VASA Registration Problems Revisited

Back in June I published an entry on resolving VASA registration issues (https://drewtonnesen.wordpress.com/2014/06/25/vmax-vasa-and-registration-failure-in-vcenter/). In it I covered some of the more common problems you are likely to hit when attempting to register the VASA Provider in VMware vCenter. Through many customer issues I have come to find that one of the simpler solutions, when the problem is not obvious, is to import a certificate through the ECOM Administration page. Not just any certificate, but the very certificate that VMware is sending to ECOM. Assuming you have followed the steps I laid out in the previous blog entry and confirmed that the VMware certificate is valid, here is how to import it manually so that when registration is attempted, the certificate VMware sends is the one ECOM already has.

I consider this procedure a workaround of sorts and something that should not be necessary; but after spending many days debugging customer environments, it is relatively easy to do and, in my opinion, worth trying before opening an SR with EMC Support. In other words, there is no concern in messing up the environment by doing this, so have at it.

In order to import the VMware certificate into the ECOM page it must be in PEM format and unfortunately it is not. We will need to run two conversions on the file to get it into the PEM format – JKS -> PKCS12 -> PEM.  To convert the existing certificate requires two executables:  keytool and openssl.  Now the keytool is on the vCenter by default (Windows or vApp) but openssl is only on the vApp.  It would have to be installed separately on Windows.  For this reason I am going to use the vApp in my example.  If you are using Windows really the only thing that will change is the file paths.  So the steps:

1.  Execute the following on the vApp to convert the VMware certificate into the PKCS12 format:

keytool -importkeystore -srckeystore /etc/vmware-vpx/ssl/sms.keystore -destkeystore /etc/vmware-vpx/ssl/sms.pkcs -srcstoretype JKS -deststoretype PKCS12

    This command will ask for a password. It is “testpassword”. If an alias exists, as in my case, overwrite it.

2.  Now that the certificate is in PKCS12 format, it can be converted again into PEM format. The command to do that uses openssl.  For the conversion on a Windows box you might choose to sftp the PKCS12 file to a Linux box and then run openssl from there as it is usually included on a Linux install.  I’ve done that also but it is up to you.

openssl pkcs12 -in /etc/vmware-vpx/ssl/sms.pkcs -out /etc/vmware-vpx/ssl/sms.pem

    This command will ask for a password once and a passphrase twice. It is “testpassword” for all.


3.  Once the PEM format is available, it can be copied and imported. To do this, simply run a “more” on the file and copy the PEM format.

4.  Now import the certificate. Log into the ECOM website (https://<IP>:5989/ecomconfig) as the default admin user: admin/#1Password.

5.  Once in, select “SSL Certificate Management” from the menu.

6.  In the next window choose to “Import CA certificate file”.

7.  Finally, paste the PEM certificate from step 3 into the box and submit the certificate.


8.  Retry the VASA registration once complete and it should succeed. Note that if you are registering more than one vCenter and the second vCenter fails to register after this procedure, you can paste multiple certificates into the box in step 7 and try again.
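The PEM file written in step 2 holds more than the certificate: openssl pkcs12 without -nokeys also writes the keystore's private key (which is what the passphrase prompts protect), plus "Bag Attributes" text. As an added example that is not part of the original post, this sketch keeps only the certificate blocks for pasting in step 7; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): function names are illustrative.

# Print only the CERTIFICATE blocks of a PEM file, dropping "Bag Attributes"
# text and any (ENCRYPTED) PRIVATE KEY block that openssl pkcs12 wrote.
pem_certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                           { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }' "$1"
}

# Exit 0 if the file holds any private key block.
pem_has_private_key() {
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Number of certificates in the file.
pem_cert_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Subject, expiry and SHA-256 fingerprint of the first certificate, for
# comparison before pasting (needs openssl and a real certificate).
cert_summary() {
    pem_certs_only "$1" | openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Constructed sample shaped like the step 2 output; the base64 is a placeholder.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
SAMPLE="$WORK/sms.pem"
cat > "$SAMPLE" <<'EOF'
Bag Attributes
    friendlyName: constructed-alias
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: constructed-alias
subject=/CN=constructed-sample
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF

pem_has_private_key "$SAMPLE" && echo "sms.pem contains key material"
pem_certs_only "$SAMPLE" > "$WORK/paste.pem"
echo "certificates to paste: $(pem_cert_count "$WORK/paste.pem")"
cat "$WORK/paste.pem"
```

On the vApp, point pem_certs_only at /etc/vmware-vpx/ssl/sms.pem, and remove sms.pkcs and sms.pem once the import is done, since both carry the key. Adding -nokeys to the openssl command in step 2 avoids writing the key in the first place.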

A pretty straightforward procedure I hope. I have included this in the VASA whitepaper but an update is not yet published so for now this is the available “documentation”.

8 thoughts on “VASA Registration Problems Revisited”

  1. Hi Drew, I got the error “A problem was encountered while registering the provider” when registering VMAX3 VASA to vCenter 6.0. The certificate is not out of date. I am not sure what is wrong. Do you have an update on vCenter 6.0?

    • When you say VMAX3 VASA, do you mean the VASA 8.2 Provider recently released? The VASA 1.x Provider I am talking about in this blog post is not supported with vCenter 6.0. Please clarify.

      • Yes, I mean VASA 8.2 provider. The installation directories of vCenter 6.0 change a lot. Do you know where I can get the detailed error info? Thanks.

      • Another issue is I am not able to mount the database LUN (docu68888_VMAX-VASA-Provider-8.2.0-Release-Notes.pdf, Page 8). The error message is “Failed to discover devices connected”.
        I am not sure whether it will fail to register VASA provider to vCenter.

      • If the VASA DB fails to mount, registration will not be possible. Just a few reminders – you must use Fibre Channel; iSCSI/FCoE are not supported. Devices must be physical RDMs to the VM; however, it is much easier to use the vApp interface to add the devices than adding RDMs in vCenter. The VASA DB device must be 4 GB or more in size. 5 GateKeepers are required. Try referencing my VVol paper to do the vApp installation as it might be more straightforward. Start on page 11: http://www.emc.com/collateral/white-papers/h14576-vmware-virtual-volumes-emc-vmax3-vmax-all-flash.pdf. Without a successful vApp deployment, registration in vCenter will never work.
