I’ve been meaning to blog about this topic for about a week but haven’t had a chance to get around to it. Recently I seem to have been involved in many customer SRs concerning registering the VASA Provider for Symmetrix. All of them have the same problem – unable to register the provider – though the cause is not always the same. I’m going to cover the most common cause which fortunately has the easiest solution.
Let’s start with a quick reminder of what VASA is: vSphere Storage API for Storage Awareness or VASA is a set of VMware APIs that permits storage arrays to integrate with vCenter for management functionality. Basically what this means is that when you register a VASA Provider in vCenter, the storage vendor provides a set of storage capabilities that it uses to classify the devices presented to the VMware environment. For example here is a list from my VMAX 10K environment:
These storage capabilities can then be used when creating a VM Storage Profile – a VMware administrator might create a profile that is strictly for SAS thin datastores. When a VMware user creates a VM and chooses the profile, only those datastores that satisfy the profile are shown as compatible:
This insight allows vSphere administrators or users to make quick, intelligent, and informed decisions as to virtual machine placement. I’ll include a link at the bottom to our whitepaper on VASA which has all the detail around using the capability, but back to the purpose of the blog – registration problems.
EMC implements VASA through the SMI-S Provider. The EMC SMI-S Provider can be installed on many different operating systems and is also available through the Solutions Enabler vApp which is the easiest implementation. Once installed, the vApp or the host environment requires access to gatekeepers which are small devices presented from the Symmetrix array(s) used in the VMware environment. The gatekeepers allow communication with the array. Again, the WP below includes installation instructions. After the installation is complete, the VASA Provider needs to be registered through the vCenter. This is done in the Storage Providers page through a dialog box:
Now here is where we have been seeing the problems. Upon clicking OK, an initial box will appear asking you to trust the host:
Once you select ‘Yes’, provider registration will either succeed or it will fail. When it fails there can be a number of different errors but two of these can mean that there is a problem with the certificate that VMware is sending to SMI-S, namely that it is expired. Unfortunately, VMware does not give you a nice error that says “your certificate is expired”. Instead you may see one of the following messages. The first one is almost certainly a certificate problem while the second may or may not be:
If you have one of those errors, checking if you have an expired certificate is simple. Follow these steps:
- On your vCenter host open a command prompt
- Change the directory to C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\bin (vSphere 5.5); C:\Program Files\VMware\Infrastructure\jre\bin (vSphere 5.1)
- Run the following command: keytool -keystore "C:\ProgramData\VMware\VMware VirtualCenter\SSL\sms.keystore" -storepass testpassword -list -v
This will produce an entry similar to below. Note I have boxed in red the valid dates of the certificate:
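To check the dates without reading them by eye, here is an added example (not from the original post or from VMware) that parses the text printed by `keytool -list -v` and flags each certificate as OK, EXPIRED or NOT YET VALID. The sample output, alias names and the `check_validity` helper are constructed for illustration, and the parser assumes keytool's English-locale date format.

```python
import re
import sys
from datetime import datetime

# Constructed sample of `keytool -list -v` output (English locale).
# Aliases, owner and dates are made up for illustration.
SAMPLE = """\
Alias name: sample-old
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=vcenter.example.test
Valid from: Fri Jan 06 10:15:30 PST 2012 until: Mon Jan 06 10:15:30 PST 2014

Alias name: sample-new
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=vcenter.example.test
Valid from: Wed Mar 05 08:00:00 PST 2014 until: Sat Mar 02 08:00:00 PST 2024
"""

VALID_RE = re.compile(r"Valid from:\s*(.+?)\s+until:\s*(.+)")

def _parse(stamp):
    # keytool prints e.g. "Mon Jan 06 10:15:30 PST 2014". Zone abbreviations
    # are ambiguous, so drop the zone and compare as naive local time.
    parts = stamp.split()
    if len(parts) != 6:
        raise ValueError("unexpected date format: %r" % stamp)
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def check_validity(keytool_output, now=None):
    """Return (alias, not_before, not_after, status) for each certificate."""
    now = now or datetime.now()
    alias, results = None, []
    for line in keytool_output.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        m = VALID_RE.match(line)
        if m:
            start, end = _parse(m.group(1)), _parse(m.group(2))
            status = "NOT YET VALID" if now < start else "EXPIRED" if now > end else "OK"
            results.append((alias, start, end, status))
    return results

if __name__ == "__main__":
    # Pass "-" to read real keytool output from stdin; otherwise use SAMPLE.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for alias, start, end, status in check_validity(text):
        print("%-12s until %s  %s" % (alias, end, status))
```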
If the certificate is invalid/expired, you can create a new one. Just a few more steps:
- Stop the VMware VirtualCenter Management Webservices service
- Rename the existing sms.keystore and sms.truststore files located at C:\ProgramData\VMware\VMware VirtualCenter\SSL\.
- Restart the VMware VirtualCenter Management Webservices service
- Wait a couple minutes for the files to regenerate, then try to register the provider again
If the vCenter Server Appliance is used, the sms.keystore and sms.truststore files are located in the following directory: /etc/vmware-vpx/ssl. The keytool is automatically in the path of the root user. For the vApp, simply remove the files (step 2) and reboot the vApp to regenerate.
That’s it. As I said it is not the end all be all of VASA registration issues (take it from me I know), but before opening an SR, you probably want to be sure your certificate is valid. It does seem to be fairly common based on my experience. I’ll be adding this information to the whitepaper below in the near future.
The VMware KB article that includes the steps: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2079087