VMware vCloud Director – vCloud Director Install – Part 3

VMware vCloud Director vCloud Director Install

In Part 3 of the vCloud Director Lab series we now look at installing the first vCloud Director cell.

My vCloud Director Cell 1, is a virtual machine with the following specs:

• Hostname: vcloud6director1.vmlab.local
• O.S: CentOS 6.5 (64-bit)
• CPU: 2 vCPU
• RAM: 4GB
• HDD: 40GB
• IP: 192.168.1.170/24 (Used for HTTP)
• IP: 192.168.1.171/24 (Used for Proxy Console)
• IP: 192.168.2.170/24 (Used for NFS Storage)

Before we even look at installing vCloud Director, we will need to prepare the operating system with a few pre-requisites.

The following add-ons need to be installed:

I have included this line for you to copy and paste so that you don’t need to type the whole thing out:

# yum install alsa-lib bash chkconfig coreutils findutils glibc grep initscripts krb5-libs libgcc libICE libSM libstdc libX11 libXau libXdmcp libXext libXi libXt libXtst module-init-tools net-tools pciutils procps redhat-lsb sed tar which

Once all these modules have been installed, you can then run # yum update to install all the latest operating system updates

When setting up multiple vCloud Director Cells, we are going to need to setup a vCloud Director Transfer Server Storage NFS volume. In my home lab I use a Synology NAS which includes NFS, however if you don’t have a NAS within your lab, you can utilize something like FreeNAS for NFS storage. Within my Synology I have created a volume called vcloud6-transfer-storage and have allowed full NFS access for the IP address 192.168.2.170 (the vCloud Director NFS Storage IP). If you are not planning on setting up multiple vCloud Director Cells you can skip this step as the server will use it’s local disk for transfer server storage.

vCloud Director relies on SSL certificates. In this lab we are going to concentrate on creating a CSR, submitting the request to a CA, and installing the certificate. I will also write the option down to quickly generate a self-signed certificate. Within this lab I will be utilizing the Microsoft Certificate Authority which is installed on my Windows 2012 Active Directory Server called vmad1.vmlab.local – 192.168.1.101

Lastly we need to have forward and reverse DNS entries for our vCloud Director HTTP and ConsoleProxy service. I have added the following host entries into my Active Directory DNS server:

192.168.1.170 – vcloud6director1.vmlab.local (forward and PTR record)
192.168.1.171 – vcloud6director1proxy.vmlab.local (forward and PTR record)

Before starting on the steps below, we are going to be working with 2 SSH windows connected to the vCloud Director Server. One will be running the installation and the second we will be doing side steps. I will refer to these two windows as SSH window 1 and SSH window 2.

Installing VMware vCloud Director

1. Before we can begin the installation we need to SCP (use WinSCP) the vCloud Director image from your PC up to the server, I placed my image in the /TMP directory.

Once the image has been uploaded we will need to give the image eXecute permissions and we can do this by typing:

# chmod +x vmware-vcloud-director-8.0.0-3017494.bin

Now that the image has execute permissions applied we can launch it by typing:

# ./vmware-vcloud-director-8.0.0-3017494.bin

2. If we are planning on setting up multiple vCloud Director cells we are going to need to mount the NFS storage to this server. Let’s jump over to SSH window 2.

We will change the directory to /opt/vmware/vcloud-director/data/transfer (This is going to be the mount point for our NFS storage)

# cd /opt/vmware/vcloud-director/data/transfer

My mount point for the transfer storage NFS volume is /volume1/vcloud6-transfer-storage. To mount it to this server type:

# mount -t nfs 192.168.2.5:/volume1/vcloud6-transfer-storage /opt/vmware/vcloud-director/data/transfer

I want this mount point to be available each time the server reboots, to do this we need to modify the /etc/fstab file

# vi /etc/fstab

3. Within VI press i which places you into insert mode. Move the cursor to the last line and type:

192.168.2.170:/volume1/vcloud6-transfer-storage /opt/vmware/vcloud-director/data/transfer nfs rw 0 0

Press the ESC key to exit from insert mode. If you have made a mistake anywhere you can either move the cursor to the where the mistake is and press x This will delete 1 character at a time.

To save the changes we type :wq! (This will write and then quite). If you wish to exit without saving changes you can type :q!

4. If we list our storage by typing # df -h we can see that our NFS storage is mounted to the mount point /opt/vmware/vcloud-director/data/transfer

Next go ahead and change the permissions for /opt/vmware/vcloud-director/data/transfer directory by following this article

5. Let’s return to SSH window 1 and continue with the installation. Press y to run the script. Select your HTTP and console proxy IP address. Stop when the prompt to enter private keys: appear

6. I will now jump over to SSH window 2. There are 2 ways to setup certificates with vCloud Director, a. use a self-signed certificate, b. create a CSR and submit the request to a Certificate Authority Server.

a. Self Signed

# /opt/vmware/vcloud-director/jre/bin/keytool -keystore certificates.ks  -storetype JCEKS -storepass password -genkey -keyalg RSA -alias http (replace password with the password you wish to use). Enter in all your information, Organization, State, Country, etc

# /opt/vmware/vcloud-director/jre/bin/keytool -keystore certificates.ks  -storetype JCEKS -storepass password -genkey -keyalg RSA -alias consoleproxy (replace password with the password you wish to use). Enter in all your information, Organization, State, Country, etc

You certificates file will be located at this path /opt/vmware/vcloud-director/jre/bin/keytool/certificates.ks

b. Generating a CSR and submitting the request to a Certificate Authority

# cd /opt/vmware/vcloud-director/jre/bin

# ./keytool -keystore certificates.ks -storetype JCEKS -storepass storecertpass -genkey -keyalg RSA -keysize 2048 -alias http (replace storecertpass with a password you wish to use). Fill in all the information.

# ./keytool -keystore certificates.ks -storetype JCEKS -storepass storecertpass -genkey -keyalg RSA -keysize 2048 -alias consoleproxy (replace storecertpass with a password you wish to use). Fill in all the information

7. We will now generate the CSR file for both http and consoleproxy

# ./keytool -keystore /opt/vmware/vcloud-director/jre/bin/certificates.ks -storetype JCEKS -storepass storecertpass -certreq -alias http -file http.csr -keysize 2048 -validity 1095 (Feel free to change the validity, which is in days, also be sure to use the storepass you selected in step 6)

# ./keytool -keystore /opt/vmware/vcloud-director/jre/bin/certificates.ks -storetype JCEKS -storepass storecertpass -certreq -alias consoleproxy -file consoleproxy.csr -keysize 2048 -validity 1095 (Feel free to change the validity, which is in days, also be sure to use the storepass you selected in step 6)

8. I’m going to use WinSCP to download the http.csr and consoleproxy.csr files from the vCloud Director server to my Windows server

9. My Windows Server 2012 that contains the Certificate Authority server is call VMAD1. I’ll open up a web browser and type in the url:

http://vmad1/certsrv

This will bring me to the Certificate Services web page, where I will click on Request a certificate

10. Select advanced certificate request

11. Select Create and submit a request to this CA

12. Use Notepad to open up your http.csr file. Copy everything in this file including the —BEGIN NEW CERTIFICATE REQUEST — and —END NEW CERTIFICATE REQUEST —

13. Copy the contents into the Saved Requests: window, and under Certificate Template select Web Server. Click Submit

14. Select DER encoded followed by clicking on Download certificate

15. As you can see in the screen shot below, I have downloaded the certificate for http.cerr, I then went and repeated this process to download the consoleproxy.cer file

16. I’ll go back to my WinSCP program and use it to upload the http.cer and consoleproxy.cer file to my vCloud Director server. In this example I have uploaded it to /opt/vmware/vcloud-director/jre/bin

17. Next step is to download the Windows Certificate Authority root certificate. To do this I go my Windows Server – open Certification Authority – expand Certification Authority (Local) – right click on your server, in my case this is displayed as vmlab-VMAD1-CA, and select properties – in the general tab, click on view certificate – click on the details tab – click copy to file – use the wizard to export the file as a DER – select a location and file name to store the certificate, I used root.cer.

Use WinSCP to upload the root.cer file to the vCloud Director server, I placed my into the same location as the http.cer and consoleproxy.cer, /opt/vmware/vcloud-director/jre/bin

Once the file is uploaded we will return to SSH window 2 and install the root certificate by typing:

# ./keytool -alias root -storetype JCEKS -storepass storecertpass -keystore certificates.ks -importcert -file root.cer (replace the storepass with your password)

18. Type yes to trust this certificate

19. After all these steps, we now install the http and consoleproxy certificates:

# ./keytool -storetype JCEKS -storepass storecertpass -keystore certificates.ks -importcert -alias http -file http.cer (replace the storepass with your password)

# ./keytool -storetype JCEKS -storepass storecertpass -keystore certificates.ks -importcert -alias consoleproxy -file consoleproxy.cer (replace the storepass with your password)

We can now verify we have all the certificates installed correctly by querying the certificates.ks file:

# ./keytool -storetype JCEKS -storepass storecertpass -keystore certificates.ks -list (replace the storepass with your password)

You should see a similar screen shot to the one below:

20. We’ll switch back to SSH window 1 and continue with the vCloud Director install. Where it asks for private keys, you can now enter the path to your certificates.ks file:

private keys: /opt/vmware/vcloud-director/jre/bin/certificates.ks

21. Next I’ll be setting up the connection to the vcloud database within Microsoft SQL. I select option 2 for Microsoft SQL Server, enter in my database name vcloud6 and lastly enter my username (vcloud6db) and password that has full access to the vcloud6 database. The wizard will then display that the vCloud Director configuration is now complete and it will ask if you wish to start the service now, select yes.

22. At completion of the installation, vCloud Director creates a responses.properties file located in /opt/vmware/vcloud-director/etc This file is needed to install additional vCloud Director cells and ensures that each cell is configured with the same database configuration. It is recommended to copy this file off the server (you can use WinSCP) and store it in a safe place. If you are curious and would like to see what the responses.properties file contains, you can simply type # cat responses.properties

23. By default the iptables firewall is turned on, for my lab I will be turning it off by typing # service iptables stop, however if you wish to allow port 80 and port 443 you can simply type:

# iptables -A INPUT -p tcp -m tcp – -dport 80 -j ACCEPT (Allows port 80)
# iptables -A INPUT -p tcp -m tcp – -dport 443 -j ACCEPT (Allows port 443)
# iptables-save (Saves the configuration)
# service iptables restart (Restarts the service)

NOTE: if your rules don’t sit exactly where you like, i.e. if the allow rule for HTTPS is below a deny rule please follow these instructions:

# iptables-save > /tmp/iptables.log
# vi /tmp/iptables.log (Change the rules to the order you like)
# iptables-restore < /tmp/iptables.log
# service iptables save
# service iptables restart (Restarts the service)

24. Open up a web browser and type in the URL for your vCloud Director: https://vcloud6director1.vmlab.local You are presented with the welcome screen, click Next

25. Accept the License Agreement

26. Enter your vCloud Director license key

27. Create a user account and enter in the full name and email address of that user

28. Enter in a System Name and Installation ID. The installtion ID needs to be unique amongst vCloud Director clusters due to the way it allocates MAC addresses to the VM’s. The installation ID is used within one octet of the MAC address.

29. The last screen displays a summary of your settings. If you wish to make any change click the Back button, otherwise click Finish

30. We can now login to our vCloud Director cell by typing in the username and password we set in step 27

31. Once we’ve logged, we are presented with the Home screen and Quick Start steps. From here DO NOT add your vCenter server yet. Next we are going to be installing and configuring VMware NSX

Disclaimer:
All the tutorials included on this site are performed in a lab environment to simulate a real world production scenario. As everything is done to provide the most accurate steps to date, we take no responsibility if you implement any of these steps in a production environment.