#!/bin/bash
#VCSA SSO and vSphere Web Client Configuration Script
##
# THIS PART ADDED BY BENNY SHTARK
#
# IMPORTANT!
# Create "A" record for IP of the server for the HOSTNAME first!
#
# COPY THIS ENTIRE FOLDER WITH 4 CERTIFICATE FILES TO SOMEWHERE ON VCENTER.
# THEN RUN FOLLOWING
#
# chmod +x chcert.sh
# ./chcert.sh <server>.example.com 'vmware@localhost' '1server.crt,2inter.crt,3root.crt' 4private.key <server>.example.com
#
# of course, replace <server> with the server's actual HOSTNAME
#
#
#CHANGELOG - Version - 2012.10.08-01
# - Fixed logbrowser issue, per http://derek858.blogspot.com/2012/10/vmware-vcenter-51-installation-part-14.html
#CHANGELOG - Version - 2012.10.04-02
# - Fixed a typo in a variable name (again, whoops)
#CHANGELOG - Version - 2012.10.04-01
# - Minor updates to comments and command line output
# - Added toggle variable to disable undesired embedded services or leave them enabled
# - Added code to disable ssh as root
# - Added code to change the root password
# - Added code to set the SSO master password and the admin password (required to successfully add the AD domain as an identity source)
#CHANGELOG - Version - 2012.10.02-02
# - Fixed a typo in a variable name
#CHANGELOG - Version - 2012.10.02-01
# - Added comments in script header
# - Added code to remove dos line feeds from certificate files (typically due to incorrect transfer mode)
# - Added test that exits if the certificate change fails
# - Added test to make sure the private key file exists and was created with rsagen
# - Added test that exits if the VCSA fails to join Active Directory
# - Added code before each exit to purge the bash history if any passwords are specified at the command line
# - Added code to add the AD domain to SSO as an identity source (sometimes SSO does this on its own, sometimes it doesn't...)
#CHANGELOG - Version - 2012.10.01-01
# - Initial Release
#FEATURES - this script will
# 1. Accept the EULA
# 2. Configure the fully-qualified hostname
# 3. Join Active Directory (if desired)
# 4. Enable the embedded vCenter SSO service
# 5. Replace the self-signed SSL certs with those provided by a CA
# 6. Re-configure the vSphere Web Client and SSO service to function behind a load-balancer
# 7. Disable undesired embedded services (chkconfig <service> off): vcenter, inventory (for use with an external vCenter Server)
# 8. Set the SSO master password and the admin password
# 9. Add the AD domain as an SSO identity source
#10. Set the root password
# TODO
# - Configure AD domain as a default identity source
# - Configure SSO service with AD admin group
# - Configure Syslog target
# - Init script to fix hostname and search domain issues
# - Disable additional unnecessary/undesired services - logbrowser? netdumper? syslog-collector?
#PREREQUISITES and ASSUMPTIONS
# - Generate a trusted CA certificate for the VCSA. Be sure to include digitalSignature, keyEncipherment, dataEncipherment, serverAuth, and subjectAltName
# - This script requires certificate files for the server, intermediate CAs, and the root CA.
# - Certificate files must be in Base 64-encoded X.509 format. Be sure to use text transfer mode.
# - Configure the load balancer, if one will be used (it must be done before running the script)
# - This script is intended to be run against a VCSA that was just deployed from the OVF.
# - It is assumed that appliance usernames, passwords, services, and ports remain at their defaults.
#EXPECTED USAGE
# - Copy this script and the certificate files to the VCSA
# - Login as root
# - chmod +x <scriptname>
# - ./<scriptname> VCSA_HOSTFQDN LOCALOS_ADMIN_PASS CERT_CHAIN CERT_KEY VCENTER_SSO_ALIASFQDN 'AD_PASS' AD_USER AD_DOMAIN 'SSO_MASTER_PASS' 'SSO_ADMIN_PASS'
#
#Required Parameters:
# - VCSA_HOSTFQDN: Fully qualified hostname of the VCSA. i.e. 'hostname.domain.local'
# - LOCALOS_ADMIN_PASS: Password to set for the local root account. Use single quotes around the password. e.g. '\''1mR00t@localos'\'''
# - CERT_CHAIN: Comma-delimited, ordered list of certificate filenames. Files must be in current directory. Provide certificates for: the VCSA, intermediate CA(s), and the root CA. i.e. 'server.crt,intermediate.crt,root.crt'
# - CERT_KEY: Filename containing the private key for the VCSA certificate. i.e. 'rui.key'
# - VCENTER_SSO_ALIASFQDN: Fully-qualified name of the load-balanced alias for the vCenter Single-Sign On service. If no load balancer, just repeat the hostname.fqdn. i.e. 'vcsso.domain.local'
#Optional Parameters:
# - AD_PASS: Password of an Active Directory account that has permissions to join computers to the domain. Be sure to use single quotes around the password. i.e. 'Im@passw0rd.'
# - AD_USER: Username of an Active Directory account that has permissions to join computers to the domain. i.e. 'john.doe'
# - AD_DOMAIN: Domain name in dotted format. i.e. 'domain.local'
# - SSO_MASTER_PASS: Password to set for the SSO master. It is used to recover passwords. DO NOT LOSE THIS PASSWORD. e.g. '1mp0rt@nt'
# - SSO_ADMIN_PASS: Password to set for the SSO admin user. e.g. '1manSS0@dmin'
#CREDITS
# Scripts compiled and modified by:
# Loren Gordon
# lorenATfleet-it.com
#
# Original scripts by:
# William Lam
# www.virtuallyghetto.com
#
# Logbrowser fix by:
# Derek Seaman and Terafirma
# http://derek858.blogspot.com/2012/10/vmware-vcenter-51-installation-part-14.html

# User Configurations
VCSA_HOSTFQDN=${1:-UNSET}
LOCALOS_ADMIN_PASS=${2:-UNSET}
CERT_CHAIN=${3:-UNSET} # Format: Comma separated, ordered list of the server, intermediate, and root CA certs in Base 64 encoded X.509 format. i.e. server.crt,intermediate.crt,root.crt
CERT_KEY=${4:-UNSET}
VCENTER_SSO_ALIASFQDN=${5:-UNSET}
AD_PASS=${6:-UNSET}
AD_USER=${7:-UNSET}
AD_DOMAIN=${8:-UNSET} # Format: Dotted domain name. i.e. google.com, dodiis.net, etc
SSO_MASTER_PASS=${9:-UNSET}
SSO_ADMIN_PASS=${10:-UNSET}
LOCALOS_ADMIN_USER=root
VCENTER_SSO_PORT=7444 # 7444 is the default SSO port
LDAP_PROTO=ldaps # ldaps or ldap
LDAP_PORT=3269 # 389 or 3268 for ldap, 636 or 3269 for ldaps
DISABLE_ROOT_SSH=0 # 1 to disable ssh for root; 0 to leave it enabled
DISABLE_UNDESIRED_SERVICES=0 # 1 to disable undesired services; 0 to leave them enabled

## DO NOT EDIT BEYOND HERE ##
VCSA_SHORTNAME=$(echo ${VCSA_HOSTFQDN} | cut -d. -f1)
SSO_SRV=${VCENTER_SSO_ALIASFQDN}:${VCENTER_SSO_PORT}
VI_REGTOOL=/usr/lib/vmware-sso/bin/vi_regtool
CERT_PATH=/root/${VCSA_HOSTFQDN}-certs
SSO_CERT=${CERT_PATH}/${VCENTER_SSO_ALIASFQDN}.crt
VCSA_CERT=${CERT_PATH}/rui.crt
VCSA_CERTKEY=${CERT_PATH}/rui.key
JOIN_AD=0

countdown()
{
    #This function will pause while counting down from an input number to 0, displaying the decrementing count
    countdown=${1:-15}
    w=${#countdown}
    while [ ${countdown} -gt 0 ]
    do
        sleep 1 &
        printf " %${w}d\r" "$countdown"
        countdown=$(( $countdown - 1 ))
        wait
    done
    printf "\a"
} 2>/dev/null

if [ ! "${AD_PASS}" = "UNSET" ]; then JOIN_AD=1; fi

echo "Validating parameter count..."
CHECK_PARAMS=0
if [ $# -lt 5 ]; then CHECK_PARAMS=1; fi
if [ $# -gt 5 ] && [ ! $# -eq 10 ]; then CHECK_PARAMS=1; fi
if [ ${CHECK_PARAMS} -eq 1 ]; then
    echo 'ERROR: Incorrect parameter count.'
    echo 'This script requires a minimum of 5 parameters:'
    echo ' $1 is the hostname.f.q.d.n for the vCenter Server Appliance that is being configured. e.g. vcsa.domain.local'
    echo ' $2 is the password to set for the local root account. Use single quotes around the password. e.g. '\''1mR00t@localos'\'''
    echo ' $3 is a comma-delimited, ordered list of certificate filenames that form a complete certificate chain.'
    echo '    The certificates must be in Base 64-encoded X.509 format.'
    echo '    The order must be the server certificate, then the intermediate CA certificate(s), then the root CA certificate.'
    echo '    There can be as many intermediate CA certs as needed to complete the chain.'
    echo '    i.e. '\''server.crt,intermediate1.crt,intermediate2.crt,root.crt'\'''
    echo ' $4 is the filename of the private key for the server certificate. Key must be RSA format.'
    echo ' $5 is the load-balanced alias.f.q.d.n for the vCenter Single-Sign On service. If not behind a load balancer, just repeat the hostname.fqdn'
    echo 'This script accepts another 5 optional parameters. These parameters are only required to join the system to Active Directory:'
    echo ' $6 is the password of the active directory user specified in the next parameter. Use single quotes around the password. e.g. '\''1man3X@mple'\'''
    echo ' $7 is the active directory username that will add the server to Active Directory. e.g. imausername'
    echo ' $8 is the Active Directory domain name in dotted format. e.g. google.com, dodiis.net, etc'
    echo ' $9 is the master password the script will set for the SSO service. It is used to recover passwords. DO NOT LOSE THIS PASSWORD. e.g. '\''1mp0rt@nt'\'''
    echo ' $10 is the password the script will set for the SSO admin user. e.g. '\''1manSS0@dmin'\'''
    echo 'Exiting...'
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi

echo "Input parameters:"
echo " VCSA_HOSTFQDN=${VCSA_HOSTFQDN}"
echo " LOCALOS_ADMIN_PASS=${LOCALOS_ADMIN_PASS}"
echo " CERT_CHAIN=${CERT_CHAIN}"
echo " CERT_KEY=${CERT_KEY}"
echo " VCENTER_SSO_ALIASFQDN=${VCENTER_SSO_ALIASFQDN}"
echo " AD_PASS=${AD_PASS}"
echo " AD_USER=${AD_USER}"
echo " AD_DOMAIN=${AD_DOMAIN}"
echo " SSO_MASTER_PASS=${SSO_MASTER_PASS}"
echo " SSO_ADMIN_PASS=${SSO_ADMIN_PASS}"
echo " VCENTER_SSO_PORT=${VCENTER_SSO_PORT}"
echo " LDAP_PROTO=${LDAP_PROTO}"
echo " LDAP_PORT=${LDAP_PORT}"
echo "Make sure the certificate files listed are in the current directory and all parameter values are correct."
echo "The CERT_CHAIN parameter must be in this order: servercert,intermediateCAcert,rootCAcert."
echo
read -e -p "Is everything ready to proceed [YES|NO]? (NO): " CHECK_VALUES
CHECK_VALUES=${CHECK_VALUES:-NO}
if [ ! "${CHECK_VALUES}" = "YES" ]; then
    echo "Exiting due to user response of NO or unrecognized input. Only a YES response will proceed. Please re-run the script when ready."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi

echo "Testing parameter values..."
CERT_CHAIN=$(echo ${CERT_CHAIN} | sed 's/,/ /g')
echo "Checking for certificate files: ${CERT_CHAIN}"
for file in ${CERT_CHAIN}
do
    if [ ! -e "${file}" ]; then
        echo "Certificate file not found: ${file}"
        echo "Check input values and make sure file is in the current directory. It is safe to re-run the script at this exit point."
        echo "Purging .bash_history file to remove any passwords..."
        cat /dev/null > ~/.bash_history
        exit 1
    fi
done
echo "Checking for certificate key: ${CERT_KEY}"
if [ ! -e "${CERT_KEY}" ]; then
    echo "Certificate key file not found: ${CERT_KEY}"
    echo "Check input values and make sure file is in the current directory. It is safe to re-run the script at this exit point."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi
echo "Checking that certificate key was created with rsagen: ${CERT_KEY}"
TEST_KEY=`grep RSA ${CERT_KEY}`
if [ -z "${TEST_KEY}" ]; then
    echo "Certificate key is not RSA format: ${CERT_KEY}"
    echo "Regenerate the key file as an RSA key; then generate a new certificate; then re-run the script."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi
echo "Parameter tests complete. Continuing..."
echo

echo "Accepting EULA ..."
/usr/sbin/vpxd_servicecfg eula accept

# NOTE: Upon reboot, one of the VMware init scripts does something strange to the hostname, so it shows up as 'hostname' rather
# than 'hostname.fqdn' in the lighttp UI (port 5480) and upon ssh login.
# Also, the VMware init scripts will re-write /etc/resolv.conf and wipe the DNS search domain.
# No fixes as of yet, but impact appears to be purely cosmetic.
# Perhaps a S99 init script will work around the problem...
echo "Configuring VCSA hostname (${VCSA_HOSTFQDN})..."
echo ${VCSA_HOSTFQDN} > /etc/HOSTNAME
/bin/hostname --file /etc/HOSTNAME
sed -i "s/localhost.localdom localhost/${VCSA_HOSTFQDN} ${VCSA_SHORTNAME}/g" /etc/hosts
IP_ADDR=`ifconfig eth0 | awk '/inet addr:/{print $2}' | awk -F":" '{print $2}'`
SEARCH_DOM=`hostname -d`
TESTSEARCH=`grep "${SEARCH_DOM}" /etc/resolv.conf`
echo "Configuring DNS search suffix (${SEARCH_DOM})..."
if [ -z "${TESTSEARCH}" ]; then
    echo search ${SEARCH_DOM} >> /etc/resolv.conf
else
    echo "DNS search domain already configured. Skipping..."
fi

if [ ${JOIN_AD} -eq 1 ]; then
    echo "Configuring Active Directory ..."
    STATUS_JOINAD=`/usr/sbin/vpxd_servicecfg ad write "${AD_USER}" "${AD_PASS}" "${AD_DOMAIN}"`
    STATUS_JOINAD=`echo ${STATUS_JOINAD} | cut -d= -f2`
    # String comparison: an empty result (command produced no VC_CFG_RESULT line) must count as a failure too
    if [ "${STATUS_JOINAD}" != "0" ]; then
        echo "Failed to join Active Directory."
        echo "Command entered: /usr/sbin/vpxd_servicecfg ad write \"${AD_USER}\" \"${AD_PASS}\" \"${AD_DOMAIN}\""
        echo "Exit string: VC_CFG_RESULT=${STATUS_JOINAD}"
        echo "Exit code definition: $(grep ${STATUS_JOINAD} /usr/sbin/vpxd_servicecfg)"
        echo
        echo "Double check the username, password, and domain name; then re-run the script."
        echo "If the script continues failing at this point, re-deploy the VCSA from OVF and try again."
        echo "Purging .bash_history file to remove any passwords..."
        cat /dev/null > ~/.bash_history
        exit 1
    fi
    echo "VCSA joined to AD successfully. Return code is: VC_CFG_RESULT=${STATUS_JOINAD}"
    /opt/likewise/bin/lw-set-default-domain ${AD_DOMAIN}
fi
echo

echo "Enabling SSO and vSphere Web Client. This will take several minutes..."
/usr/sbin/vpxd_servicecfg sso write embedded
echo "Enabling embedded vCenter service. This is required to start the vCenter server and change the SSL certs successfully..."
/usr/sbin/vpxd_servicecfg db write embedded
echo "Starting vCenter service. This service must be started once to change the SSL certs successfully..."
service vmware-vpxd start
echo "Stopping services to update certificates..."
echo "Running 'service vmware-vpxd stop'"
service vmware-vpxd stop
echo "Running 'service vmware-sso stop'"
service vmware-sso stop
echo

### Create .crt chain
mkdir -p ${CERT_PATH}
cat /dev/null > ${VCSA_CERT} #Make sure the cert chain starts with an empty file
echo "Creating the server certificate chain with certificate files: ${CERT_CHAIN}"
for file in ${CERT_CHAIN}
do
    #Remove line feeds from incorrect transfer mode and append the cert to the chain file
    awk '{sub (/\r$/,"");print}' ${file} >> ${VCSA_CERT}
done
cp ${CERT_KEY} ${VCSA_CERTKEY} #Copy the key file to the expected location
echo "Saving self-signed root CA SSO certificate to /etc/ssl/certs/SSO-STS-Root.pem..."
cp /etc/ssl/certs/Embedded-SSO-Server-Root-CA.pem /etc/ssl/certs/SSO-STS-Root.pem
echo "Updating the SSL certificates. This will take a minute or so..."
STATUS_CERTCHANGE=`/usr/sbin/vpxd_servicecfg certificate change ${VCSA_CERT} ${VCSA_CERTKEY}`
STATUS_CERTCHANGE=`echo ${STATUS_CERTCHANGE} | cut -d= -f2`
# String comparison so an empty result is treated as a failure instead of a test error
if [ "${STATUS_CERTCHANGE}" != "0" ]; then
    echo "Certificate change was unsuccessful."
    echo "Command entered: /usr/sbin/vpxd_servicecfg certificate change ${VCSA_CERT} ${VCSA_CERTKEY}"
    echo "Exit string: VC_CFG_RESULT=${STATUS_CERTCHANGE}"
    echo "Exit code definition: $(grep ${STATUS_CERTCHANGE} /usr/sbin/vpxd_servicecfg)"
    echo
    echo "Double check the certificates and the certificate order; then re-run the script."
    echo "Certificate order must be: server.crt,intermediateCA2.crt,intermediateCA1.crt,rootCA.crt"
    echo "If the script continues failing at this point, re-deploy the VCSA from OVF and try again."
    echo "Purging .bash_history file to remove any passwords..."
    cat /dev/null > ~/.bash_history
    exit 1
fi
echo "Certificate change successful. Return code is: VC_CFG_RESULT=${STATUS_CERTCHANGE}"
echo

echo "Starting services to complete certificate change..."
service vmware-vpxd start
service vmware-sso start
service vami-lighttp restart
service vsphere-client restart
echo "Sleeping 40 seconds to let the vSphere Web Client initialize..."
countdown 40
echo

echo "Setting root password..."
echo "${LOCALOS_ADMIN_PASS}" | passwd --stdin ${LOCALOS_ADMIN_USER}
${VI_REGTOOL} listServices https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk > /tmp/localservices
echo

echo "Re-configuring SSO to use load-balanced alias..."
#Build the properties files, per VMware KB2033588
cat > /tmp/sts.properties << ENDSTS
[service]
friendlyName=Security Token Service at ${VCENTER_SSO_ALIASFQDN}
version=1.0
type=urn:sso:sts
description=The Security Token Service of the Single Sign On server
[endpoint0]
uri=https://${SSO_SRV}/ims/STSService
ssl=${SSO_CERT}
protocol=wsTrust
ENDSTS

cat > /tmp/gc.properties << ENDGC
[service]
friendlyName=SSO Group Check Service at ${VCENTER_SSO_ALIASFQDN}
version=1.0
type=urn:sso:groupcheck
description=The Group Check interface of the Single Sign On server
[endpoint0]
uri=https://${SSO_SRV}/sso-adminserver/sdk
ssl=${SSO_CERT}
protocol=vmomi
ENDGC

cat > /tmp/admin.properties << ENDADMIN
[service]
friendlyName=SSO Administration Service at ${VCENTER_SSO_ALIASFQDN}
version=1.0
type=urn:sso:admin
description=The Administration Service of the Single Sign On server
[endpoint0]
uri=https://${SSO_SRV}/sso-adminserver/sdk
ssl=${SSO_CERT}
protocol=vmomi
ENDADMIN

#Write files containing the SSO Service IDs
grep -B2 type=urn:sso:sts /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/sts.id
grep -B2 type=urn:sso:groupcheck /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/gc.id
grep -B2 type=urn:sso:admin /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/admin.id

#Get SSL certificate for ${SSO_SRV}
echo "Retrieving ${SSO_SRV} SSL Certificate"
echo "" | openssl s_client -connect ${SSO_SRV} 2> /dev/null 1> /tmp/cert
echo "Storing ${SSO_SRV} SSL Certificate in ${SSO_CERT}"
openssl x509 -in /tmp/cert > ${SSO_CERT}

echo "Adding Lookup Service URL to /etc/vmware/ls_url.txt & /etc/vmware-sso/ls_url.txt"
cp /etc/vmware/ls_url.txt /etc/vmware/ls_url.txt.bak
cp /etc/vmware-sso/ls_url.txt /etc/vmware-sso/ls_url.txt.bak
echo "https://${SSO_SRV}/lookupservice/sdk" > /etc/vmware/ls_url.txt
echo "https://${SSO_SRV}/lookupservice/sdk" > /etc/vmware-sso/ls_url.txt

#Update the SSO services
echo "Updating SSO services...(this won't work behind a load balancer if the SSL certs didn't update successfully)"
${VI_REGTOOL} updateService -d https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/sts.id -ip /tmp/sts.properties
${VI_REGTOOL} updateService -d https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/gc.id -ip /tmp/gc.properties
${VI_REGTOOL} updateService -d https://${VCSA_HOSTFQDN}:${VCENTER_SSO_PORT}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/admin.id -ip /tmp/admin.properties

#Fix the logbrowser service
#Internally, it seems the logbrowser service needs to trust the self-signed certificate for some yet-unknown reason
echo
echo "Repointing the logbrowser service to the saved self-signed certificate..."
sed -i.bak 's/.*sso-certs=.*/sso-certs=\/etc\/ssl\/certs\/SSO-STS-Root.pem/' /usr/lib/vmware-logbrowser/conf/logbrowser.properties
service vmware-logbrowser restart

#####
#Next section stops, disables, and unregisters the undesired local services and solution users
#If the local vpxd service is stopped but not unregistered, there will be an error when logging into the web client
#####
if [ ${DISABLE_UNDESIRED_SERVICES} -eq 1 ]; then
    echo
    echo "Disabling undesired services..."
    echo "Running 'service vmware-vpxd stop'"
    service vmware-vpxd stop
    echo "Disabling the vCenter service with 'chkconfig vmware-vpxd off'"
    chkconfig vmware-vpxd off
    echo "Removing local vpxd solution user..."
    VPXD_USER=$(grep ownerId=vpxd /tmp/localservices | cut -d= -f2 | cut -d@ -f1)
    ${VI_REGTOOL} unregisterSolution -d https://${SSO_SRV}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -su ${VPXD_USER}
    echo "Removing local vpxd service registration..."
    grep -B1 serviceName="vpxd" /tmp/localservices | grep serviceId | cut -d= -f2 > /tmp/vpxd.id
    ${VI_REGTOOL} unregisterService -d https://${SSO_SRV}/lookupservice/sdk -u ${LOCALOS_ADMIN_USER} -p ${LOCALOS_ADMIN_PASS} -si /tmp/vpxd.id
    rm /tmp/vpxd.id
    echo "Running 'service vmware-inventoryservice stop'"
    service vmware-inventoryservice stop
    echo "Disabling the Inventory service with 'chkconfig vmware-inventoryservice off'"
    chkconfig vmware-inventoryservice off
fi

####
#
# Add AD domain as an SSO identity source
# Command may fail if there are certificate or SSL problems with the DC
#
if [ ${JOIN_AD} -eq 1 ]; then
    echo
    echo "Resetting the SSO master password..."
    source /etc/vmware-sso/keys/recovery.cfg
    /usr/lib/vmware-sso/utils/ssowrench manage-secrets -a change -u "${SSO_RECOVERY_USERNAME}" -p "${SSO_RECOVERY_PASSWORD}" -N "${SSO_MASTER_PASS}"
    echo "Resetting the SSO admin password..."
    /usr/lib/vmware-sso/utils/ssowrench reset-admin-password -u admin -p "${SSO_ADMIN_PASS}" -m "${SSO_MASTER_PASS}"
    echo "Attempting to identify two domain controllers..."
    DC1=`dig any _gc._tcp.${AD_DOMAIN} | grep -A2 ";; ADDITIONAL" | grep IN | awk -F". " 'NR==1{print $1}'`
    DC2=`dig any _gc._tcp.${AD_DOMAIN} | grep -A2 ";; ADDITIONAL" | grep IN | awk -F". " 'NR==2{print $1}'`
    AD_ALIAS=`/opt/likewise/bin/lw-get-status |awk '/Netbios name:/{print $3}'`
    if [ ! -z "${DC1}" ] && [ ! -z "${DC2}" ]; then
        echo "Found ${DC1} and ${DC2}."
        echo "Attempting to add ${AD_DOMAIN} as an SSO identity source..."
        echo "Running command: /usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a create -u admin -p ${SSO_ADMIN_PASS} -S -X -r ${LDAP_PROTO}://${DC1}:${LDAP_PORT} -f ${LDAP_PROTO}://${DC2}:${LDAP_PORT} -L ${AD_USER}@${AD_DOMAIN} -P ${AD_PASS} -d ${AD_DOMAIN} -l ${AD_ALIAS} --use-gssapi"
        /usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a create -u admin -p "${SSO_ADMIN_PASS}" -S -X -r ${LDAP_PROTO}://${DC1}:${LDAP_PORT} -f ${LDAP_PROTO}://${DC2}:${LDAP_PORT} -L ${AD_USER}@${AD_DOMAIN} -P "${AD_PASS}" -d ${AD_DOMAIN} -l ${AD_ALIAS} --use-gssapi
        echo
        echo "Sometimes there's a problem with the VCSA when adding the domain as an identity source. "
        echo "If there is an error message, try adding the identity source manually via the vSphere Web Client."
        echo "If that fails, try resetting the computer account in active directory and re-deploying the VCSA."
    else
        echo "Couldn't identify domain controllers. Manually add the domain as an SSO identity source."
    fi
fi

if [ "${DISABLE_ROOT_SSH}" -eq 1 ]; then
    echo
    echo "Disabling ssh as root..."
    sed -i.bak 's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
    service sshd restart
fi

#Purge passwords from bash history
#Technically, this shouldn't do anything since the history file is written on exit and this *should* be a newly deployed VCSA... :)
echo
echo "Purging .bash_history file to remove passwords..."
cat /dev/null > ~/.bash_history
echo
echo "VCSA configuration completed. Run 'history -c' to remove "
echo "passwords from the command line history of the current "
echo "shell session or they will be written to the history file. "
echo "Then run 'reboot' to restart the VCSA."
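The PREREQUISITES section and the "Create .crt chain" loop above rely on two thin checks: a `grep RSA` on the key file and an awk that strips CR line endings while it concatenates the chain. The following POSIX shell functions are an added example, not part of the original paste or of Loren Gordon's or William Lam's scripts, showing the pre-flight checks a practitioner would run on the same CERT_CHAIN and CERT_KEY inputs before starting the script: one certificate per file, no CR residue, a usable (unencrypted) PEM key in either PKCS#1 or PKCS#8 form, and, when openssl is installed, that the files actually verify in server,intermediate,root order and that the key matches the server certificate. File names such as server.crt and the PEM contents in the comments are constructed; the openssl-based checks return 2 instead of failing when openssl is absent so the caller can distinguish "not checked" from "wrong".

```shell
#!/bin/sh
# Pre-flight checks for the VCSA script's certificate inputs (added example).

# Strip the CR of DOS line endings, as the script's awk does while building the
# chain; the cleaned copy is written to $2 so the input file stays untouched.
normalize_pem() {
    tr -d '\r' < "$1" > "$2"
}

# Print how many certificate blocks a PEM file contains (0 when there are none).
count_cert_blocks() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only for an existing file holding exactly one certificate, with a
# matching END marker and no CR line endings left in it.
check_cert_file() {
    f=$1
    [ -f "$f" ] || { echo "missing certificate file: $f"; return 1; }
    begins=$(count_cert_blocks "$f")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected exactly one certificate in $f (found $begins BEGIN / $ends END)"
        return 1
    fi
    crs=$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')
    if [ "$crs" -ne 0 ]; then
        echo "$f has CR line endings; run normalize_pem on it (use text transfer mode)"
        return 1
    fi
    return 0
}

# Classify the private key by its PEM header. The script's `grep RSA` accepts
# any file containing the letters RSA and rejects an RSA key stored in PKCS#8
# form ("BEGIN PRIVATE KEY"); a passphrase-protected key cannot be loaded by a
# service that starts with nobody present to type the passphrase.
key_type() {
    if grep -q -- 'Proc-Type: 4,ENCRYPTED' "$1" ||
       grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo pkcs1-rsa
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    else
        echo unknown
    fi
}

# With openssl installed, confirm the files chain in the order the script wants
# (server first, intermediates, root last). Returns 2 when openssl is missing.
# Paths are word-split into openssl arguments, so they must not contain spaces.
verify_chain_order() {
    command -v openssl > /dev/null 2>&1 || return 2
    [ $# -ge 2 ] || { echo "need at least a server and a root certificate"; return 1; }
    server=$1; shift
    untrusted=""
    while [ $# -gt 1 ]; do
        untrusted="$untrusted -untrusted $1"
        shift
    done
    root=$1
    openssl verify -CAfile "$root" $untrusted "$server" > /dev/null 2>&1
}

# With openssl installed, confirm the key belongs to the server certificate by
# comparing RSA moduli (openssl rsa reads PKCS#1 and PKCS#8). 2 = not checked.
key_matches_cert() {
    command -v openssl > /dev/null 2>&1 || return 2
    km=$(openssl rsa -noout -modulus -in "$1" 2> /dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2" 2> /dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# Run every check on the script's CERT_CHAIN ("server.crt,inter.crt,root.crt")
# and CERT_KEY inputs. Exits 0 when nothing is wrong; prints the first problem
# found and exits 1 otherwise.
preflight() {
    chain=$(echo "$1" | sed 's/,/ /g')
    key=$2
    for f in $chain; do
        check_cert_file "$f" || return 1
    done
    [ -f "$key" ] || { echo "missing key file: $key"; return 1; }
    case $(key_type "$key") in
        pkcs1-rsa|pkcs8) ;;
        encrypted) echo "$key is passphrase protected; export an unencrypted key"; return 1 ;;
        *) echo "$key is not a PEM private key"; return 1 ;;
    esac
    verify_chain_order $chain && rc=0 || rc=$?
    [ "$rc" -ne 1 ] || { echo "certificates do not verify in the order given"; return 1; }
    set -- $chain
    key_matches_cert "$key" "$1" && rc=0 || rc=$?
    [ "$rc" -ne 1 ] || { echo "$key does not match $1"; return 1; }
    [ "$rc" -eq 2 ] && echo "openssl not found: chain order and key match were not verified"
    return 0
}
```

Typical use on the appliance is `preflight 'server.crt,intermediate.crt,root.crt' rui.key || exit 1` immediately before the script's own "Testing parameter values..." step; `normalize_pem in.crt out.crt` repairs a file that was transferred in binary mode.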
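The script takes every password as a command-line argument, echoes them back under "Input parameters:", and truncates .bash_history at each exit because those arguments end up in the history file (and, while the script runs, in the process list of every local user). As an added example that is not part of the original paste, the functions below read the same secrets from files with mode 0600 owned by the caller instead, refusing anything group- or world-readable, so there is nothing to purge afterwards. The secrets directory layout (files named root, sso-master, sso-admin and ad) is an assumption made for this example.

```shell
#!/bin/sh
# Load the VCSA script's passwords from 0600 files instead of argv (added example).

# Print the first line of FILE, but only if it is a regular file owned by the
# calling user with no group or other permission bits set. A trailing CR is
# stripped so a file copied in text mode from Windows still works.
read_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # ls -ldn prints numeric ids; field 3 is the owner uid.
    owner=$(ls -ldn "$f" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || { echo "not owned by uid $(id -u): $f" >&2; return 1; }
    # Columns 5-10 of the ls -l mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other access allowed (chmod 600): $f" >&2; return 1; }
    head -n 1 "$f" | tr -d '\r'
}

# Populate the variables the script expects from DIR/root, DIR/sso-master,
# DIR/sso-admin and DIR/ad (constructed names). Any missing or insecurely
# permissioned file aborts the whole load, so the script never runs with a
# half-filled set of credentials.
load_secrets() {
    dir=$1
    LOCALOS_ADMIN_PASS=$(read_secret_file "$dir/root") || return 1
    SSO_MASTER_PASS=$(read_secret_file "$dir/sso-master") || return 1
    SSO_ADMIN_PASS=$(read_secret_file "$dir/sso-admin") || return 1
    AD_PASS=$(read_secret_file "$dir/ad") || return 1
    return 0
}

# Create the directory and one 0600 file per secret, the layout load_secrets
# reads. Values are read from stdin one per line, in the order root,
# sso-master, sso-admin, ad, so they never appear on a command line.
init_secrets_dir() {
    dir=$1
    (umask 077 && mkdir -p "$dir") || return 1
    for name in root sso-master sso-admin ad; do
        IFS= read -r value || return 1
        (umask 077 && printf '%s\n' "$value" > "$dir/$name") || return 1
    done
    return 0
}
```

In the script itself, `load_secrets /root/vcsa-secrets || exit 1` would replace parameters $2, $6, $9 and $10, and the remaining non-secret parameters (hostnames, file names, AD user and domain) can stay on the command line; the "Input parameters:" block should then print placeholders rather than the loaded values.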