc:37:34
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, ST=Italy, L=Milan, O=Nvlabs, OU=Nvlabs.local, CN=Nvlabs Selfsigned CA/emailAddress=admin@nvlabs.local
Validity
Not Before: Jul 28 12:19:41 2017 GMT
Not After : Jul 26 12:19:41 2027 GMT
Subject: C=IT, ST=Italy, L=Rome, O=Nvlabs, OU=Nvlabs.local, CN=lb-psc-s1-01.nvlabs.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:3b:b8:cb:ed:d8:62:f0:ff:bb:08:71:dd:3c:
f6:81:d6:f2:36:0b:a8:ba:68:f8:01:31:96:b3:a5:
cd:35:d8:0c:14:98:f8:0c:be:51:d3:07:37:23:66:
24:29:dd:65:89:cb:1d:64:4b:c4:dd:2f:f1:4f:a5:
8f:3e:1e:61:da:d2:d6:cd:63:9a:fb:9a:ab:5e:f9:
c1:a4:39:58:4d:ed:47:3f:12:e0:06:82:3a:93:99:
ec:b6:3c:dc:95:d6:0d:63:b5:bb:02:b7:49:00:db:
3c:7f:b7:c8:af:e7:e9:20:f0:65:6c:db:35:fc:56:
9b:67:69:4a:76:6f:4e:e0:6c:8d:6f:2d:cf:dd:fc:
ba:08:c9:84:12:bd:fc:3b:70:85:09:70:58:7f:c5:
ae:c0:b7:ff:a6:93:42:32:42:6a:cb:fb:68:7e:84:
16:98:d4:c2:ff:3d:c1:d2:cf:50:b5:65:d7:5d:4d:
68:37:ad:cb:97:65:c4:85:d2:ea:8a:8a:62:57:0c:
e4:8a:a1:ac:df:32:85:13:53:b6:a3:7e:f5:a7:9a:
e0:44:a3:57:1a:54:7f:6c:49:2e:f9:c7:d9:18:cc:
31:d8:20:85:39:29:f8:dd:07:97:47:86:7a:69:0e:
ab:9c:43:12:f9:39:16:63:38:d9:0a:c5:36:c8:2b:
24:39
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:psc-s1-01.nvlabs.local, DNS:psc-s1-02.nvlabs.local, DNS:lb-psc-s1-01.nvlabs.local
Signature Algorithm: sha1WithRSAEncryption
82:68:92:f7:5e:15:74:c9:ba:a6:33:f8:48:c3:4a:60:a6:15:
ab:03:44:7b:67:11:76:9b:28:eb:99:31:3c:57:61:54:93:57:
ee:25:d5:ac:de:86:34:16:47:31:dd:dc:5e:ac:91:4d:53:b6:
3f:bb:df:f9:03:44:7f:04:db:14:0e:2b:e8:8f:0b:2f:b6:23:
77:88:64:a1:aa:42:a1:4e:fc:dc:44:2f:a7:18:c7:47:60:c8:
33:2b:bb:29:cd:67:8a:40:e7:c3:fc:bb:df:73:4e:d0:79:c0:
60:7f:ac:7a:62:94:e9:23:be:c9:5a:c9:c6:47:06:44:3f:8c:
12:9f:ba:0e:3f:e7:b3:4b:dd:55:16:39:9e:0b:f4:e0:f1:ae:
f3:c0:91:3b:33:1c:6b:de:3a:f7:57:51:76:f3:e8:f3:6b:95:
33:ca:f2:ae:db:ec:b1:10:5f:53:43:85:11:91:47:0f:1f:59:
63:be:81:c8:b5:3d:bd:5f:10:95:22:38:cc:39:f6:b5:8d:94:
54:33:a9:dc:ab:9c:55:83:c0:b7:c9:ed:94:f6:48:7a:1d:28:
09:81:21:7a:0c:97:bb:d8:fa:be:56:89:0a:98:d4:65:df:a5:
e2:b6:14:24:ef:77:97:d5:a3:d3:62:ec:ef:ef:3d:3f:45:57:
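Reading the dump by eye is error-prone, so here is an added example (not part of the original post, and not a VMware tool) that parses the text produced by `vecs-cli entry list --store MACHINE_SSL_CERT --text` and checks the fields that matter for the HA VIP: the SAN must list both PSC nodes and the load-balancer name, the certificate must be a leaf (CA:FALSE), the key must be at least 2048 bits, the expiry must not be near, and the signature algorithm must not be SHA-1 or MD5. The DNS names are the ones used in this post; the policy thresholds are assumptions. The embedded sample is a trimmed copy of the dump above (modulus and signature bytes left out); note that the check flags it, because the post's certificate is signed with sha1WithRSAEncryption, which current browsers and TLS clients reject.

```python
"""Post-replacement sanity check for the PSC Machine SSL certificate.

Feed it the output of
  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text
(as a file argument or on stdin); with no argument it checks the embedded sample.
Standard library only, written to run on Python 2.7 or 3 so it works on the appliance.
"""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample for offline runs: a trimmed copy of the vecs-cli dump shown
# in the post, with the modulus and signature hex bytes removed.
SAMPLE_DUMP = """\
Number of entries in store : 1
Alias : __MACHINE_CERT
Entry type : Private Key
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, ST=Italy, L=Milan, O=Nvlabs, OU=Nvlabs.local, CN=Nvlabs Selfsigned CA/emailAddress=admin@nvlabs.local
        Validity
            Not Before: Jul 28 12:19:41 2017 GMT
            Not After : Jul 26 12:19:41 2027 GMT
        Subject: C=IT, ST=Italy, L=Rome, O=Nvlabs, OU=Nvlabs.local, CN=lb-psc-s1-01.nvlabs.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:psc-s1-01.nvlabs.local, DNS:psc-s1-02.nvlabs.local, DNS:lb-psc-s1-01.nvlabs.local
"""

# Every name a client may use to reach the PSC pair: both nodes plus the LB VIP.
# The names come from the post; the policy values below are assumptions.
REQUIRED_DNS_NAMES = ("psc-s1-01.nvlabs.local", "psc-s1-02.nvlabs.local",
                      "lb-psc-s1-01.nvlabs.local")
WEAK_SIG_PREFIXES = ("md5", "sha1")
MIN_RSA_BITS = 2048
EXPIRY_WARNING = timedelta(days=30)


def parse_cert_text(text):
    """Extract the policy-relevant fields from an openssl-style text dump."""
    def first(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None

    san_line = first(r"Subject Alternative Name:\s*(DNS:.+)")
    not_after = first(r"Not After\s*:\s*(.+)")
    if not_after:
        # openssl prints times as e.g. "Jul 26 12:19:41 2027 GMT"
        not_after = datetime.strptime(not_after.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    key_bits = first(r"Public-Key:\s*\((\d+) bit\)")
    return {
        "sig_alg": first(r"Signature Algorithm:\s*(\S+)"),
        "not_after": not_after,
        "key_bits": int(key_bits) if key_bits else None,
        "is_ca": first(r"CA:(TRUE|FALSE)") == "TRUE",
        "subject_cn": first(r"Subject:.*?CN=([^,/\n]+)"),
        "dns_names": re.findall(r"DNS:([^,\s]+)", san_line) if san_line else [],
    }


def check_policy(cert, required_names=REQUIRED_DNS_NAMES, now=None):
    """Return a list of findings; an empty list means the certificate passes."""
    now = now or datetime.utcnow()
    findings = []
    if cert["sig_alg"] is None or cert["sig_alg"].lower().startswith(WEAK_SIG_PREFIXES):
        findings.append("weak or unknown signature algorithm: {}".format(cert["sig_alg"]))
    if cert["key_bits"] is None or cert["key_bits"] < MIN_RSA_BITS:
        findings.append("RSA key too small: {} bits".format(cert["key_bits"]))
    if cert["is_ca"]:
        findings.append("machine certificate carries CA:TRUE")
    missing = [n for n in required_names if n not in cert["dns_names"]]
    if missing:
        findings.append("SAN is missing: {}".format(", ".join(missing)))
    if cert["subject_cn"] and cert["subject_cn"] not in cert["dns_names"]:
        findings.append("subject CN {} is not listed in the SAN".format(cert["subject_cn"]))
    if cert["not_after"] is None or cert["not_after"] <= now:
        findings.append("certificate is expired or has no expiry")
    elif cert["not_after"] - now < EXPIRY_WARNING:
        findings.append("certificate expires within {} days".format(EXPIRY_WARNING.days))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_DUMP
    findings = check_policy(parse_cert_text(text))
    for finding in findings:
        print("FINDING: " + finding)
    print("OK" if not findings else "{} finding(s)".format(len(findings)))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on each node after the import (`vecs-cli entry list --store MACHINE_SSL_CERT --text | python check_psc_cert.py`, file name assumed) and before the second PSC is touched, so a wrong SAN is caught while the first node can still be reverted with option 7. Before the import itself, `openssl verify -CAfile cachain.crt psc-ha-vip-chain.crt` is the quick way to confirm the chain file actually validates against the CA bundle you are about to hand to certificate-manager.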
After performing the same operations on the second PSC, we do the final setup to enable HA by running 2 scripts (the first must be run on both PSCs, the second on only one of them)
1st script (updateSSOConfig.py)
root@psc-s1-01 [ ~ ]# cd /usr/lib/vmware-sso/bin
root@psc-s1-01 [ /usr/lib/vmware-sso/bin ]# python updateSSOConfig.py --lb-fqdn=lb-psc-s1-01.nvlabs.local
script version:1.0.0
executing vmafd-cli command
Modifying hostname.txt
modifying server.xml
Executing StopService --all
Executing StartService --all
root@psc-s1-02 [ ~ ]# cd /usr/lib/vmware-sso/bin
root@psc-s1-02 [ /usr/lib/vmware-sso/bin ]# python updateSSOConfig.py --lb-fqdn=lb-psc-s1-01.nvlabs.local
script version:1.0.0
executing vmafd-cli command
Modifying hostname.txt
modifying server.xml
Executing StopService --all
Executing StartService --all
2nd script (UpdateLsEndpoint.py)
root@psc-s1-02 [ /usr/lib/vmware-sso/bin ]# python UpdateLsEndpoint.py --lb-fqdn=lb-psc-s1-01.nvlabs.local --user=administrator@vsphere.local --password='VMware123!'
Dual Site HA PSC – Intro
Installing Load Balancer Site 1 and Site 2 – Part 1a
Installing Load Balancer Site 1 and Site 2 – Part 1b
Installing psc-s1-01 and psc-s1-02 – Part 2
Creating certificates for Site 1 and Site 2 – Part 3
Installing the new PSC certificates, Site 1 – Part 4
Installing psc-s2-01 and psc-s2-02 – Part 5
Installing vCenter Site 1 and 2 and binding to the PSC VIP of Site 1 and 2 – Part 6
Configuring the PSCs in Ring topology between the 2 sites – Part 7