LAB-27 TASKS (Part 1)
In this lab we perform the following tasks:
- Preparing the vCloud Director Cell-1 Server
- Install vCloud Director on Cell-1
- Configure the Transfer Location
- Signed SSL Certificate Installation for vCloud Director (Cell-1) Server
1-Preparing the vCloud Director Cell-1 Server.
Use SCP to move the downloaded vCloud Director .bin file onto the cloud-cell1 server.
Log in to the cloud-cell1 server shell using SSH or the console. I have placed the “vmware-cloud-director-5.5.0-1323688.bin” file in the /root directory.
Go to the root home directory and verify.
# cd /root
Make the .bin file executable so we can start the installation.
Install RPMs for vCloud
The following packages are required by vCloud Director before the installation can start.
#yum install alsa-lib bash chkconfig coreutils findutils glibc grep initscripts krb5-libs libgcc libICE libSM libstdc++ libX11 libXau libXdmcp libXext libXi libXt libXtst module-init-tools net-tools pciutils procps redhat-lsb sed tar which
*NOTE: I have yum configured. If you have not, make sure these packages are available before starting the VMware vCloud installation script*
Test SQL Connection
Before installing, check the connection to the SQL server and make sure the firewall is not blocking its port.
#telnet cloud-sql.vmlab.com 1433
*NOTE: 1433 is the SQL Server port. Also make sure the telnet utility is installed before running the command*
By default, when you copy the vCloud Director .bin file to the cloud machine, it is not executable. Make it executable with the command below so that you can run (execute) the script.
#chmod +x vmware-cloud-director-5.5.0-1323688.bin
Verify. The green color shows that it is now executable. Let’s start the installation.
2-Install vCloud Director on Cell-1
Run the VMware vCloud director script to start installation.
Once the installer has completed, you will be prompted to run the configuration script. Choose “N”; there are further steps you need to complete before proceeding to configuration.
3-Configure the Transfer Location
If you plan on having more than one vCloud Director Cell server for resilience or performance reasons, then you’ll need a shared area of storage presented via NFS or some other form of shared storage that is accessible from all of the cell servers with the root account having write permissions.
The transfer location is used to store virtual machines and media that are being uploaded to the vCloud UI. It only stores transient data and so doesn’t necessarily need to be backed up. But you should size it to be able to cope with the largest number of concurrent upload activities you plan for your environment.
In high-traffic environments or those with a policy that requires any IP storage to be isolated to a separate network, you may need a separate NIC for your cell server to carry such traffic to and from your shared storage. All cell servers need to mount the transfer location specified in an environment variable to be recognized by vCloud Director:
To configure the transfer location you need an NFS volume to mount. I have already created an NFS share for the cloud transfer location.
To mount the NFS share on cloud-cell1 you need to install the following packages. Go to the shell or console and run the command below.
#yum install nfs-utils rpcbind
Start the rpcbind service
#service rpcbind start
Make the “rpcbind” service start automatically at boot time.
#chkconfig --level 35 rpcbind on
Now check the NFS mount points that exist on our cloud-vsan.
#showmount -e cloud-vsan.vmlab.com
It will show you all the mount points available on this (cloud-vsan) server.
You need to mount the transfer storage using the following command
#mount vcloud-vsan.vmlab.com:/mnt/vg_cloud-transfer1/lv_cloud_transfer1/nfs_cloud_transfer1 /opt/vmware/vcloud-director/data/transfer/
First, we make sure that “vcloud” user and group have rights to the transfer location:
#chown -R vcloud:vcloud /opt/vmware/vcloud-director/data/transfer/
Go to the /opt/vmware/vcloud-director/data/transfer/ mount point, create a file and then remove it. This verifies that your directory has the correct (read/write) permissions.
If it mounts correctly, then you should make this a persistent mount on every reboot. You do this by editing “/etc/fstab”.
Add the following line:
vcloud-vsan.vmlab.com:/mnt/vg_cloud-transfer1/lv_cloud_transfer1/nfs_cloud_transfer1 /opt/vmware/vcloud-director/data/transfer/ nfs rw 0 0
To test the fstab setting, first un-mount the /opt/vmware/vcloud-director/data/transfer/ mount point
The command below reads the “fstab” configuration and mounts accordingly.
To verify use
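The persistence check described above can also be scripted. The following is an added example, not part of the original lab: `check_transfer_mount` (a hypothetical name, as are its exit codes) reads an fstab file and a mount table such as /proc/mounts and confirms that the transfer directory is declared as a read-write NFS mount and is currently mounted from the same export. It tolerates the trailing slash used in the fstab line above, which the kernel's mount table drops.

```shell
#!/bin/sh
# Added example: confirm the vCloud Director transfer location is declared in
# fstab as a read-write NFS mount and is really mounted from that export.
# The function name and exit codes are this example's own, not VMware's.
# Usage on a cell: check_transfer_mount /etc/fstab /proc/mounts; echo $?

TRANSFER_DIR=/opt/vmware/vcloud-director/data/transfer

# check_transfer_mount FSTAB MOUNTS
# returns 0 ok, 1 no fstab entry, 2 not NFS, 3 not read-write,
#         4 not mounted, or mounted from a different export
check_transfer_mount() {
    fstab=$1 mounts=$2
    # Find the fstab line for the transfer directory; skip comments and
    # ignore a trailing "/" on the mount point.
    entry=$(awk -v dir="$TRANSFER_DIR" '
        /^[ \t]*#/ || NF < 4 { next }
        { mp = $2; if (mp != "/") sub(/\/+$/, "", mp) }
        mp == dir { print $1, $3, $4; exit }' "$fstab")
    [ -n "$entry" ] || return 1
    set -- $entry
    src=${1%/} fstype=$2 opts=$3
    case $fstype in nfs|nfs4) ;; *) return 2 ;; esac
    case ",$opts," in *,rw,*|*,defaults,*) ;; *) return 3 ;; esac
    # The live mount table may report the type as nfs4 and adds options.
    awk -v dir="$TRANSFER_DIR" -v src="$src" '
        $2 == dir && $3 ~ /^nfs4?$/ {
            s = $1; sub(/\/+$/, "", s)
            if (s == src) found = 1
        }
        END { exit (found ? 0 : 1) }' "$mounts" || return 4
    return 0
}
```

Exit code 4 after a reboot means the fstab entry exists but the share did not mount, which leaves uploads landing on the cell's local disk instead of the shared transfer storage.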
4-Signed SSL Certificate Installation for vCloud Director (Cell-1) Server
VMware vCloud requires one SSL certificate for each network interface on the host. Each server host in a VMware vCloud Director Cluster must have two IP addresses (one for the HTTP service and one for the console proxy service) and must be capable of establishing an SSL connection at each.
You must have Java installed in order to generate the certificates.
To confirm the version of Java, run the command:
# java -version
As you can see, I already have Java installed.
If you don’t have it, run the command below to install Java.
#yum install java-1.7.0-openjdk.x86_64
(The Java package version may vary between Linux releases.)
You need to run the Java binaries from the /opt/vmware/vcloud-director/jre/bin/ folder.
1-Using a SSL Certificate Signed by a Public or Internal Authority
Generating a Certificate Signing Request
Log in to the VM using the console or SSH.
Create a directory where you can store your certificates.
Switch into the directory
# cd Cell1Cert
The steps to generate the requests are as follows:
- Generate an untrusted certificate for the HTTP service:
# /opt/vmware/vcloud-director/jre/bin/keytool -keystore vCerts.ks -storetype JCEKS -storepass YourPassword -genkey -keyalg RSA -alias http
*NOTE: you must type this cmd manually rather than copy and paste to avoid any error*
For the first question (What is your first and last name?)
I used the name “vcloud.vmware.lab”, because I want to deploy my cloud cells in load-balanced and HA mode. This is my virtual IP FQDN for http.
- Create a certificate signing request (CSR) for this certificate:
#/opt/vmware/vcloud-director/jre/bin/keytool -keystore vCerts.ks -storetype JCEKS -storepass YourPassword -certreq -alias http -file cell1-http.csr
- Create an unsigned certificate for the console proxy service:
# /opt/vmware/vcloud-director/jre/bin/keytool -keystore vCerts.ks -storetype JCEKS -storepass YourPassword -genkey -keyalg RSA -alias consoleproxy
For the first question (What is your first and last name?)
I used the name “vcloud-vmrc.vmware.lab”, because I want to deploy my cloud cells in load-balanced and HA mode. This is my virtual IP FQDN for consoleproxy.
- Create a CSR for this certificate:
#/opt/vmware/vcloud-director/jre/bin/keytool -keystore vCerts.ks -storetype JCEKS -storepass YourPassword -certreq -alias consoleproxy -file cell1-consoleproxy.csr
Check the certificate files in the Cell1Cert directory.
You’ll now need to take these CSR contents to your public/Internal CA or corporate PKI service for them to sign and issue a valid certificate.
Now go to “Cloud-CA” server to get the certificate against the request we generated above.
For Microsoft CA’s (Generate Certificate http):
Log in to the Microsoft CA certificate authority web interface. By default, it is http://<servername>/CertSrv/
Click “Request a certificate”.
Click “advanced certificate request”.
Click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.
Open the certificate request (cell1-http.csr) file in a plain text editor.
Copy from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into the Saved Request box. Make sure no blank space exists at the start or end.
Click “VMWare Template” (which we created in CA Server installation section).
Click “Submit” to submit the request.
Click “Base 64 encoded” on the Certificate issued screen.
Click “Download” Certificate.
*NOTE: Save the certificate on the desktop or any other drive of the server as “cell1-http.crt”*
For Microsoft CA’s (Generate Certificate Consoleproxy):
Repeat the same steps to generate the certificate for cell-1-consoleproxy. This time use “cell1-consoleproxy.csr” file to generate request.
For Microsoft CA’s (Download the Root CA):
Click “Download a CA certificate, certificate chain, or CRL”.
Select “Base 64”. Click “Download CA certificate” to download the root CA.
Here is the final directory structure. Copy this folder back to the cloud-cell1 server.
Obtain a copy of the root certificate from your CA and import it into your certificate keystore; if you fail to do so, the cell won’t automatically trust your root CA and vCloud Director will issue warnings during installation.
Import the signed certificates as follows:
- Import the root certificate as follows
#/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass YourPassword -keystore vCerts.ks -import -alias root -file root.cer
- Import the signed certificate for the HTTP service as follows
#/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass YourPassword -keystore vCerts.ks -import -alias http -file cell1-http.crt
- Import the signed certificate for the console proxy service as follows
#/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass YourPassword -keystore vCerts.ks -import -alias consoleproxy -file cell1-consoleproxy.crt
- Check that the certificates have been correctly imported into your keystore as follows
#/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass YourPassword -keystore vCerts.ks -list
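What to look for in that listing: a signed reply imported under the alias of its key pair stays a PrivateKeyEntry, while one imported under a mistyped alias is stored as a separate trustedCertEntry and the key keeps its untrusted certificate. The following added example (not part of the original lab) checks saved `keytool -list` output for the three aliases used above; the function names `entry_type` and `check_cell_keystore` are hypothetical.

```shell
#!/bin/sh
# Added example: inspect saved `keytool -list` output for the aliases used in
# this lab (http, consoleproxy, root). Function names are this example's own.
# Usage: save the -list output to listing.txt, then
#        check_cell_keystore listing.txt

# entry_type ALIAS LISTING_FILE -> prints the entry type, or nothing if absent.
# Listing lines look like: "http, Mar 3, 2014, PrivateKeyEntry,"
entry_type() {
    awk -v a="$1" -F', ' '$1 == a {
        for (i = 2; i <= NF; i++)
            if ($i ~ /Entry/) { t = $i; sub(/,.*$/, "", t); print t; exit }
    }' "$2"
}

# check_cell_keystore LISTING_FILE
# returns 0 when http and consoleproxy are key entries and root is a trusted
# certificate; otherwise prints each problem and returns 1.
check_cell_keystore() {
    listing=$1 bad=0
    for a in http consoleproxy; do
        t=$(entry_type "$a" "$listing")
        if [ "$t" != PrivateKeyEntry ]; then
            echo "alias $a: expected PrivateKeyEntry, found ${t:-no entry}"
            bad=1
        fi
    done
    t=$(entry_type root "$listing")
    if [ "$t" != trustedCertEntry ]; then
        echo "alias root: expected trustedCertEntry, found ${t:-no entry}"
        bad=1
    fi
    return $bad
}
```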