
Recovering from an Expired SSL Certificate in VMware vCenter Server 5.5

2017-01-01 17:13
Because VMware does not use the VMware SSL Certificate Automation Tool for the vCenter Server, vSphere Web Client and Log Browser services, you must manually create a rui.pfx file for each of these services before continuing.

1. Open an elevated command prompt as an administrator.
2. Change directory to the location of the OpenSSL binaries. VMware uses the OpenSSL binaries installed in the Inventory Service installation directory.
cd "C:\Program Files\VMware\Infrastructure\Inventory Service\bin"

3. Create the PFX file by running the OpenSSL command:
openssl pkcs12 -export -in C:\Certs\<Service>\chain.pem -inkey C:\Certs\<Service>\rui.key -name "rui" -passout pass:testpassword -out C:\Certs\<Service>\rui.pfx
Note: Repeat the above command to create the rui.pfx file for each of the vCenter Server, vSphere Web Client and Log Browser services.

4. Set the JAVA and PATH environment variables by running the following two commands:
SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin

5. Launch the vCenter SSL Automation Tool (the ssl-updater.bat file) and run the following tasks:
a. Update the Single Sign-On SSL certificate
b. Update the Inventory Service trust to Single Sign-On
c. Update the Inventory Service SSL certificate
d. Update the vCenter Server trust to Single Sign-On
Note: Do not close the SSL Automation Tool at this point; you will return to it later.

6. Place the new vCenter Server service certificate in C:\ProgramData\VMware\VMware VirtualCenter\SSL\:
mkdir "C:\ProgramData\VMware\VMware VirtualCenter\SSL\old"
move "C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui*" "C:\ProgramData\VMware\VMware VirtualCenter\SSL\old"
copy C:\Certs\vCenterServer\rui.* "C:\ProgramData\VMware\VMware VirtualCenter\SSL\"

7. Reset the vCenter Server service database password by running the following commands:
cd "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\"
vpxd.exe -p
Note: When prompted, enter the password of the account that vCenter Server uses to communicate with the vCenter Server database.

8. List the services registered with Single Sign-On by running the following command:
ssolscli listServices https://vc55.domain.com:7444/lookupservice/sdk
Service 6
-----------
serviceId={715F8796-C93B-4F8D-ABD0-7B4EE6CDA9B3}:26
serviceName=vCenterService
type=urn:vc
endpoints={}
version=5.1
description=vCenter Server
ownerId=vCenterServer_XXXX.XX.XX_XXXXXX@System-Domain
productId=<null>
viSite={715F8796-C93B-4F8D-ABD0-7B4EE6CDA9B3}

9. Check and record the ownerId of the vCenter Server service:
vCenterServer_XXXX.XX.XX_XXXXXX
Note: Do not include ownerId= or @vsphere.local.

10. Unregister the vCenter Server serviceId from Single Sign-On by running the following command:
ssolscli unregisterService -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -si "C:\ProgramData\VMware\VMware VirtualCenter\LS_ServiceID.prop"

11. Unregister the vCenter Server SolutionUser from Single Sign-On by running the following command:
ssolscli unregisterSolution -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -su vCenterServer_XXXXXXXX

12. Re-register vCenter Server with Single Sign-On by running the following commands:
Unzip sso_svccfg.zip located at "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\"
cd "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg"
repoint.cmd configure-vc --lookup-server https://vc55.domain.com:7444/lookupservice/sdk --user administrator@vsphere.local --password VMware123$ --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"
Note: The command completes but reports that the VMware VirtualCenter Server service may fail to restart. This is expected. Continue with the next step.

13. The repoint.cmd command leaves the certificate and privateKey fields in the vpxd.cfg file empty. Repopulate the vpxd.cfg file with the correct paths.
copy "C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg" "C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg.backup"
notepad "C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg"
Find the <certificate> and <privateKey> tags, as below:
<solutionUser>
<certificate>null</certificate>
<name>vCenterServer_XXXX.XX.XX_XXXXXX</name>
<privateKey>null</privateKey>
</solutionUser>
Replace "null" with the correct paths to the vCenter Server rui.crt and rui.key:
<solutionUser>
<certificate>C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.crt</certificate>
<name>vCenterServer_XXXX.XX.XX_XXXXXX</name>
<privateKey>C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.key</privateKey>
</solutionUser>
Note: If the above tags do not exist, add them.
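As an added example (not part of the original post), a small Python helper that performs the vpxd.cfg edit from step 13 programmatically, including the case the note describes where the tags are missing: it fills certificate and privateKey only where they are absent, empty or the literal null, leaves an existing real path alone, and can check the solutionUser name against the ownerId recorded in step 9. The root element name and the sample fragments are constructed assumptions, not copies of a real vpxd.cfg.

```python
import xml.etree.ElementTree as ET

# Paths from step 13 of the procedure.
CERT_PATH = r"C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.crt"
KEY_PATH = r"C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.key"

# Constructed minimal fragment in the state repoint.cmd leaves the file;
# a real vpxd.cfg has many more elements and its root name is assumed here.
AFTER_REPOINT = """<config>
  <solutionUser>
    <certificate>null</certificate>
    <name>vCenterServer_XXXX.XX.XX_XXXXXX</name>
    <privateKey>null</privateKey>
  </solutionUser>
</config>"""

# Constructed variant for the note "if the tags do not exist, add them".
TAGS_MISSING = ("<config><solutionUser><name>vCenterServer_XXXX.XX.XX_XXXXXX"
                "</name></solutionUser></config>")


def fill_solution_user(xml_text, cert_path=CERT_PATH, key_path=KEY_PATH,
                       expected_name=None):
    """Return the config text with <certificate>/<privateKey> populated.

    Only values that are absent, empty or the literal 'null' are replaced.
    If expected_name (the ownerId recorded in step 9) is given, a
    mismatching <name> raises ValueError instead of silently editing.
    """
    root = ET.fromstring(xml_text)
    su = root.find(".//solutionUser")
    if su is None:  # the whole block is missing: add it under the root
        su = ET.SubElement(root, "solutionUser")
    name = su.findtext("name")
    if expected_name is not None and name != expected_name:
        raise ValueError(f"solutionUser name {name!r} != {expected_name!r}")
    for tag, value in (("certificate", cert_path), ("privateKey", key_path)):
        el = su.find(tag)
        if el is None:
            el = ET.SubElement(su, tag)
        if el.text is None or el.text.strip() in ("", "null"):
            el.text = value
    return ET.tostring(root, encoding="unicode")


def solution_user_paths(xml_text):
    """Read back (certificate, privateKey); None if there is no <solutionUser>."""
    su = ET.fromstring(xml_text).find(".//solutionUser")
    if su is None:
        return None
    return su.findtext("certificate"), su.findtext("privateKey")
```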

14. Start the VMware VirtualCenter Server service by running the following command:
net start vpxd

15. Return to the vCenter SSL Automation Tool (the ssl-updater.bat file) and run the following tasks:
a. Update the vCenter Server trust to Inventory Service
b. Update the Inventory Service trust to vCenter Server
c. Update the vCenter Orchestrator trust to Single Sign-On
d. Update the vCenter Orchestrator trust to vCenter Server
e. Update the vCenter Orchestrator SSL certificate
Note: The Orchestrator tasks are optional, depending on whether that component is in use.

16. List the services registered with Single Sign-On by running the following command:
ssolscli listServices https://vc55.domain.com:7444/lookupservice/sdk
Identify the services for both Log Browser and vSphere Web Client:
Service 5
-----------
serviceId= Default-First-Site:f0c6df23-47bb-47de-ab4f-2e3de4f65bcf
serviceName=VMware Log Browser
type=urn:logbrowser:logbrowser
endpoints={[url=https://vc55.domain.com:12443/vmwb/logbrowser,protocol=unknown],[url=https://vc55.domain.com:12443/authentication/authtoken,protocol=unknown]}
version=1.0.2175565
description=Enables browsing vSphere log files within the VMware Web Client
ownerId= WebClient_XXXX.XX.XX_XXXXXX
productId=
viSite=Default-First-Site
Service 6
-----------
serviceId= Default-First-Site:37a10eec-7d36-415a-9266-507b5dee824c
serviceName=VMware vSphere Web Client
type=urn:com.vmware.vsphere.client
endpoints={[url=https://vc55.domain.com:9443/vsphere-client,protocol=vmomi]}
version=5.5
description=VMware vSphere Web Client Service
ownerId= WebClient_XXXX.XX.XX_XXXXXX
productId=
viSite=Default-First-Site

17. Check and record the ownerId of the VMware vSphere Web Client service:
WebClient_XXXX.XX.XX_XXXXXX

18. Create the service_id files for Log Browser and vSphere Web Client by running the following commands:
echo Default-First-Site:f0c6df23-47bb-47de-ab4f-2e3de4f65bcf >> logbrowser_id
echo Default-First-Site:37a10eec-7d36-415a-9266-507b5dee824c >> webclient_id
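As an added example (not part of the original post), a Python parser for the ssolscli listServices output shown in steps 8 and 16 that extracts the values steps 9, 17 and 18 ask you to record by hand: the serviceId that goes into each service_id file, and the ownerId without its ownerId= prefix or @domain suffix. The sample output is constructed from the blocks above, placeholders included, and is not captured from a live system.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the listServices blocks shown in the
# procedure (placeholders kept); not captured from a live system.
SAMPLE_OUTPUT = """Service 5
-----------
serviceId= Default-First-Site:f0c6df23-47bb-47de-ab4f-2e3de4f65bcf
serviceName=VMware Log Browser
type=urn:logbrowser:logbrowser
endpoints={[url=https://vc55.domain.com:12443/vmwb/logbrowser,protocol=unknown]}
ownerId= WebClient_XXXX.XX.XX_XXXXXX
Service 6
-----------
serviceId={715F8796-C93B-4F8D-ABD0-7B4EE6CDA9B3}:26
serviceName=vCenterService
type=urn:vc
ownerId=vCenterServer_XXXX.XX.XX_XXXXXX@System-Domain
"""


def parse_list_services(text: str) -> List[Dict[str, str]]:
    """One dict of key/value fields per 'Service N' block."""
    services: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"Service \d+", line):
            services.append({})
        elif not line or set(line) == {"-"} or not services:
            continue  # blank line, separator, or text before the first block
        elif "=" in line:
            # Split on the first '=' only: endpoint values contain '=' too.
            key, value = line.split("=", 1)
            services[-1][key.strip()] = value.strip()
    return services


def owner_name(owner_field: str) -> str:
    """Steps 9/17: the bare name, without 'ownerId=' or '@domain'."""
    value = owner_field.strip()
    if value.startswith("ownerId="):
        value = value[len("ownerId="):]
    return value.split("@", 1)[0].strip()


def service_ids_by_name(services: List[Dict[str, str]]) -> Dict[str, str]:
    """Step 18: serviceName -> serviceId, the value written to each id file."""
    return {s["serviceName"]: s["serviceId"]
            for s in services if "serviceName" in s and "serviceId" in s}
```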

19. Unregister the Log Browser serviceId from Single Sign-On by running the following command:
ssolscli unregisterService -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -si logbrowser_id

20. Unregister the vSphere Web Client serviceId from Single Sign-On by running the following command:
ssolscli unregisterService -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -si webclient_id

21. Unregister the vSphere Web Client SolutionUser from Single Sign-On by running the following command:
ssolscli unregisterSolution -d https://vc55.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p VMware123$ -su WebClient_XXXX.XX.XX_XXXXXX
Note: The Web Client and Log Browser services share a single solution user.

22. Copy the new Log Browser and vSphere Web Client certificates to their respective locations:
mkdir "C:\ProgramData\VMware\vSphere Web Client\ssl\old"
move "C:\ProgramData\VMware\vSphere Web Client\ssl\rui*" "C:\ProgramData\VMware\vSphere Web Client\ssl\old"
copy "C:\Certs\vCenterWebClient\rui*" "C:\ProgramData\VMware\vSphere Web Client\ssl\"
mkdir "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\old"
move "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\rui*" "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\old"
copy "C:\Certs\vCenterLogBrowser\rui*" "C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\"

23. Re-register Log Browser and vSphere Web Client with Single Sign-On:
cd C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts
client-repoint.bat https://vc55.domain.com:7444/lookupservice/sdk "administrator@vsphere.local" "VMware123$"

24. Open a web browser, go to the following URLs, and verify the certificate each one presents:
Single Sign-On: https://vc55.domain.com:7444/lookupservice/sdk
Inventory Service: https://vc55.domain.com:10443
vCenter Server: https://vc55.domain.com:443
vRealize Orchestrator: https://vc55.domain.com:8281/

References:
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2139409

http://wenku.baidu.com/link?url=y0q8Xqqbt3aphhdWsYYBK_mqr1r1RRIQjORQNjoTrwUB655vxGKq8f7hjbQ05WL74nyMmteRsBA1K_f8uj5gM6kXV2eEFC3gQ8Npgdcs_Ha