Tag Archives: ssl

VMware STS Clients Failed SSL Certificate of STS Service Cannot Be Verified

“Initialization of STS Clients failed. Root Cause: The SSL certificate of STS service cannot be verified” is an error which put a delay in deployment of the vShield Manager.

VMware STS Clients Failed Error

During the configuration of the Lookup Service Information, we encountered this particular error. It important to understand how the environment was designed when we hit this error and why it didn’t seem to make sense at first .

There are two sites, Site A and Site B, in a hybrid vCenter 5.1 configuration running vCenter 5.5 Single Sign-On and Web Client on their own dedicated virtual machines, SSO1 and SSO2. vCenter 5.5 Single Sign-On and the Web Client both reside on the same server, one in each site. There are a total of 5 vCenter Servers that are at 5.1 U1/U2 versions. Each vCenter is pointed at their corresponding site/geographic regions’ vCenter 5.5 Single Sign-On and Web Client server.

VMware Single Sign-On SSO Architecture

This model is fully supported by VMware per KB2059249 and has proven to be an ideal deployment model in the vCenter 5.1 product family than the initial release of Single Sign-On 5.1.

The vShield Manager was deployed at Site B and we used Site B’s SSO and Web Server address when configuring the Lookup Service. After research, internet forums indicated that the certificate of the SSO server, chain and root certificates needed to be bundled into a single certificate and installed on the STS server. This did not make sense since no certificates were manually generated for use by the SSO servers. All SSO certificates were generated during installation and we’re self signed by the VMware SSO installer.

VMware STS Clients Failed Error

While working with a co-worker to troubleshoot the issue above, it occurred to me to list all services that the SSO server see’s to determine what STS service that the SSO server was using. After issuing the following command on the SSO server:

ssolscli listServices https://cgvccore2.fqdn:7444/lookupservice/sdk


VMware STS Clients Failed Error Proof

The urn:sso:sts service was listed with Site A’s registered URL! It completely slipped my mind that there was only one STS server listed in any SSO instance. We updated the Lookup Service Information Host URL and the “Initialization of STS Clients failed. Root Cause: The SSL certificate of STS service cannot be verified” issue was resolved!

VMware STS Clients Failed Error Resolved

Note: This is single point of failure, it would be best to load balance the STS service. There are articles to update where the STS service is pointing to the event of a failure if a load balance model is not implemented initially.

Tagged , , , , , ,

Setup Windows Up.time Monitoring SSL Agent

This guide will show you how to install and configure an Up.time Agent for Windows using SSL. Up.time provides a guide which give a good outline of the steps required to get an Up.time agent configured in Windows using SSL but I think many will find this information very useful since it will automate installations using a batch file and will determine the architecture of Windows then places the files/registry keys in the correct location based on the processor architecture.

First, a certificate must be generated for the Up.time agent to use. OpenSSL tools will be required to generate the appropriate certificate. To generate the certificate, issue the following command from the bin directory of the OpenSSL installation.

openssl req -x509 -nodes -days 3650 -subj '/C=US/ST=Ohio/L=Cleveland/O=My Company/OU=My Department/CN=uptime-agent' -newkey rsa:1024 -keyout uptime_agent.pem -out uptime_agent.pem

Stunnel is the piece of software that wraps around the Up.time agent port and encrypts the traffic since the Up.time agent is not natively using SSL. Stunnel is an open-source project and can be downloaded at www.stunnel.org.

Download Stunnel and extract it to a directory. Place the newly generate certificate in the directory. Overwrite the downloaded stunnel.conf with the stunnel.conf that is listed below. Modify the up.time-stunnel-agent.bat script to the correct UNC/SMB/SAMBA paths and save the file.

Finally, place the remaining files into the directory structure. Follow the directory structure below
Uptime Agent SSL Directory View Screenshot

Don’t forget to goto the Up.time Software website to get the .exe version of the Windows Up.time Agent.

NOTE: If you wish to change the port numbers that is in hexadecimal in the UptimeCMDPassword_x86.reg and UptimeCMDPassword_x64.reg files and must be changed in the stunnel.conf file.

The rest should explain it self. If you have any questions, post a comment and I will try to help you the best that I can.

Continue reading

Tagged , , , , , ,