Tuesday, 1 April 2014

vCAC 5.2/6.0 Certificate checking - Error "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"

During a recent challenging installation I had a situation where I needed to front both vCAC web servers with a customer-generated, verified certificate and keep the rest of the certificates self-signed.

This was simple in theory: just replace the certificates on the web servers.

We generated certificate requests from both web servers and submitted them to the CA.  Once I had the certificates, they were installed on the vCAC web servers and I changed the bindings in IIS for 443.  I then placed both new certs on the MGMT servers and restarted the services.  The MGMT service failed to start and gave the following error:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"  

I then looked in some of the vCAC documentation and found that I needed the following:

1. The intermediate CA certificate
2. The domain certificate

I placed these on all the machines via Group Policy and tried to start the service again.  The MGMT service still failed.

I then investigated some of the vCAC code, as I thought there must be something going on that was not apparent.  I found that all the components try to check signed certs against the issuing CA authority root.  This is not documented clearly (if at all), so it was a bit of a find.  I then looked at how to overcome this.  Some of you who have installed vCAC many times will recall there is an option to "Suppress certificate mismatch" when you install some of the site components.

That option turns the certificate check off for the component being installed, but the installer does not offer it for many of the components.  For those you add the equivalent setting to the service's own .NET configuration file by hand, as follows.

Find the "ManagerService.exe.config" file in "/Program Files (x86)/VMware/vCAC/Server", take a backup copy of it, and open it in a text editor run as Administrator (the directory is under Program Files and is write-protected for normal users).  Go to the bottom of the file and, just before the closing "</configuration>" tag, insert the following:

<system.net>
    <settings>
        <servicePointManager checkCertificateName="false" checkCertificateRevocationList="false"/>
    </settings>
</system.net>

Be clear about what these two attributes do, because it is less than "not checking the cert chain".  checkCertificateName="false" stops .NET verifying that the certificate's subject or SAN matches the host name the service connects to, so a cert issued for the load-balanced name still works when the service is configured with an individual server name (or the other way round).  checkCertificateRevocationList="false" stops the CRL lookup, which otherwise fails when the servers cannot reach the CA's CRL distribution point.  Validation of the chain itself still happens: the issuing root and intermediate must still be in the machine's trusted stores, which is why the Group Policy step above is still needed.  Both settings apply to every outbound HTTPS connection the service makes, so treat this as a workaround; the proper fix is a certificate whose SAN covers every name the components use and a CRL distribution point the servers can reach.  With the settings in place the service will start.  You will also need to add the same block, in the same place, to the .exe.config of each of the other services, such as the DEMs and the Designer.
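As an added example (my own, not the author's or VMware's), the PowerShell below does two things for the situation above: Test-VcacTlsTrust connects to the vCAC web server with .NET's own validation and reports separately whether the failure is a host-name mismatch, an untrusted chain, or a revocation lookup, which tells you whether the two attributes above will even help; Add-ServicePointManagerOverride then writes the block into a given .exe.config without hand-editing, creating only the elements that are missing so it can be run more than once.  Both function names, the host name and the config path in the usage lines are my own placeholders.

```powershell
# Added example (not from the original post, and not VMware's code).
# 1) Find out WHICH TLS check the .NET client is failing (name mismatch,
#    untrusted chain, or unreachable CRL).
# 2) Only if you accept the risk, write the ServicePointManager override
#    into an .exe.config.  Host names and paths below are placeholders.

function Test-VcacTlsTrust {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # the name the vCAC config points at
        [int]$Port = 443
    )
    # The callback records what default validation objects to instead of
    # throwing, so the report separates name, chain and revocation problems.
    $seen = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None; ChainStatus = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.PolicyErrors = $sslPolicyErrors
        if ($chain) {
            $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
        return $true   # accept for this diagnostic only; never do this in a service
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $protocols = [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12'
        $noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # Last argument $true = check revocation, i.e. what the default
        # checkCertificateRevocationList="true" makes the service do.
        $ssl.AuthenticateAsClient($HostName, $noClientCerts, $protocols, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            # checkCertificateName="false" hides only this one
            NameMismatch = (($seen.PolicyErrors -band $nameMismatch) -eq $nameMismatch)
            # untrusted root/intermediate, or a revocation problem
            ChainErrors  = (($seen.PolicyErrors -band $chainErrors) -eq $chainErrors)
            # e.g. UntrustedRoot, PartialChain, RevocationStatusUnknown, OfflineRevocation
            ChainStatus  = ($seen.ChainStatus -join ', ')
        }
    }
    finally {
        $tcp.Close()
    }
}

function Add-ServicePointManagerOverride {
    param([Parameter(Mandatory = $true)][string]$ConfigPath)
    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).ProviderPath
    # Keep a copy of the live service configuration before touching it.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($fullPath)
    $root = $xml.DocumentElement   # <configuration>
    # Create <system.net><settings><servicePointManager/> only where missing,
    # so running this twice does not duplicate the elements.
    $net = $root.SelectSingleNode('system.net')
    if ($null -eq $net) { $net = $root.AppendChild($xml.CreateElement('system.net')) }
    $settings = $net.SelectSingleNode('settings')
    if ($null -eq $settings) { $settings = $net.AppendChild($xml.CreateElement('settings')) }
    $spm = $settings.SelectSingleNode('servicePointManager')
    if ($null -eq $spm) { $spm = $settings.AppendChild($xml.CreateElement('servicePointManager')) }
    # These relax only the host-name and CRL checks; an untrusted issuer still fails.
    $spm.SetAttribute('checkCertificateName', 'false')
    $spm.SetAttribute('checkCertificateRevocationList', 'false')
    $xml.Save($fullPath)
}

# Usage on the Manager Service host (host name and path are assumptions):
#   Test-VcacTlsTrust -HostName 'vcac-web.corp.example' | Format-List
#   Add-ServicePointManagerOverride -ConfigPath 'C:\Program Files (x86)\VMware\vCAC\Server\ManagerService.exe.config'
```

Run the test first against the exact host name the component is configured with, not the name you happen to browse to.  If NameMismatch is true, the override (or better, a reissued cert with that name in its SAN) addresses it; if ChainErrors is true with UntrustedRoot or PartialChain in ChainStatus, no ServicePointManager setting will help and the root or intermediate is still missing from the machine's store; RevocationStatusUnknown or OfflineRevocation means the CRL is unreachable, which is the case checkCertificateRevocationList="false" papers over.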

Tuesday, 21 January 2014

Placing all vCAC 5.2 web components and REPO404 error

Hi all

I know vCAC 5.2 is the previous version now, with vCAC 6.0 having been released.  However, there are still a large number of vCAC 5.2 projects running, including the one I am working on at the moment.

I had a problem where the initial install was done by some colleagues and I continued with the installation, building out the vCAC web layer to a 2-node load-balanced construct.  The install completed by my colleagues followed my design.  I had placed the vCAC Manager Server role and the vCAC Model Manager Web Services role on separate machines.  My reasoning was based on the security requirements of the customer.

The installation was functioning well until we came to build the second web server.  We then had major problems with all the portals: we lost both the vCAC Admin portal and the vCAC Self-Service Portal and got REPO404 errors when trying to access them.

I looked over the logs of the vCAC web servers and could see loads of SSL errors, so I checked the certificates on all the servers; all of them were correct.

After some internal discussion I decided to place the Model Manager Web service on the web servers with the other website components.  We reinstalled vCAC from the start and found this removed the error.

I think the problem was a combination of the SSL configuration and the communication URL the Model Manager was using being replaced with a new one when the second Admin portal service was installed.  This then conflicted with the URLs and certs in the Manager service, and maybe in the repository.  We could have overcome this with a load balancer, but at the time we didn't have one available.

Hope this helps if you see the REPO404 error, as there isn't much documented about it.


Wednesday, 8 January 2014

Using Network Profiles in vCAC 5.2

Hi All

Another quick thing I thought I would blog during an install I am doing.  The customer is building from my design and came over to me and asked, "Where is the Network Profiles option?"  After going over and seeing what they were asking, it became apparent that they were unaware of the obscure place where this is enabled.

Go to vCAC Administrator > Customization, tick the box for "Enable Static IP service" and click OK.  This enables the Network Profiles option in the side bar.

Thanks
Phil

Friday, 3 January 2014

Installing ESXi via USB drive

Being mainly an architect or design lead on many projects, I find I don't tend to get as involved with installs as I would like.  But when rebuilding my lab I found a good USB boot device tool.

Universal USB installer

Select "Other Linux Distro".  This will then let you select the ESXi install ISO and then your USB drive.

Very good tool and works a treat.