VMware vSphere Integrated Containers Standup - Part 1
I recently got asked to stand up VMware vSphere Integrated Containers (VIC). I have to say it has been a great learning experience. This is the process I took to set up the whole system in my VMware environments.
In Part 1 I will go over how to properly create the Windows Certificate Authority template, generate the certificates needed to stand up the VIC Appliance (or what I like to call the VICA), deploy the VICA, and connect the VICA to your VCSA.
Why use certificates with containers? The Docker API endpoints that VIC exposes are secured with TLS, and client certificates are how a docker command is tied to an identity that is allowed to use that endpoint; without them, anyone who can reach the endpoint can pull, build and run containers. Issuing those certificates from your own CA, rather than accepting self-signed ones, is what gives you control over the build/deployment process.
Requirements
This document requires that you have a PKI in place using a Windows CA server on a Windows domain. It was written on a Windows 10 workstation and uses PowerShell/PowerCLI for most tasks. If you do not have a CA, either stand one up in your infrastructure first or do not follow this document. Docker for Windows only supports 64-bit Windows, so this document assumes you are using a 64-bit operating system and the 64-bit OpenSSL build.
Notes
Make sure to read all the documentation about spinning up the VIC and VCH VMs prior to starting this process. Documentation can be found here: https://vmware.github.io/vic-product/assets/files/html/1.5/
Download Files
Download the vSphere Integrated Containers Appliance (VICA): https://my.vmware.com/en/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_integrated_containers/1_5
OpenSSL (install on your Windows 10 workstation):
Notepad++ (install on your Windows 10 workstation):
Docker For Windows (Install on Windows 10 Workstation):
Step 1 - Create a Windows CA Template
Create and publish a Windows CA certificate template for use with VMware VIC. The screenshots below show what a typical template for this looks like. The special requirement for this template is that it must carry both Client Authentication and Server Authentication in its application policies (EKUs), because VIC uses the same template for certificates that act as TLS server certificates and as Docker client certificates. In most cases you should duplicate the built-in Web Server template (which already builds the subject name from the request, so the SAN in your CSR is honoured by the CA) and then modify it to look like the screenshots. Here is a good example site of how to copy a web template and deploy it in your infrastructure: https://www.mowasay.com/2017/06/pki-ca-manage-certificate-templates/
Note: Make sure your Windows AD user account has Read and Enroll rights on this template. Grant Enroll only to the accounts or group that will actually request these certificates: because the subject is supplied in the request, anyone who can enroll can obtain a certificate for any name, so do not give Enroll (and never Autoenroll) to broad groups such as Domain Users or Domain Computers.
Step 2 - Verify the Certificate Template in PowerShell
Now that your CA template has been published, verify that you can see it from PowerShell.
Open PowerShell on your workstation and run the below command to list the CA templates:
certutil -template | Select-String -Pattern TemplatePropCommonName
Verify that the template you published in Step 1 appears in the list.
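The certutil listing only proves the template exists. The following added example (my own check, not part of the original post or of VIC) reads the template object from the AD configuration partition and confirms the two properties this build depends on: both EKUs are present, and the subject is supplied in the request; it then lists who holds Enroll/Autoenroll so you can confirm least privilege. The template name VmwareWebServer is an assumption; it must be run from a domain-joined workstation.

```powershell
# Added example (not from the original post): verify the published CA template
# carries BOTH EKUs VIC needs, builds its subject from the request, and show
# who can enroll for it. $TemplateName is an assumption; use your own.
$TemplateName = "VmwareWebServer"

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication
$EnrollRight   = [guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # "Enroll" extended right
$AutoEnroll    = [guid]"a05b8cc2-17bc-4802-a710-e7c15ab866a2"   # "Autoenroll" extended right

# Templates live in the configuration partition, not in the domain partition
$ConfigNC  = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$Container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$Template  = $Container.Children | Where-Object { $_.Properties["cn"].Value -eq $TemplateName }
if (-not $Template) { throw "Template '$TemplateName' is not in AD. Create and publish it first (Step 1)." }

# v2+ templates carry application policies in msPKI-Certificate-Application-Policy,
# v1 templates in pKIExtendedKeyUsage; accept either.
$Ekus = @($Template.Properties["pKIExtendedKeyUsage"]) + @($Template.Properties["msPKI-Certificate-Application-Policy"])
$HasServer = $Ekus -contains $ServerAuthOid
$HasClient = $Ekus -contains $ClientAuthOid
Write-Host ("Server Authentication EKU present: {0}" -f $HasServer)
Write-Host ("Client Authentication EKU present: {0}" -f $HasClient)
if (-not ($HasServer -and $HasClient)) {
    Write-Warning "Template is missing an EKU; VIC needs both on one certificate."
}

# If the subject is NOT supplied in the request, the CA ignores the SAN in the CSR
# and the certificate will not match the appliance FQDN/IP.
# msPKI-Certificate-Name-Flag bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$NameFlag = [int]$Template.Properties["msPKI-Certificate-Name-Flag"].Value
Write-Host ("Subject supplied in request:       {0}" -f (($NameFlag -band 1) -eq 1))

# Least privilege: only the requesting account/group should hold Enroll, and a
# "supply in request" template should never be autoenrolled. (ACEs granting
# GenericAll/FullControl also imply Enroll and are not listed here.)
Write-Host "Enrollment rights on the template:"
$Template.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq "Allow" -and
                   ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq $AutoEnroll) } |
    ForEach-Object {
        $Right = if ($_.ObjectType -eq $EnrollRight) { "Enroll" } else { "Autoenroll" }
        Write-Host ("  {0,-11} {1}" -f $Right, $_.IdentityReference)
    }
```

If "Subject supplied in request" prints False, fix it on the template (Subject Name tab); do not work around it by enabling the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which lets any enrollee on any template request any SAN.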
Step 3 - Gather the internal Certificate Authority Certificates that are stored on your workstation
Option A: Automated using PowerShell
Note: Must be run from an elevated (Administrator) PowerShell session.
Open PowerShell and run the below command:
certutil -config - -ping
The output names each CA in your environment and reports whether its request interface is alive.
Document the names of all the CA servers in your environment. If you have more than one CA server, ask your Domain Admins what the PKI hierarchy is for your company. This will ensure you build the proper CA certificate files used later in the build process.
Run the below script to export the CA certificates from your PC for later use. You can also download this script from my GitHub here: https://github.com/butch7903/VMware_vSphere_Integrated_Containers/blob/master/Generate%20Root%20and%20Intermediate%20Certificates.ps1
#Customizable Variables
$Domain = "hamker" #Note: Example domain hamker.local is represented as hamker. DO NOT use the FQDN of your domain. If you wish to target only a subdomain, use the subdomain in this variable
$OpenSSLLocation = "C:\Program Files\OpenSSL-Win64\bin" #x64 Version

#Standard Variables
$DATE = Get-Date #Today's date. Used to verify a CA certificate is still valid
$RootCerts  = Get-ChildItem -Path Cert:\LocalMachine\Root | Sort-Object Subject | Where-Object {$_.Subject -match $Domain -and $_.NotAfter -gt $DATE}
$InterCerts = Get-ChildItem -Path Cert:\LocalMachine\CA   | Sort-Object Subject | Where-Object {$_.Subject -match $Domain -and $_.NotAfter -gt $DATE}

###Test if OpenSSL is installed
##Specify OpenSSL version. If you have a 64-bit OS, use the x64 version. If you have a 32-bit OS, use the x86 version
#$OPENSSL = Get-Item "C:\Program Files (x86)\OpenSSL-Win32\bin\OpenSSL.exe" -ErrorAction SilentlyContinue ##x86 version
$OPENSSL = Get-Item "C:\Program Files\OpenSSL-Win64\bin\OpenSSL.exe" -ErrorAction SilentlyContinue ##x64 version
IF(!$OPENSSL) {
    Write-Warning "OpenSSL is not installed"
    Write-Warning "Please download and install OpenSSL"
    Write-Warning "Download similar to version Win64 OpenSSL v1.1.1b Light"
    Write-Warning "https://slproweb.com/products/Win32OpenSSL.html"
    Write-Warning "Example download would be https://slproweb.com/download/Win64OpenSSL_Light-1_1_1b.msi"
    Write-Host "Press any key to continue..."
    [void][System.Console]::ReadKey($true)
    #Start-Sleep
    #EXIT
}else{
    Write-Host "Verified: OpenSSL has been properly installed" -ForegroundColor Green
}

###Verify that OpenSSL is installed
IF($OPENSSL) {
    #Make folders to store certs in
    New-Item -Path C:\certs -Type Directory -ErrorAction SilentlyContinue
    New-Item -Path C:\certs\CAs -Type Directory -ErrorAction SilentlyContinue
    New-Item -Path C:\certs\CAs\Root -Type Directory -ErrorAction SilentlyContinue
    New-Item -Path C:\certs\CAs\Intermediate -Type Directory -ErrorAction SilentlyContinue
    New-Item -Path C:\certs\CAs\Combined -Type Directory -ErrorAction SilentlyContinue

    ##Save Root certs to Root folder (DER format)
    ForEach($Cert in $RootCerts) {
        $CertPath = "cert:\LocalMachine\Root\" + $Cert.Thumbprint
        $CertDNSName = $Cert.DNSNameList.Unicode
        $CertFilePath = "c:\certs\CAs\Root\$CertDNSName-DER.cer"
        Export-Certificate -Cert $CertPath -FilePath $CertFilePath -Type CERT
    }
    $Cert = $null
    ##Save Intermediate certs to Intermediate folder (DER format)
    ForEach($Cert in $InterCerts) {
        $CertPath = "cert:\LocalMachine\CA\" + $Cert.Thumbprint
        $CertDNSName = $Cert.DNSNameList.Unicode
        $CertFilePath = "c:\certs\CAs\Intermediate\$CertDNSName-DER.cer"
        Export-Certificate -Cert $CertPath -FilePath $CertFilePath -Type CERT
    }
    $RootCertFolder = "c:\certs\CAs\Root\"
    $RootCertFolderContents = Get-ChildItem -Path $RootCertFolder -Filter *.cer
    $InterCertFolder = "c:\certs\CAs\Intermediate\"
    $InterCertFolderContents = Get-ChildItem -Path $InterCertFolder -Filter *.cer
    cd $OpenSSLLocation

    ##Convert DER files to PEM format
    $RootLIST = @()
    ForEach($Cert in $RootCertFolderContents) {
        $DERFULLNAME = $Cert.FullName
        $PEMFULLNAME = $DERFULLNAME.Replace("DER","PEM").Replace(".cer",".pem")
        .\openssl.exe x509 -inform DER -in $DERFULLNAME -outform PEM -out $PEMFULLNAME
        $RootLIST += $PEMFULLNAME
    }
    $InterLIST = @()
    ForEach($Cert in $InterCertFolderContents) {
        $DERFULLNAME = $Cert.FullName
        $PEMFULLNAME = $DERFULLNAME.Replace("DER","PEM").Replace(".cer",".pem")
        .\openssl.exe x509 -inform DER -in $DERFULLNAME -outform PEM -out $PEMFULLNAME
        $InterLIST += $PEMFULLNAME
    }

    ##Make combined Root/Intermediate cert PEM file(s)
    #One combined file is written per certificate found in the Intermediate store. A self-signed
    #entry there means a single-CA PKI; otherwise the intermediate is joined to its root,
    #intermediate first and root last, which is the order VIC/VCH expect a CA bundle in.
    ForEach($FILE in $InterLIST) {
        $FILENAME = [System.IO.Path]::GetFileNameWithoutExtension($FILE)
        #Pull the subject and issuer CN out of the intermediate
        $O = .\openssl.exe x509 -noout -subject -issuer -in $FILE
        $SubjectCN = if ($O[0] -match 'CN\s*=\s*([^,]+)') { $Matches[1].Trim() } else { $O[0] }
        $IssuerCN  = if ($O[1] -match 'CN\s*=\s*([^,]+)') { $Matches[1].Trim() } else { $O[1] }
        IF($SubjectCN -eq $IssuerCN) {
            Write-Host 'Only 1 internal CA in the PKI environment'
            Copy-Item $FILE -Destination "c:\certs\CAs\Combined\CombinedCA_$FILENAME.pem"
            Write-Host 'CA File generated for VIC and VCH Usage at:'
            Write-Host "c:\certs\CAs\Combined\CombinedCA_$FILENAME.pem" -ForegroundColor Green
        }Else{
            Write-Host 'Certificate chain has been implemented, attempting to create combined CA file(s)'
            Write-Host 'Intermediate CA has a Root CA'
            $RootCA = $IssuerCN.Split('.')[0]
            $RootCertFile = (Get-ChildItem -Path "c:\certs\CAs\Root" | Where-Object {$_.FullName -match [regex]::Escape($RootCA) -and $_.Extension -eq ".pem"}).FullName
            IF(!$RootCertFile) { Write-Warning "Root CA '$IssuerCN' for $FILE was not found in c:\certs\CAs\Root; skipping"; Continue }
            $CombinedFile = "c:\certs\CAs\Combined\CombinedCA_$SubjectCN.pem"
            Write-Host "Combining Intermediate and Root PEM files into single joined file"
            #-Encoding ascii matters: Windows PowerShell's Out-File defaults to UTF-16, which OpenSSL and VIC cannot read
            Get-Content $FILE | Out-File -FilePath $CombinedFile -Encoding ascii
            Get-Content $RootCertFile | Out-File -FilePath $CombinedFile -Encoding ascii -Append
            Write-Host 'CA File generated for VIC and VCH Usage at:'
            Write-Host $CombinedFile -ForegroundColor Green
        }
        #Copy-Item $InterLIST -Destination "c:\certs\CAs\Combined\CombinedCA.pem"
    }
}
This will generate a C:\Certs\CAs Folder. Inside you will find 3 other folders including Root, Intermediate, and Combined.
Open the C:\Certs\CAs\Combined folder. Inside you will have the PEM based certificate files we need.
Note: You will need to review these PEM files, as you may have multiple CAs in your environment. You will want to select the PEM File based on the CA that you will be getting your certificates from in the near future.
Copy the full file path of the PEM file that you will be using from the Combined Folder.
Option B: Manually create CA Certificate File(s) for later use
Note: This still requires some minimal PowerShell; I recommend going with Option A if possible.
On the desktop you are on, click on Start, Run, type mmc and press Enter
If asked, click Yes to Allow this app to make changes to your device:
Click on File, Click on Add/Remove Snap-in
Click on Certificates. Click on Add.
Click on “Computer Account” and click Next
Verify that Local Computer is selected, Click on Finish
Click OK
Expand Certificates (Local Computer) by clicking on the arrow
Expand Trusted Root Certification Authorities
Select the Certificates Folder
Browse for your CA
Right click your CA, Click All Tasks, Export…. (in this example sandbox-SANDCA01-CA-1 is used)
Click on Next
Verify that DER Encoded is selected, Click on Next
Click on Browse, save in C:\Certs\CAs\Root. Use name: CAName.cer (example SANDCA01.cer)
If your certificates will be issued by an intermediate CA, repeat this same process to export each intermediate CA's DER-based CER file. Name them CAName0x.cer. If you do not have an intermediate CA, skip the next 2 steps.
If intermediate CAs exist, use below command to convert cer files to PEM format (example SANDCA01.cer, SANDCA02.cer, SANDCA03.cer)
$OpenSSLLocation = "C:\Program Files\OpenSSL-Win64\bin" #x64 Version
$ROOTCAFile = "C:\Certs\CAs\Root\YOURCAFILENAMEHERE.cer"
$ROOTCAFOLDER = "C:\Certs\CAs\Root\"
$IntermediateCAFile = "C:\Certs\CAs\Intermediate\YOURCAFILENAMEHERE.cer"
$IntermediateCAFolder = "C:\Certs\CAs\Intermediate\"
cd $OpenSSLLocation
.\openssl x509 -inform DER -in $ROOTCAFile -outform PEM -out "${ROOTCAFOLDER}YOURCAFILENAMEHERE.pem"
.\openssl x509 -inform DER -in $IntermediateCAFile -outform PEM -out "${IntermediateCAFolder}YOURCAFILENAMEHERE.pem"
If intermediate CAs exist, you will need to combine the Root and Intermediate CA PEM files into one PEM file, in this order:
Contents of the issuing intermediate CA PEM file
Contents of any further intermediate CA PEM files (if multiple exist), each followed by the CA that issued it
Contents of the Root CA PEM file
NOTE: You must ONLY use the CAs that are in the path for the full-chain cert. Do not put CAs in the file if they are not part of the certificate path.
Command (example: sandca01.pem is the root, sandca02.pem and sandca03.pem are the intermediates). Run it from a cmd.exe prompt, not from Windows PowerShell 5.1, whose > redirection writes the file as UTF-16 and produces a bundle that OpenSSL and VIC cannot parse:
type sandca03.pem sandca02.pem sandca01.pem > CAName-fullchain.pem
The above saves the file as CAName-fullchain.pem
If CAName.cer is all that exists use the below command to convert the CER file to PEM format (example is SANDCA01.cer)
$OpenSSLLocation = "C:\Program Files\OpenSSL-Win64\bin" #x64 Version
$ROOTCAFile = "C:\Certs\CAs\Root\SANDCA01.cer"
$ROOTCAFOLDER = "C:\Certs\CAs\Root\"
cd $OpenSSLLocation
.\openssl x509 -inform DER -in $ROOTCAFile -outform PEM -out "${ROOTCAFOLDER}SANDCA01.pem"
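Whichever option you used, it is worth checking the combined file before it goes anywhere near the appliance. The following is an added check of my own (not part of the original post): it confirms the file is plain ASCII (no UTF-16 or UTF-8 BOM left behind by a PowerShell redirect), that every block in it is a CA certificate that has not expired, that the blocks are in chain order (each one issued by the next), and that the last block is a self-signed root. The path in $CombinedPem is an assumption; it only uses .NET classes that ship with Windows PowerShell 5.1.

```powershell
# Added example (not from the original post): sanity-check a combined CA PEM
# before handing it to VIC. $CombinedPem is an assumed path.
$CombinedPem = "C:\Certs\CAs\Combined\CombinedCA_HAMCA01-CA-PEM.pem"

function Test-CombinedCaFile {
    param([Parameter(Mandatory)][string]$Path)
    $Ok = $true

    # 1. Encoding: OpenSSL and the appliance read raw bytes, so a BOM breaks parsing.
    $Bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xFE) {
        Write-Warning "$Path is UTF-16 (BOM FF FE). Re-save it with -Encoding Ascii."
        $Ok = $false
    }
    if ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF) {
        Write-Warning "$Path has a UTF-8 BOM; some parsers reject it. Re-save it with -Encoding Ascii."
        $Ok = $false
    }

    # 2. Parse every PEM block into an X509Certificate2 (Get-Content honours the BOM,
    #    so the parse still works even if the encoding check above failed).
    $Text   = Get-Content -Path $Path -Raw
    $Blocks = [regex]::Matches($Text, '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----')
    if ($Blocks.Count -eq 0) { Write-Warning "No PEM certificate blocks found in $Path"; return $false }
    $Certs = foreach ($B in $Blocks) {
        $Der = [Convert]::FromBase64String(($B.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Der)
    }
    $Certs = @($Certs)

    # 3. Every block must be a CA, unexpired, and issued by the next block in the file.
    for ($i = 0; $i -lt $Certs.Count; $i++) {
        $C  = $Certs[$i]
        $BC = $C.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        if (-not $BC -or -not $BC.CertificateAuthority) {
            Write-Warning ("Block {0} ({1}) is not a CA certificate; remove it" -f ($i + 1), $C.Subject); $Ok = $false
        }
        if ($C.NotAfter -lt (Get-Date)) {
            Write-Warning ("Block {0} ({1}) has expired" -f ($i + 1), $C.Subject); $Ok = $false
        }
        if ($i -lt $Certs.Count - 1 -and $C.Issuer -ne $Certs[$i + 1].Subject) {
            Write-Warning ("Block {0} is issued by '{1}' but block {2} is '{3}': wrong order, or a CA that is not on the path" -f ($i + 1), $C.Issuer, ($i + 2), $Certs[$i + 1].Subject)
            $Ok = $false
        }
        Write-Host ("{0}: {1}  (thumbprint {2})" -f ($i + 1), $C.Subject, $C.Thumbprint)
    }

    # 4. The file must end at a self-signed root.
    $Last = $Certs[-1]
    if ($Last.Subject -ne $Last.Issuer) {
        Write-Warning "Last block is not self-signed; the root CA is missing from the file"; $Ok = $false
    }
    return $Ok
}

Test-CombinedCaFile -Path $CombinedPem
```

If the encoding check fails, rewrite the file with Get-Content piped to Set-Content -Encoding Ascii (or regenerate it from cmd.exe). A chain-order warning usually means the root was placed first, or that a second, unrelated CA from the Root store was exported into the same file.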
Step 4 - Create the VICA Certificates and Deploy the Appliance
In this section we will generate certificates for use with the vSphere Integrated Containers Appliance (VICA) and deploy the appliance into your environment. There are two methodologies for this. Option A is to run a single PowerShell/PowerCLI script that does all of these tasks for you. Option B requires you to generate the certificate in a more manual process and then use PowerShell to deploy the VICA.
Option A: Generate the Certificates with PowerShell and Deploy the VIC
You can use a PowerShell/PowerCLI script to generate all the certificate files for use with the VICA. The same script also deploys the VICA to a VMware host via vCenter. This is my recommended method, as the whole process is automated by the script.
Modify the below script (also found at my GitHub here: Generate VIC Certificate Files and Deploy Management Appliance.ps1 )
Note: Replace the values in the variable sections with those for your environment. Also make sure to run PowerShell as Administrator when running this script.
After the script completes, go to Verify VICA Deployment (Step 6)
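Before the certificate the CA returns is pasted into the OVA, it is worth checking that what came back is actually usable. The following is an added check of my own (not part of the original post or of VIC) to run once the Option A script has produced the files in C:\Certs\VIC (or once you have made the same files by hand): it proves the private key on disk belongs to the certificate (same RSA modulus), that the CA honoured the SAN from the CSR and the template put both EKUs on the certificate, and that the certificate chains to the combined CA file the appliance will be given. The paths, names and IP are assumptions matching the script's defaults; OpenSSL 1.1.1 is assumed.

```powershell
# Added example (not from the original post): verify the issued VICA certificate
# before deployment. Paths/names assume the script's defaults.
$OpenSSL = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
$CertDir = "C:\Certs\VIC"
$VicName = "hamvica01"
$VicFqdn = "hamvica01.hamker.local"
$VicIp   = "192.168.1.64"

function Test-IssuedVicCertificate {
    param(
        [string]$CertPem = "$CertDir\$VicName.pem",
        [string]$KeyPem  = "$CertDir\$VicName-key.pem",
        [string]$CaPem   = "$CertDir\CA.pem",
        [string]$Fqdn    = $VicFqdn,
        [string]$Ip      = $VicIp
    )
    $Ok = $true

    # 1. The private key on disk must be the one the certificate was issued for.
    #    For RSA, an identical modulus proves it.
    $CertMod = & $OpenSSL x509 -noout -modulus -in $CertPem 2>&1
    $KeyMod  = & $OpenSSL rsa  -noout -modulus -in $KeyPem  2>&1
    if ("$CertMod" -ne "$KeyMod") { Write-Warning "Certificate and private key do not match"; $Ok = $false }

    # 2. The CA must have honoured the CSR's SAN, and the template must have put
    #    both EKUs on the certificate. Missing DNS/IP means the template's Subject
    #    Name is not "Supply in the request": fix the template, do not enable
    #    EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA (that lets any enrollee pick any SAN).
    $Text = (& $OpenSSL x509 -noout -text -in $CertPem) -join "`n"
    $Checks = [ordered]@{
        "SAN DNS:$Fqdn"           = $Text -match [regex]::Escape("DNS:$Fqdn")
        "SAN IP Address:$Ip"      = $Text -match [regex]::Escape("IP Address:$Ip")
        "EKU TLS Web Server Auth" = $Text -match 'TLS Web Server Authentication'
        "EKU TLS Web Client Auth" = $Text -match 'TLS Web Client Authentication'
        "Not a CA (CA:FALSE)"     = $Text -match 'CA:FALSE'
    }
    foreach ($K in $Checks.Keys) {
        Write-Host ("{0,-40} {1}" -f $K, $Checks[$K])
        if (-not $Checks[$K]) { $Ok = $false }
    }

    # 3. The certificate must chain to the combined CA file the appliance is given.
    $Verify = & $OpenSSL verify -CAfile $CaPem $CertPem 2>&1
    Write-Host ($Verify -join "`n")
    if ("$Verify" -notmatch ': OK$') { Write-Warning "Chain does not verify against $CaPem"; $Ok = $false }

    return $Ok
}

Test-IssuedVicCertificate
```

A failed chain check with a good certificate almost always means CA.pem is the wrong bundle (another CA from the Combined folder, or one missing its root), so fix $CAFILELOCATION rather than re-issuing the certificate.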
<#
.NOTES
===========================================================================
Created by: Russell Hamker
Date: April 11, 2019
Version: 1.0
Twitter: @butch7903
GitHub: https://github.com/butch7903
===========================================================================

.SYNOPSIS
This script automates the full server build process for vSphere Integrated Containers. This includes generating all certificates using a Windows CA and CA Template. You must open this script and change the variables to match your environment and then execute the PS1 file.

.DESCRIPTION
Use this script to build the vSphere Integrated Containers Appliance. Fill in the variables and then simply run this script to automate the process of deploying vSphere Integrated Containers.

.NOTES
#>

$SEP = "-" * 119 #Separator line used in the console output

##Check if modules are installed, if so load them, else install them
if (Get-InstalledModule -Name VMware.PowerCLI -MinimumVersion 11.1.0 -ErrorAction SilentlyContinue) {
    Write-Host $SEP
    Write-Host "PowerShell Module VMware PowerCLI required minimum version was found previously installed"
    Write-Host "Importing PowerShell Module VMware PowerCLI"
    Import-Module -Name VMware.PowerCLI
    Write-Host "Importing PowerShell Module VMware PowerCLI Completed"
    $POWERCLIVERSION = Get-InstalledModule VMware.PowerCLI | Select-Object Name, Version
    Write-Host "PowerCLI Version is:"($POWERCLIVERSION.Version)
    Write-Host $SEP
    #CLEAR
} else {
    Write-Host $SEP
    Write-Host "PowerShell Module VMware PowerCLI does not exist"
    Write-Host "Setting Microsoft PowerShell Gallery as a Trusted Repository"
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    Write-Host "Verifying that NuGet is at minimum version 2.8.5.201 to proceed with update"
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Confirm:$false
    Write-Host "Uninstalling any older versions of the VMware PowerCLI Module"
    Get-InstalledModule -Name VMware.PowerCLI -AllVersions -ErrorAction SilentlyContinue | Uninstall-Module -Force
    Write-Host "Checking if VMware PowerCLI is still showing as Installed"
    $POWERCLI = Import-Module VMware.PowerCLI -PassThru -ErrorAction SilentlyContinue #-PassThru is required; Import-Module returns nothing without it
    IF($POWERCLI) {
        Write-Host "VMware PowerCLI Version Found"
        Write-Host "Upgrading VMware PowerCLI to Current"
        Remove-Module VMware.PowerCLI -ErrorAction SilentlyContinue
        Update-Module -Name VMware.PowerCLI -Scope AllUsers -Force
    }Else{
        Write-Host "Installing Newest version of VMware PowerCLI PowerShell Module"
        Install-Module -Name VMware.PowerCLI -Scope AllUsers -Force
    }
    Write-Host "Creating a Desktop shortcut to the VMware PowerCLI Module"
    $AppLocation = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    $Arguments = '-noe -c "Import-Module VMware.PowerCLI"'
    $WshShell = New-Object -ComObject WScript.Shell
    $Shortcut = $WshShell.CreateShortcut("$Home\Desktop\VMware PowerCLI.lnk")
    $Shortcut.TargetPath = $AppLocation
    $Shortcut.Arguments = $Arguments
    $Shortcut.Hotkey = "CTRL+SHIFT+V"
    $Shortcut.IconLocation = "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe,1"
    $Shortcut.Description = "Launch VMware PowerCLI"
    $Shortcut.WorkingDirectory = "C:\"
    $Shortcut.Save()
    Write-Host "Shortcut Created"
    Write-Host "You may use the CTRL+SHIFT+V method to open VMware PowerCLI"
    Write-Host "Importing PowerShell Module VMware PowerCLI"
    Import-Module -Name VMware.PowerCLI
    Write-Host "PowerShell Module VMware PowerCLI Loaded"
    $POWERCLIVERSION = Get-InstalledModule VMware.PowerCLI | Select-Object Name, Version
    Write-Host "PowerCLI Version is:"($POWERCLIVERSION.Version)
    Write-Host $SEP
    #Clear
}

##Setting PowerCLI to ignore certificate issues
Write-Host "Setting PowerCLI to ignore Certificate issues"
Write-Host "This is a known issue to cause OVA imports to fail"
#Security note: this turns off validation of the vCenter certificate, persistently and for every user on this workstation.
#If your VCSA already presents a certificate from the same internal CA, leave the default (Fail) and skip this line;
#otherwise prefer -Scope Session so the setting does not outlive the script.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope AllUsers -Confirm:$false

##VIC Certificate Variables
$VICNAME = "HAMVICA01" #Short name for your VICA (not FQDN)
$VICIP = "192.168.1.64" #Example 10.27.1.12
$VICNETMASK = "255.255.255.0" #Example 255.255.255.0
$VICGATEWAY = "192.168.1.1" #Example 192.168.1.1
$VICDOMAIN = "hamker.local"
$CERTTEMPLATE = "CertificateTemplate:VmwareWebServer" #To list the certificate templates and pick the right one: certutil -template | Select-String -Pattern TemplatePropCommonName. Example CertificateTemplate:Vmware6.0WebServer
$VICNAME = $VICNAME.ToLower() #VICNAME should be lower case
$VICFQDN = "$VICNAME.$VICDOMAIN"
$COUNTRY = "US" #2 letter country code
$STATE = "KS" #Your State
$CITY = "Wichita" #Your City
$COMPANY = "Hamker Tech" #Your Company
$DEPARTMENT = "IT" #Your Department

#Standard Variables
$CERTLOCATION = "C:\Certs"
$VICCertLocation = "$CERTLOCATION\VIC"
$VICCertLocationGet = Get-Item $VICCertLocation -ErrorAction SilentlyContinue
$VICKEY = "$VICCertLocation\$VICNAME.key" #This is in RSA format
$VICKEYGET = Get-Item $VICKEY -ErrorAction SilentlyContinue
$VICKEYPEM = "$VICCertLocation\$VICNAME-key.pem" #This is in PEM (PKCS#8) format
$VICKEYPEMGET = Get-Item $VICKEYPEM -ErrorAction SilentlyContinue
$VICCSR = "$VICCertLocation\$VICNAME.csr"
$VICCSRGET = Get-Item $VICCSR -ErrorAction SilentlyContinue
$VICCER = "$VICCertLocation\$VICNAME.cer" #Certificate as returned by certreq (Base64 unless -binary is used)
$VICCERGET = Get-Item $VICCER -ErrorAction SilentlyContinue
$VICPEM = "$VICCertLocation\$VICNAME.pem" #This is in PEM format
$VICPEMGET = Get-Item $VICPEM -ErrorAction SilentlyContinue

#Certificate Customizable Variables
$CAFILELOCATION = "C:\certs\CAs\Combined\CombinedCA_HAMCA01-CA-PEM.pem" #Combined CA PEM file from Step 3. Example C:\Certs\CAs\Combined\CombinedCA_HAMCA01-CA-PEM.pem
$CACERT = "$VICCertLocation\CA.pem" #This must be in PEM format; the script copies $CAFILELOCATION here. Example CombinedCA_HAMCA01-CA-PEM.pem
$CERTIFICATESERVER = "HAMCA01.hamker.local" #FQDN of the certificate server you are getting your certs from. Example HAMCA01.hamker.local
$OpenSSLLocation = "C:\Program Files\OpenSSL-Win64\bin" #x64 Version

#OVA Deployment Settings
$VCSA = "hamvc01.hamker.local" #FQDN of VCSA
$OVAPATH = "C:\VMware\VIC\1.5.2\vic-v1.5.2-7206-92ebfaf5.ova" #File location of VICA OVA file
$CLUSTER = "Cluster" #VMware cluster to deploy to
$OVADATASTORE = "HAMNAS03_iSCSI" #Datastore to deploy OVA to
$OVAPORTGROUP = "(1) Server" #Network port group to deploy OVA to
$VICPERMITROOTLOGIN = "True" #Specifies whether the root user can log in using SSH. Default is True
$VICAPPLIANCEPORT = "9443" #Port used to access the VICA primary interface. Used to connect VCSA to VICA and has links to the other VICA sites. Default is 9443
$VICDEFAULTUSERS = "False" #Set to False to skip creation of Example Users. Default is True
$VICUSERPREFIX = "" #Username prefix to be used to create Example Users for vSphere Integrated Containers. Default is vic1
$VICUSERPASSWORD = "" #Password to be used to create Example Users. The password must follow the rules set for vSphere.
$VICMGMTPORTALPORT = "8282" #Port to use for VICA Management Portal access. 443 will redirect to this address. Default is 8282
$VICDNSSERVER1 = "192.168.1.32"
$VICDNSSERVER2 = "192.168.1.33"
$VICDNSSERVERS = "$VICDNSSERVER1 $VICDNSSERVER2" #The DNS server IP addresses for this VM (space separated). Leave blank if DHCP is desired.
$VICDNSSEARCHPATH = "hamker.local" #The domain search path (space separated domain names) for this VM. Leave blank if DHCP is desired.
$VICNTPSERVERS = "192.168.1.32 192.168.1.33" #The NTP server IP addresses for this VM (space separated). Leave blank if DHCP is desired.
$VICHTTPPROXY = "" #The HTTP proxy setting: http://PROXY_SERVER:PORT or http://USER:PASSWORD@PROXY_SERVER:PORT. Leave blank if no http proxy is required.
$VICHTTPSPROXY = "" #The HTTPS proxy setting: http(s)://PROXY_SERVER:PORT or http(s)://USER:PASSWORD@PROXY_SERVER:PORT. Leave blank if no https proxy is required.
$VICNOPROXYLIST = "" #Bypass proxy settings for these hosts and domains (comma separated). Leave blank if no proxy is required.
$VICREGISTRYPORT = "443" #Specifies the port on which the registry will be published. Default is 443
$VICNOTARYPORT = "4443" #Specifies the port on which Notary will be published. Default is 4443
$VICGARBAGECOLLECTION = "True" #When set to true, the registry performs garbage collection every time it boots up. Default is False

#Standard OVA Deployment Variables
$VCSACREDS = Get-Credential -Message "Please specify a VCSA user account with Admin rights to deploy a VM with"
$OVAPASSWORD = Read-Host "Please type a password for the VIC root account" #Read before Start-Transcript so it is not written to the log

##Logging Info
#Get date info for naming of the log file
$LOGDATE = Get-Date -format "MMM-dd-yyyy_HH-mm"
#Specify log file info
$LOGFILENAME = "Log_" + $VICNAME + "_" + $LOGDATE + ".txt"
#Create log folder
$LogFolder = $VICCertLocation + "\Log"
If (Test-Path $LogFolder) {
    Write-Host "Log directory already exists. Continuing..."
}Else{
    New-Item $LogFolder -Type Directory
}
#Specify log file
$LOGFILE = $VICCertLocation + "\Log\" + $LOGFILENAME

##Starting Logging
Start-Transcript -Path $LOGFILE -Append

###Test if OpenSSL is installed
##Specify OpenSSL version. If you have a 64-bit OS, use the x64 version. If you have a 32-bit OS, use the x86 version
#$OPENSSL = Get-Item "C:\Program Files (x86)\OpenSSL-Win32\bin\OpenSSL.exe" -ErrorAction SilentlyContinue ##x86 version
$OPENSSL = Get-Item "C:\Program Files\OpenSSL-Win64\bin\OpenSSL.exe" -ErrorAction SilentlyContinue ##x64 version
IF(!$OPENSSL) {
    Write-Warning "OpenSSL is not installed"
    Write-Warning "Please download and install OpenSSL"
    Write-Warning "Download similar to version Win64 OpenSSL v1.1.1b Light"
    Write-Warning "https://slproweb.com/products/Win32OpenSSL.html"
    Write-Warning "Example download would be https://slproweb.com/download/Win64OpenSSL_Light-1_1_1b.msi"
    Write-Host "Press any key to continue..."
    [void][System.Console]::ReadKey($true)
    #Start-Sleep
    #EXIT
}else{
    Write-Host "Verified: OpenSSL has been properly installed" -ForegroundColor Green
}

###Verify that OpenSSL is installed
IF($OPENSSL) {
    #CNF Config
    #A single certificate carries both EKUs and both SAN forms (FQDN and IP) so that
    #docker clients connecting by name or by address validate it.
    $CNF = @"
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = key.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = keyEncipherment, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $VICFQDN
IP.1 = $VICIP

[ req_distinguished_name ]
C=$COUNTRY
ST=$STATE
L=$CITY
O=$COMPANY
OU=$DEPARTMENT
CN=$VICFQDN
"@

    #Open OpenSSL EXE location
    Write-Host $SEP
    Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    Write-Host "Starting Certificate Creation Process"
    CD $OpenSSLLocation
    #Make new VIC cert folder for storing all the cert files
    IF(!$VICCertLocationGet) {
        New-Item -Path $VICCertLocation -ItemType "directory" -ErrorAction SilentlyContinue
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }else{
        Write-Host "VIC Folder already created at" $VICCertLocation -ForegroundColor Green
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }
    #Make VIC config file
    $CFGFILE = New-Item -Path $VICCertLocation -Name "$VICNAME.cfg" -ItemType "file" -Force
    #Write contents to the config file from the $CNF variable (ASCII so OpenSSL can read it)
    Set-Content -Path $CFGFILE -Value $CNF -Encoding Ascii
    $CFGFILEFULLNAME = $CFGFILE.FullName
    IF(!$VICKEYGET) {
        #Generate the private key. It is written unencrypted and later pasted into an OVF property,
        #so restrict access to $VICCertLocation and treat the vApp options of the deployed VM as sensitive.
        CD $OpenSSLLocation
        .\openssl genrsa -out $VICKEY 2048
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }else{
        Write-Host "Key.key already generated at" $VICKEY -ForegroundColor Green
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }
    IF(!$VICKEYPEMGET) {
        Write-Host "VICA-key.pem file does not exist"
        Write-Host "Generating VICA-key.pem file"
        CD $OpenSSLLocation
        .\openssl pkcs8 -topk8 -in $VICKEY -outform PEM -nocrypt -out $VICKEYPEM
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }else{
        Write-Host "Key.pem already generated at" $VICKEYPEM -ForegroundColor Green
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }
    IF(!$VICCSRGET) {
        Write-Host "VICA CSR File Not Found"
        Write-Host "Generating VICA CSR"
        CD $OpenSSLLocation
        .\openssl req -config $CFGFILEFULLNAME -new -key $VICKEY -out $VICCSR
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }else{
        Write-Host "Server.csr already generated at" $VICCSR -ForegroundColor Green
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }
    #Work out the CA's common name from the ping output, which contains a line like
    #   Server "hamker-HAMCA01-CA" ICertRequest2 interface is alive
    $PING = certutil -config $CERTIFICATESERVER -ping
    $CA = $null
    IF(($PING -join "`n") -match 'Server "([^"]+)"') { $CA = $Matches[1] }
    IF(!$CA) { Write-Warning "Could not determine the CA name on $CERTIFICATESERVER; check: certutil -config $CERTIFICATESERVER -ping" }

    #To list the certificate templates and pick the right one
    #certutil -template | Select-String -Pattern TemplatePropCommonName
    #Detailed example: certutil -template | Select-String -Pattern Vmware6.0WebServer
    #Generate CER
    IF(!$VICCERGET) {
        certreq -submit -attrib $CERTTEMPLATE -Kerberos -config "$CERTIFICATESERVER\$CA" $VICCSR $VICCER
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }else{
        Write-Host "Server.cer already generated at" $VICCER -ForegroundColor Green
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }
    #Convert CER to PEM
    IF(!$VICPEMGET) {
        CD $OpenSSLLocation
        .\openssl x509 -in $VICCER -outform PEM -out $VICPEM
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }else{
        Write-Host "Server.pem already generated at" $VICPEM -ForegroundColor Green
        Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    }
    #Copy the CA cert to the VIC cert folder
    Write-Host "Copying CA PEM file to VIC cert folder"
    Copy-Item $CAFILELOCATION $CACERT -ErrorAction SilentlyContinue
    Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")

    Write-Host "VIC Certificate Generation Process Completed" $VICCSR -ForegroundColor Green
    Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
    Write-Host $SEP
}

#Generate DNS record for VICA (requires the DnsServer RSAT module and rights on $VICDNSSERVER1)
$DNSCHK = $null
try {
    $DNSCHK = [System.Net.Dns]::GetHostAddresses($VICFQDN)
} catch {
    $DNSCHK = $null
}
IF(!$DNSCHK) {
    Write-Host "DNS entry not found for VIC Appliance. Attempting to generate DNS entry"
    Add-DnsServerResourceRecordA -Name $VICNAME -ZoneName $VICDOMAIN -AllowUpdateAny -IPv4Address $VICIP -ComputerName $VICDNSSERVER1
}Else{
    Write-Host "DNS entry has already been created for VIC Appliance. Continuing..."
}

###Create VIC
#Starting
Write-Host "Starting vCenter VIC Customizations" -ForegroundColor Green

##Disconnect from any open vCenter sessions
#This can cause problems if there are any
Write-Host $SEP
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "Disconnecting from any open vCenter sessions"
TRY { Disconnect-VIServer * -Confirm:$false -ErrorAction Stop } CATCH { Write-Host "No open vCenter sessions found" }
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host $SEP

##Connect to vCenter Server
Write-Host $SEP
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "Connecting to vCenter" $VCSA
$VCENTER = Connect-VIServer -Server $VCSA -Credential $VCSACREDS
$VCENTER
Write-Host "Connected to vCenter"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host $SEP

##Deploy OVA
Write-Host $SEP
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
#Reference: https://pubs.vmware.com/vsphere-6-5/index.jsp?topic=%2Fcom.vmware.powercli.cmdletref.doc%2FGet-OvfConfiguration.html
#Get configuration info from OVA
$OVAConfig = Get-OvfConfiguration -Ovf $OVAPATH
#Pick a connected host in the cluster to deploy to
$VMHOST = Get-Cluster -Name $CLUSTER | Get-VMHost | Where-Object {$_.ConnectionState -eq "Connected"} | Get-Random
$PORTGROUP = Get-VirtualPortGroup -Host $VMHOST -Name $OVAPORTGROUP
Write-Host "Deploying OVA to" $VCSA "on VMware host" $VMHOST

#Fill in info for OVA
#Appliance
$OVAConfig.appliance.root_pwd.Value = $OVAPASSWORD
$OVAConfig.appliance.permit_root_login.Value = $VICPERMITROOTLOGIN #Default is TRUE
#Read the PEM files into the property values. Reset the accumulators first so a re-run in the same session does not append a second copy.
$VICPEMOUT = ""; $VICKEYPEMOUT = ""; $CACERTOUT = ""
Get-Content $VICPEM | ForEach-Object { $VICPEMOUT = $VICPEMOUT + $_ }
$OVAConfig.appliance.tls_cert.Value = $VICPEMOUT #Paste the content of the PEM encoded certificate file. Leave blank for a generated self-signed certificate.
Get-Content $VICKEYPEM | ForEach-Object { $VICKEYPEMOUT = $VICKEYPEMOUT + $_ }
$OVAConfig.appliance.tls_cert_key.Value = $VICKEYPEMOUT #Paste the content of the unencrypted PEM encoded certificate key file. Leave blank for a generated key.
Get-Content $CACERT | ForEach-Object { $CACERTOUT = $CACERTOUT + $_ }
$OVAConfig.appliance.ca_cert.Value = $CACERTOUT #Paste the content of the PEM encoded CA certificate that signed the TLS certificate. Leave blank for a generated self-signed certificate.
$OVAConfig.appliance.config_port.Value = $VICAPPLIANCEPORT #Default is 9443. Specifies the port on which the Getting Started page and Appliance Configuration will be published.
#Default Users
$OVAConfig.default_users.create_def_users.Value = $VICDEFAULTUSERS #Set to False to skip creation of Example Users. Default is True
$OVAConfig.default_users.def_user_prefix.Value = $VICUSERPREFIX #Username prefix to be used to create Example Users for vSphere Integrated Containers. Default is vic
$OVAConfig.default_users.def_user_password.Value = $VICUSERPASSWORD #Password to be used to create Example Users. The password must follow the rules set for vSphere.
#IP Protocol
$OVAConfig.IpAssignment.IpProtocol.Value = "IPv4" #This is the network protocol to use. Either IPv4 or IPv6
#Management Portal Port
$OVAConfig.management_portal.management_portal_port.Value = $VICMGMTPORTALPORT #Default is 8282. Specifies the port on which the Management Portal will be published.
#Network
$OVAConfig.Network.ip0.Value = $VICIP #VICA IP address
$OVAConfig.Network.netmask0.Value = $VICNETMASK #VICA network mask
$OVAConfig.Network.gateway.Value = $VICGATEWAY #VICA network gateway
$OVAConfig.Network.DNS.Value = $VICDNSSERVERS #VICA DNS servers
$OVAConfig.Network.searchpath.Value = $VICDNSSEARCHPATH #VICA DNS search path. List the DNS domains you want it to see
$OVAConfig.Network.fqdn.Value = $VICFQDN #The fully qualified domain name of this VM. Leave blank if DHCP is desired.
$OVAConfig.Network.ntp.Value = $VICNTPSERVERS #VICA NTP servers
$OVAConfig.Network.http_proxy.Value = $VICHTTPPROXY #VICA HTTP proxy
$OVAConfig.Network.https_proxy.Value = $VICHTTPSPROXY #VICA HTTPS proxy
$OVAConfig.Network.no_proxy_list.Value = $VICNOPROXYLIST #VICA no-proxy list
#NetworkMapping
$OVAConfig.NetworkMapping.Network.Value = $PORTGROUP #Port group the appliance NIC is attached to
#Registry
$OVAConfig.registry.registry_port.Value = $VICREGISTRYPORT #VICA registry port
$OVAConfig.registry.notary_port.Value = $VICNOTARYPORT #VICA Notary port
$OVAConfig.registry.gc_enabled.Value = $VICGARBAGECOLLECTION #VICA garbage collection True/False

#List OVAConfig details (the root password, the private key and the example-user password are redacted because this output lands in the transcript log)
Write-Host "Listing OVA Config Contents:"
Write-Host "Root Password: [redacted]"
Write-Host "Permit Root Login:"$OVAConfig.appliance.permit_root_login.Value
Write-Host "TLS Cert:"$OVAConfig.appliance.tls_cert.Value
Write-Host "TLS Cert Key: [redacted, private key]"
Write-Host "CA Cert:"$OVAConfig.appliance.ca_cert.Value
Write-Host "VIC Appliance Network Port:"$OVAConfig.appliance.config_port.Value
Write-Host "Create Default Users:"$OVAConfig.default_users.create_def_users.Value
Write-Host "Create Default Users Name:"$OVAConfig.default_users.def_user_prefix.Value
Write-Host "Create Default Users Password: [redacted]"
Write-Host "VIC Appliance Network Protocol:"$OVAConfig.IpAssignment.IpProtocol.Value
Write-Host "VIC Appliance Management Portal Port:"$OVAConfig.management_portal.management_portal_port.Value
Write-Host "VIC Appliance IP:"$OVAConfig.Network.ip0.Value
Write-Host "VIC Appliance Netmask:"$OVAConfig.Network.netmask0.Value
Write-Host "VIC Appliance Gateway:"$OVAConfig.Network.gateway.Value
Write-Host "VIC Appliance DNS Servers:"$OVAConfig.Network.DNS.Value
Write-Host "VIC Appliance DNS Search Path:"$OVAConfig.Network.searchpath.Value
Write-Host "VIC Appliance FQDN:"$OVAConfig.Network.fqdn.Value
Write-Host "VIC Appliance NTP Servers:"$OVAConfig.Network.ntp.Value
Write-Host "VIC Appliance HTTP Proxy:"$OVAConfig.Network.http_proxy.Value
Write-Host "VIC Appliance HTTPS Proxy:"$OVAConfig.Network.https_proxy.Value
Write-Host "VIC Appliance No Proxy List:"$OVAConfig.Network.no_proxy_list.Value
Write-Host "VIC Appliance Portgroup:"$OVAConfig.NetworkMapping.Network.Value
Write-Host "VIC Appliance Registry Port:"$OVAConfig.registry.registry_port.Value
Write-Host "VIC Appliance Notary Port:"$OVAConfig.registry.notary_port.Value
Write-Host "VIC Appliance Garbage Collection:"$OVAConfig.registry.gc_enabled.Value
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
#Deploy
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host "Deploying vSphere Integrated Containers Appliance..." -foregroundcolor "yellow"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
$VICVM = Import-VApp -Source $OVAPATH -OvfConfiguration $OVAConfig -Name $VICNAME.toUpper() -VMHost $VMHOST -Datastore $OVADATASTORE -DiskStorageFormat "Thick"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "OVA Deployment Completed"
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
##Upgrade Hardware Version to Current prior to first poweron
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "Upgrading Virtual Hardware to Current Version"
#Map each ESXi release to the newest virtual hardware version it supports
$HWVERSIONMAP = @{ "6.7.0" = "v14"; "6.5.0" = "v13"; "6.0.0" = "v11" }
$VMHOSTVERSION = (Get-VMHost $VMHOST).Version
$VMEXPECTEDVERSION = $HWVERSIONMAP[$VMHOSTVERSION]
IF($VMEXPECTEDVERSION) {
    Write-Host "VMHost "$VMHOST" is running ESXi "$VMHOSTVERSION
    [string]$VMVERSION = (Get-VM $VICNAME).Version
    IF($VMVERSION -ne $VMEXPECTEDVERSION) {
        Write-Host "Upgrading VM "$VICNAME" to match VMHost ESXi version"
        Set-VM -VM (Get-VM -Name $VICNAME) -Version $VMEXPECTEDVERSION -Confirm:$false
    }ELSE{
        Write-Host "VM is presently at Current Hardware Version for VMHost "$VMHOST
    }
}ELSE{
    #Unknown ESXi release: leave the VM at the version the OVA shipped with rather than guessing
    Write-Warning "No hardware version mapping for ESXi $VMHOSTVERSION; leaving VM $VICNAME unchanged"
}
Write-Host "Upgrading Virtual Hardware to Current Version Completed"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
#Start vSphere Integrated Containers Appliance
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "Starting $VICNAME" -foregroundcolor "yellow"
Start-VM -VM $VICVM | Out-Null
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
#Notify User of Completion
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "vSphere Integrated Containers Appliance Deployment Completed"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
#Open VIC VM Console
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
#Checking if VMRC is Installed
Write-Host "Checking if VMRC is Installed"
$VMRC = Get-Item "C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe" -ErrorAction SilentlyContinue
IF($VMRC) {
    Write-Host "Opening Console of vSphere Integrated Containers Appliance"$VICNAME
    Open-VMConsoleWindow -VM $VICNAME
}ELSE{
    #Write-Warning takes a single message string, so the VM name is interpolated rather than passed as a second argument
    Write-Warning "VMware Remote Console Application is not installed."
    Write-Warning "Skipping opening VMRC to $VICNAME"
}
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
#Open VIC Web Interface
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
$URL = "http://$VICFQDN"
Start-Process -FilePath $URL
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
##Disconnect from vCenter
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "Disconnecting from vCenter"
Disconnect-VIServer $VCENTER -Confirm:$false
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
##Stopping Logging
#Note: Must stop transcripting prior to sending email report with attached log file
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "All Processes Completed"
Write-Host "Stopping Transcript"
Write-Host (Get-Date -format "MMM-dd-yyyy_HH-mm-ss")
Write-Host "-----------------------------------------------------------------------------------------------------------------------"
Stop-Transcript
Write-Host "This script has completed its tasks"
Option B: Generate the Certificates Manually and Deploy the VIC
Open the C:\Program Files\OpenSSL-Win64\bin in Windows Explorer
Run the below PowerShell commands to generate the necessary key/pem, csr, cer/pem files
$VICNAME = "hamvica01.hamker.local"
$VICEXE = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
mkdir C:\Certs\$VICNAME
notepad C:\Certs\$VICNAME\vic-openssl.cfg
Create a text file named vic-openssl.cfg in the VIC folder created above (the notepad command above creates it there).
Open vic-openssl.cfg with Notepad++
Paste the below into Notepad++. The values in the [ alt_names ] and [ req_distinguished_name ] sections will need to be updated with your information. In this example, we will be spinning up a VICA server with the FQDN/IP hamvica01.hamker.local/192.168.1.64.
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = server.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = keyEncipherment, digitalSignature, keyAgreement, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = hamvica01.hamker.local
IP.1 = 192.168.1.64
[ req_distinguished_name ]
C=US
ST=Kansas
L=Wichita
O=Hamker Tech
OU=IT
CN=hamvica01.hamker.local
Save the above contents to the vic-openssl.cfg file.
Open PowerShell as administrator
Place vic-openssl.cfg in this new folder
Place the below contents into the PowerShell Window
cd "C:\Program Files\OpenSSL-Win64\bin"
.\openssl genrsa -out C:\Certs\$VICNAME\server.key 2048
.\openssl pkcs8 -topk8 -in C:\Certs\$VICNAME\server.key -outform PEM -nocrypt -out C:\Certs\$VICNAME\key.pem
.\openssl req -config C:\Certs\$VICNAME\vic-openssl.cfg -new -key C:\Certs\$VICNAME\server.key -out C:\Certs\$VICNAME\server.csr
(References: https://www.openssl.org/docs/man1.0.2/man1/openssl-pkcs8.html and https://vmware.github.io/vic-product/assets/files/html/1.3/vic_vsphere_admin/vic_cert_reference.html )
Minimize PowerShell, do not close it as it will be used more later in this process.
Open Internet Explorer and browse to your Windows CA. https://YourCA.FQDN.Here/certsrv in this example
Specify your domain credentials if requested
Click on Request a Certificate
Click on advanced certificate request
Select Certificate Template VMware 6.x Web Server (if this is not present please make a copy of the Web Server Certificate Template, call it VMware 6.x Web Server with the following configuration listed at the beginning of this article)
Click on Submit
Download the Certificate file in DER encoded format
Save the DER certificate file as name: certnew-DER.cer. Store this in the same folder as the VIC CSR/Key files
Download the Certificate file in Base64 encoded format
Save the Base64 certificate file as name: certnew-base64.cer. Store this in the same folder as the VIC CSR/Key files
Maximize PowerShell
Run below command to convert the certnew-DER.cer file to PEM formatting:
.\openssl x509 -inform DER -in C:\Certs\$VICNAME\certnew-DER.cer -out C:\Certs\$VICNAME\vic.pem
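Before pasting the files into the OVA it is worth confirming that what the CA returned is what the appliance needs: the key belongs to the certificate, both serverAuth and clientAuth EKUs survived the template, the SANs from vic-openssl.cfg are present, and the chain validates against the CA certificate you will paste alongside it. The following PowerShell is an added example, not part of the original post; it assumes the folder and file names created above and a PEM copy of your CA chain at the path set in $CACHAIN (an assumption, adjust it).

```powershell
# Added verification script (not from the original post). Assumes the files created
# above in C:\Certs\$VICNAME and a PEM export of your CA chain; adjust the paths.
$VICNAME = "hamvica01.hamker.local"
$VICIP   = "192.168.1.64"
$OPENSSL = "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
$CERTDIR = "C:\Certs\$VICNAME"
$CACHAIN = "C:\Certs\CAName-fullchain.pem"   # assumption: your CA chain exported as PEM

function Invoke-OpenSsl {
    # Runs openssl with the given arguments and returns stdout+stderr as one string
    param([string[]]$Arguments)
    (& $OPENSSL @Arguments 2>&1 | Out-String)
}

function Test-VicCertificate {
    # Returns an ordered table of pass/fail checks for the certificate the VICA will use
    param([string]$CertPem, [string]$KeyPem, [string]$CaChain, [string]$Fqdn, [string]$Ip)
    $result = [ordered]@{}

    # 1. The private key must belong to the certificate: compare the RSA moduli
    $certMod = Invoke-OpenSsl @("x509", "-in", $CertPem, "-noout", "-modulus")
    $keyMod  = Invoke-OpenSsl @("rsa",  "-in", $KeyPem,  "-noout", "-modulus")
    $result["KeyMatchesCert"] = ($certMod -match "^Modulus=") -and ($certMod.Trim() -eq $keyMod.Trim())

    # 2. The template must have produced both EKUs, and the SANs from vic-openssl.cfg must be present
    $text = Invoke-OpenSsl @("x509", "-in", $CertPem, "-noout", "-text")
    $result["HasServerAuth"] = $text -match "TLS Web Server Authentication"
    $result["HasClientAuth"] = $text -match "TLS Web Client Authentication"
    $result["HasDnsSan"]     = $text -match ("DNS:" + [regex]::Escape($Fqdn))
    $result["HasIpSan"]      = $text -match ("IP Address:" + [regex]::Escape($Ip))

    # 3. The chain must validate against the CA certificate you will paste into the OVA
    $verify = Invoke-OpenSsl @("verify", "-CAfile", $CaChain, $CertPem)
    $result["ChainValid"] = $verify -match ": OK"

    # 4. The certificate must be valid right now (-checkend 0 reports whether it has expired)
    $end = Invoke-OpenSsl @("x509", "-in", $CertPem, "-noout", "-checkend", "0")
    $result["NotExpired"] = $end -match "will not expire"

    return $result
}

$checks = Test-VicCertificate -CertPem (Join-Path $CERTDIR "vic.pem") -KeyPem (Join-Path $CERTDIR "key.pem") `
    -CaChain $CACHAIN -Fqdn $VICNAME -Ip $VICIP
$checks.GetEnumerator() | ForEach-Object { Write-Host ("{0,-15} {1}" -f $_.Key, $_.Value) }
if ($checks.Values -contains $false) {
    Write-Warning "Certificate is not ready for the VICA; fix the failing checks before deploying."
}
```

A failed HasServerAuth or HasClientAuth check means the CA template is missing one of the two application policies, which is the usual reason the appliance shows no fingerprint at boot.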
Option B - Deploy the vSphere Integrated Containers Appliance (VICA) Manually
Deploy using the Flex interface only; the HTML5 client still has known issues. (reference: https://vmware.github.io/vic-product/assets/files/html/1.5/vic_vsphere_admin/ts_reg_doesnt_start.html ) I will mention that we had issues with deploying using the HTML5 interface and were required to remove the extension via MOB, reboot the VCSA, and then redeploy using the Flex interface to allow Admiral to function.
Go to Hosts and Clusters if not already there after logging in
Right Click the Cluster you wish to deploy the VIC Appliance to, and click on Deploy OVF Template
Select the VIC OVA downloaded previously
Hit Next
Type in the Name of the VM, and then select the VM folder you wish to put it in, and then Click Next
Select the Cluster or Host you wish to deploy the VIC Appliance to and Click Next
Review the details and Click Next
Read the License Agreement
Check “I accept all license agreements” and Click on Next
Specify your Virtual Disk Format, Select the Datastore you wish to place the VIC Appliance on, and Click on Next
Select your Network and Hit Next. Please note this network is the network the VICA will use to communicate with vCenter and the Hosts running the Virtual Container Hosts (VCHs), so it needs to be a routed network.
Fill in the fields below as accurately as you can. Please note in my sandbox I had issues with having the Permit Root Login using SSH checked. I was required to use the vCenter Flash interface to get this to deploy with this checked.
Root Password
Permit Root Login (check to allow)
Appliance TLS Certificate. Note, this must be in PEM format. Paste the contents of the vic.pem file created above to this area (extra spaces and multiple lines are what cause the HTML5 client to fail)
Appliance TLS Certificate Key. Paste the contents of the unencrypted key.pem file created above (the PKCS#8 PEM key; the OVA rejects an encrypted key)
Certificate Authority Certificate in PEM format. Paste the contents of either the CAName.pem or CAName-fullchain.pem to this area
Appliance Configuration Port. Specify the port you wish to use to access the management interface of this VM. This is used to connect the vCenter/VCSA to your VIC Appliance. Default is 9443. We chose to leave this at the default.
Network IP Address. If you choose to do a static IP, place that information here or leave it blank for DHCP. This IP should match what you placed in the openssl.cfg file you made if you are using a custom certificate.
Network Mask. Leave blank for DHCP.
Default Gateway. Leave blank for DHCP.
Domain Servers. Leave blank for DHCP. Place spaces between each IP address for multiple DNS servers.
Domain Search Path. Leave blank for DHCP. Specify the domain this VM is to be on.
FQDN. Leave blank for DHCP. Specify the Fully Qualified Domain Name of this VM. This is the information you specified in the openssl.cfg file you made if you are using a custom certificate.
Registry Port. Default is 8282. This should not be changed unless needed.
Notary Port. Default is 4443. This should not be changed unless needed.
Garbage Collection. This is not checked by default. You should turn it on.
Management Portal Port. Default is 8282. This should not be changed unless needed.
Create Example Users. Default is checked. Uncheck to skip user creation. (Instead use vCenter SSO)
Username Prefix for Example Users. Default is vic.
Password for Example Users. Specify a password if Create Example Users is checked.
Review your inputs and Click on Next
Verify all the Settings are correct and hit Finish to start Deployment.
Upgrade the VM's compatibility (virtual hardware version) to your host's version
Power on the VICA Virtual Machine
Step 5 - Verify VICA Deployment
Wait for the VM to Deploy. After the VM is deployed, if it is deployed in an off state, upgrade the hardware version to match your VMware ESXI version.
Power On the VICA VM.
Open the Console to the VICA VM and watch it boot up. If you did not do the certificates correctly, the TLS certificate SHA-1 fingerprint will be unavailable and you will need to redeploy. If it looks similar to below, showing the fingerprint, you created your certificate correctly.
Open a web browser and go to the http://ip or dns name of the VM. You will be required to wait for the VIC
After it has initialized you will find the below interface. If this interface does not come up after about 5 minutes, you will likely be required to redeploy the VIC Appliance. We recommend using the IP address for vCenter so that DNS lookups do not have to happen.
Verify that the Certificate is Valid.
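One way to verify the certificate the appliance actually serves, and to tie it back to the SHA-1 fingerprint shown on the console, is to pull it over TLS from the configuration port and compare it with the PEM you pasted. The following PowerShell is an added example, not from the original post; it assumes the appliance answers on $VICFQDN:9443 and that C:\Certs\<VICNAME>\vic.pem is the certificate you pasted into the OVA.

```powershell
# Added check (not from the original post). Assumes the VICA answers on
# $VICFQDN:9443 and that vic.pem below is the certificate pasted into the OVA.
$VICFQDN = "hamvica01.hamker.local"
$VICPORT = 9443
$VICPEM  = "C:\Certs\$VICFQDN\vic.pem"

function Get-RemoteCertificate {
    # Opens a TLS session to the appliance and returns the leaf certificate it presents
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated separately below
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Compare-VicCertificate {
    # Compares the served certificate with the local PEM and reports name, trust and expiry
    param([string]$HostName, [int]$Port, [string]$LocalPem)
    $remote = Get-RemoteCertificate -HostName $HostName -Port $Port
    $local  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LocalPem)
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # lab CAs rarely publish a reachable CRL
    [ordered]@{
        RemoteSha1  = $remote.Thumbprint       # same SHA-1 the VICA console prints, without the colons
        LocalSha1   = $local.Thumbprint
        SameCert    = ($remote.Thumbprint -eq $local.Thumbprint)
        NameMatches = ($remote.GetNameInfo("DnsName", $false) -eq $HostName)
        TrustedByCA = $chain.Build($remote)    # $true only if the issuing CA is trusted by this workstation
        DaysLeft    = [int]($remote.NotAfter - (Get-Date)).TotalDays
    }
}

$report = Compare-VicCertificate -HostName $VICFQDN -Port $VICPORT -LocalPem $VICPEM
$report.GetEnumerator() | ForEach-Object { Write-Host ("{0,-12} {1}" -f $_.Key, $_.Value) }
if (-not ($report.SameCert -and $report.NameMatches -and $report.TrustedByCA)) {
    Write-Warning "The appliance is not serving the expected, trusted certificate; redeploy before connecting it to vCenter."
}
```

If SameCert is false the appliance fell back to a self-signed certificate, which is the state the console shows as a missing fingerprint.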
Step 6 - Connect the VIC Appliance to your VCSA
You will need to next connect your VIC appliance to your vCenter instance. This will require you use the administrator@vsphere.local account.
Open the HTTPS interface to your VIC appliance if it is not already opened. Use the DNS name if at all possible. https://fqdn:9443
If you have an embedded PSC, fill in the fields like below. If you have an external PSC, change the PSC Instance information to that DNS name.
Click on Continue. The process to connect the VIC appliance to the vCenter/VCSA can take a few minutes to complete. This will also install the vSphere Integrated Containers Plugin on your vCenter.
If all goes well, you will see this at the top of the screen after.
Open the HTML5 VCSA interface and verify that the new vSphere Integrated Containers option shows in the menu.
This completes basic VICA standup.
Read Part 2 to configure your VMware cluster and deploy your first Virtual Container Host (vCH).