07: Install VCSA

Create DNS Records for the ESXi Hosts and VCSA

foreach ($h in 1..4) { Add-DnsServerResourceRecordA -Name "ESXi0$h" -ZoneName "mylab.local" -IPv4Address "10.0.1.$h" -CreatePtr -ComputerName dc01 }
Add-DnsServerResourceRecordA -Name "VCSA01" -ZoneName "mylab.local" -IPv4Address "10.0.1.7" -CreatePtr -ComputerName dc01

Mount VMware-VCSA-all-6.0.0-2800571.iso on the admin workstation.

Create an admin template based upon the embedded template but add in the network parameters (see http://www.vmware.com/files/pdf/products/vsphere/VMware-vsphere-60-vcenter-server-appliance-cmdline-install.pdf)

{
    "__comments":
    [
        "My Lab VCSA Template"
    ],

    "deployment":
    {
        "esx.hostname":"esxi02",
        "esx.datastore":"VMFS01",
        "esx.username":"root",
        "esx.password":"<esx password>",
        "deployment.option":"tiny",
        "deployment.network":"VM Network",
        "appliance.name":"VCSA01",
        "appliance.thin.disk.mode":true
    },

    "vcsa":
    {

        "system":
        {
            "root.password":"<vcsa password root>",
            "ssh.enable":true
        },

        "sso":
        {
            "password":"<sso password>",
            "domain-name":"vsphere.local",
            "site-name":"Default-First-Site"
        },

        "networking":
        {
            "ip.family":"ipv4",
            "mode":"static",
            "ip":"10.0.1.7",
            "prefix":"16",
            "gateway":"10.0.0.1",
            "dns.servers":"10.0.1.5",
            "system.name":"vcsa01.mylab.local"
        }
    }
}

Deploy the VCSA as follows

PS E:\vcsa-cli-installer\win32> .\vcsa-deploy.exe C:\Users\Administrator\Desktop\embedded.example.json

Start vCSA command line installer to deploy vCSA "VCSA01", an embedded node.

Please see c:\users\admini~1\appdata\local\temp\vcsa-cli-installer-lins1d.log for logging information.

Run installer with "-v" or "--verbose" to log detailed information.

The SSO password meets the installation requirements.
Opening vCSA image: E:\vcsa\vmware-vcsa

Accept SSL fingerprint (00:11:9F:C9:F9:80:E0:45:D0:CF:8E:D6:B4:FF:3B:F8:47:CA:A0:64) for host 10.0.1.2 as target type.

Fingerprint will be added to the known host file

Write 'yes' or 'no'
yes

Opening VI target: vi://root@10.0.1.2:443/

Deploying to VI: vi://root@10.0.1.2:443/


Progress: 99%
Transfer Completed

Powering on VM: VCSA01


Progress: 48%
Power On Completed

Installing services...
Progress: 5%. Setting up storage
Progress: 55%. Installed VMware-unixODBC-2.3.1.vmw.2-6.0.0.x86_64.rpm
Progress: 56%. Installed oracle-instantclient11.2-odbc-11.2.0.2.0.x86_64.rpm
Progress: 62%. Installed vmware-identity-sts-6.0.0.5762-2776517.noarch.rpm
Progress: 66%. Installed VMware-syslog-1.0.0-2776509.x86_64.rpm
Progress: 75%. Installed VMware-Postgres-plpython-9.3.5.2-2444648.x86_64.rpm
Progress: 78%. Installed VMware-mbcs-6.0.0-2776509.x86_64.rpm
Progress: 79%. Installed VMware-vpxd-6.0.0-2776510.x86_64.rpm
Progress: 82%. Installed VMware-vpxd-vctop-6.0.0-2776510.x86_64.rpm
Progress: 83%. Installed VMware-cloudvm-vimtop-6.0.0-2776510.x86_64.rpm
Progress: 86%. Installed VMware-sps-6.0.0-2776510.x86_64.rpm
Progress: 88%. Installed vmware-vsm-6.0.0-2776510.x86_64.rpm
Progress: 89%. Installed vsphere-client-6.0.0-2793775.noarch.rpm
Service installations succeeded.

Configuring services for first time use...
Progress: 0%
Progress: 3%. Starting VMware Authentication Framework...
Progress: 11%. Starting VMware Identity Management Service...
Progress: 18%. Starting VMware Component Manager...
Progress: 22%. Starting VMware License Service...
Progress: 25%. Starting VMware Service Control Agent...
Progress: 29%. Starting VMware vAPI Endpoint...
Progress: 33%. Starting VMware System and Hardware Health Manager...
Progress: 37%. Starting VMware Appliance Management Service...
Progress: 44%. Starting VMware Common Logging Service...
Progress: 51%. Starting dbconfig...
Progress: 55%. Starting VMware Inventory Service...
Progress: 59%. Starting VMware Message Bus Configuration Service...
Progress: 64%. Starting VMware vSphere Web Client...
Progress: 65%. Starting VMware vSphere Web Client...
Progress: 66%. Starting VMware vSphere Web Client...
Progress: 70%. Starting VMware ESX Agent Manager...
Progress: 74%. Starting VMware vSphere Auto Deploy Waiter...
Progress: 77%. Starting VMware vSphere Profile-Driven Storage Service...
Progress: 81%. Starting VMware Content Library Service...
Progress: 85%. Starting VMware vCenter Workflow Manager...
Progress: 88%. Starting VMware vService Manager...
Progress: 92%. Starting VMware Performance Charts...
Progress: 100%. Starting vsphere-client-postinstall...
First time configuration succeeded.


vCSA installer finished deploying "VCSA01", an embedded node:
    System Name: vcsa01.mylab.local
    Login as: Administrator@vsphere.local

 

 

Open a PuTTY session to the VCSA host and log in

login as: root

VMware vCenter Server Appliance 6.0.0

Type: vCenter Server with an embedded Platform Services Controller

root@vcsa01's password:
Last login: Fri Aug 14 13:14:50 2015 from 10.0.254.0
Connected to service

    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Enable BASH access: "shell.set --enabled True"
    * Launch BASH: "shell"

Command> shell.set --enabled True
Command> shell
    ---------- !!!! WARNING WARNING WARNING !!!! ----------

Your use of "pi shell" has been logged!

The "pi shell" is intended for advanced troubleshooting operations and while
supported in this release, is a deprecated interface, and may be removed in a
future version of the product.  For alternative commands, exit the "pi shell"
and run the "help" command.

The "pi shell" command launches a root bash shell.  Commands within the shell
are not audited, and improper use of this command can severely harm the
system.

Help us improve the product!  If your scenario requires "pi shell," please
submit a Service Request, or post your scenario to the
communities.vmware.com/community/vmtn/server/vcenter/cloudvm forum.

vcsa01:~ # mkdir /tmp/ssl
vcsa01:~ # /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2

Please provide valid SSO password to perform certificate operations.
Password:
         1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate

         2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate

Option [1 or 2]: 1

Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /tmp/ssl
2015-08-14T13:17:19.294Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/tmp/ssl/root_signing_cert.key', '--pubkey', '/tmp/pubkey.pub']
2015-08-14T13:17:19.568Z   Done running command
2015-08-14T13:17:19.569Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/tmp/ssl/root_signing_cert.key', '--cert', '/var/lib/vmware/vmca/root.cer', '--csrfile', '/tmp/ssl/root_signing_cert.csr']
2015-08-14T13:17:19.626Z   Done running command

CSR generated at: /tmp/ssl/root_signing_cert.csr
         1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate

         2. Exit certificate-manager

Option [1 or 2]: 2
vcsa01:~ # ls -l /tmp/ssl/
total 8
-rw------- 1 root root 1070 Aug 14 13:17 root_signing_cert.csr
-rw------- 1 root root 1703 Aug 14 13:17 root_signing_cert.key
vcsa01:~ # cat /tmp/ssl/root_signing_cert.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Copy the text of the certificate request above into a text file and save it on your desktop as vcsa.req

Submit the request to the Domain CA as follows

certreq -attrib "CertificateTemplate:vSphere6.0VMCA" -submit vcsa.req

Export the mylab-DC01-CA in Base-64 encoded X.509 (.CER) format into a file called ca.cer and save it on the Desktop as well

In the VCSA session run this command

vcsa01:~ # cat > /tmp/ssl/root_signing_chain.cer

Open both certificate files in Notepad and paste them in order to the host – first the VCSA.CER and then CA.CER

The session should now look like this

vcsa01:~ # cat > /tmp/ssl/root_signing_chain.cer
-----BEGIN CERTIFICATE-----
(Base-64 body of VCSA.CER)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base-64 body of CA.CER)
-----END CERTIFICATE-----

Open Certificate Manager again

vcsa01:~ # /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2

Please provide valid SSO password to perform certificate operations.
Password:
         1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate

         2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate

Option [1 or 2]: 2

Please provide valid custom certificate for Root.
File : /tmp/ssl/root_signing_chain.cer

Please provide valid custom key for Root.
File : /tmp/ssl/root_signing_cert.key

You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : y
Status : 35% Completed [Replaced Root Cert...]
Please configure certool.cfg file with proper values before proceeding to next step.

Press Enter key to skip optional parameters or use Default value.

Enter proper value for 'Country' [Default value : US] : GB

Enter proper value for 'Name' [Default value : Acme] : My Lab

Enter proper value for 'Organization' [Default value : AcmeOrg] : My Lab

Enter proper value for 'OrgUnit' [Default value : AcmeOrg Engineering] : My Lab

Enter proper value for 'State' [Default value : California] : Kent

Enter proper value for 'Locality' [Default value : Palo Alto] : South East

Enter proper value for 'IPAddress' [optional] :

Enter proper value for 'Email' [Default value : email@acme.com] : mark.elvers@mylab.local

Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcsa01.mylab.local
Status : 100% Completed [All tasks completed successfully]

Open https://vcsa01.mylab.local in Internet Explorer.  To make it work in Firefox go to Options, Advanced, Certificates, View Certificates, then import CA.CER


Before closing the SSH connection to VCSA add it to the Windows AD domain with

/opt/likewise/bin/domainjoin-cli join 'mylab.local' 'administrator' '***'

Open a new PowerCLI session and connect to VCSA only

Connect-VIServer -Server vcsa01.mylab.local -User "administrator@vsphere.local" -Password "***"

Create a new data centre

New-Datacenter -Name "Site1" -Location "DataCenters"

Create two clusters – one for servers and one for VDI

New-Cluster -Location "Site1" -Name "Servers" -DrsEnabled -DrsAutomationLevel FullyAutomated -HAEnabled -HAFailoverLevel 1
New-Cluster -Location "Site1" -Name "VDI" -DrsEnabled -DrsAutomationLevel FullyAutomated -HAEnabled -HAFailoverLevel 1

Unfortunately the VCSA requires the certificate's validity start date to be at least 24 hours in the past; otherwise the add hosts command fails with “A general system error occurred: Unable to get signed certificate for host: esxi01.mylab.local. Error: Start Time Error (70034).”
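
A check that can be run in the VCSA shell against /tmp/ssl/root_signing_chain.cer and root_signing_cert.key before the import step, and again before adding hosts. It is an added example, not part of the original post. It confirms the bundle order, that the first certificate matches the private key and is a CA certificate signed by the second, and whether that certificate was already valid 24 hours earlier. The function names and the constructed demo chain are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Chain layout assumed from the page:
# signed VMCA certificate first, issuing CA second.

split_chain() {  # split_chain BUNDLE DIR -> DIR/cert1.pem, DIR/cert2.pem, ...
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert" n ".pem") }' "$1"
}

key_matches_cert() {  # true when cert $1 and RSA key $2 share one modulus
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

verifies_at() {  # true when cert $2 chains to CA $1 at Unix time $3 (needs -attime)
    out=$(openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1) || return 1
    ! printf '%s\n' "$out" | grep -q 'error [0-9]'
}

# check_vmca_chain BUNDLE KEY [NOW]: 0 = ready, 1 = do not import,
# 3 = importable but younger than 24 hours at time NOW (default: current time).
check_vmca_chain() {
    now=${3:-$(date +%s)}
    tmp=$(mktemp -d) || return 2
    split_chain "$1" "$tmp"
    rc=0
    if [ ! -f "$tmp/cert2.pem" ]; then
        echo "expected two certificates in the bundle"; rc=1
    elif ! key_matches_cert "$tmp/cert1.pem" "$2"; then
        echo "first certificate does not match the private key"; rc=1
    elif ! openssl x509 -in "$tmp/cert1.pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "first certificate is not a CA certificate"; rc=1
    elif ! verifies_at "$tmp/cert2.pem" "$tmp/cert1.pem" "$now"; then
        echo "first certificate does not verify against the second"; rc=1
    elif ! verifies_at "$tmp/cert2.pem" "$tmp/cert1.pem" $((now - 86400)); then
        echo "certificate was not yet valid 24 hours ago"; rc=3
    fi
    rm -rf "$tmp"
    return $rc
}

# Constructed throwaway root CA and subordinate, standing in for CA.CER and VCSA.CER.
make_demo_chain() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/o.cnf" &&
    openssl req -x509 -config "$1/o.cnf" -extensions v3ca -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed-root" -keyout "$1/ca.key" -out "$1/ca.cer" 2>/dev/null &&
    openssl req -config "$1/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=constructed-vmca" \
        -keyout "$1/vmca.key" -out "$1/vmca.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/vmca.csr" -CA "$1/ca.cer" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/o.cnf" -extensions v3ca -days 30 -out "$1/vmca.cer" 2>/dev/null &&
    cat "$1/vmca.cer" "$1/ca.cer" > "$1/chain.cer"
}

# Demo: the constructed chain was issued just now, so the 24-hour check reports status 3.
demo=$(mktemp -d) && make_demo_chain "$demo"
check_vmca_chain "$demo/chain.cer" "$demo/vmca.key" || echo "exit status $?"
```

On the appliance the call would be `check_vmca_chain /tmp/ssl/root_signing_chain.cer /tmp/ssl/root_signing_cert.key`; a status of 3 means waiting is still required before the hosts are added.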

Wait 24 hours then…

Add-VMHost esxi01.mylab.local -Location Servers -User root -Password ***
Add-VMHost esxi02.mylab.local -Location Servers -User root -Password ***
Add-VMHost esxi03.mylab.local -Location VDI -User root -Password ***
Add-VMHost esxi04.mylab.local -Location VDI -User root -Password ***

Now rather than using PowerCLI to connect to each VM host we will connect to VCSA instead

Connect-VIServer vcsa01.mylab.local