VMware vCloud Director Installation and Upgrade Guide 5.5


vCloud Director Installation and Upgrade Guide
vCloud Director 5.5
This document supports the version of each product listed and
supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions
of this document, see http://www.vmware.com/support/pubs.
EN-0001030-00
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010–2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents
VMware vCloud Director Installation and Upgrade Guide
1 Overview of vCloud Director Installation, Configuration, and Upgrade
  vCloud Director Architecture
  Configuration Planning
  vCloud Director Hardware and Software Requirements
2 Creating a vCloud Director Server Group
  Install and Configure vCloud Director Software on the First Member of a Server Group
  Configure Network and Database Connections
  Install vCloud Director Software on Additional Members of a Server Group
  Install Microsoft Sysprep Files on the Servers
  Start or Stop vCloud Director Services
  Uninstall vCloud Director Software
3 Upgrading vCloud Director
  Use the Cell Management Tool to Quiesce and Shut Down a Server
  Upgrade vCloud Director Software on Any Member of a Server Group
  Upgrade the vCloud Director Database
  Upgrade vShield Manager
  Upgrade vCenter, Hosts, and vShield Edge Appliances
4 vCloud Director Setup
  Review the License Agreement
  Enter the License Key
  Create the System Administrator Account
  Specify System Settings
  Ready to Log In to vCloud Director
5 Cell Management Tool Reference
  Commands for Managing a Cell
  Commands for Exporting Database Tables
  Commands for Replacing SSL Certificates
  Commands for Generating Self-Signed SSL Certificates
  Recovering the System Administrator Password
Index
VMware vCloud Director Installation and Upgrade Guide
The VMware vCloud Director Installation and Upgrade Guide provides information about installing or
upgrading VMware vCloud Director software and configuring it to work with VMware vCenter™ to
provide VMware-ready VMware vCloud® services.
Intended Audience
The VMware vCloud Director Installation and Upgrade Guide is intended for anyone who wants to install or
upgrade VMware vCloud Director software. The information in this book is written for experienced system
administrators who are familiar with Linux, Windows, IP networks, and VMware vSphere®.
1 Overview of vCloud Director Installation, Configuration, and Upgrade
A VMware vCloud® combines a vCloud Director server group with the vSphere platform. You create a
vCloud Director server group by installing vCloud Director software on one or more servers, connecting the
servers to a shared database, and integrating the vCloud Director server group with vSphere.
The initial configuration of vCloud Director, including database and network connection details, is
established during installation. When you upgrade an existing installation to a new version of
vCloud Director, you update the vCloud Director software and database schema, leaving the existing
relationships between servers, the database, and vSphere in place.
This chapter includes the following topics:
• “vCloud Director Architecture,” on page 7
• “Configuration Planning,” on page 8
• “vCloud Director Hardware and Software Requirements,” on page 8
vCloud Director Architecture
A vCloud Director server group consists of one or more vCloud Director servers. These servers share a
common database, and are linked to an arbitrary number of vCenter servers and ESXi hosts. vShield
Manager servers provide network services to vCenter and vCloud Director.
A typical installation creates a vCloud Director server group comprising several servers. Each server in the
group runs a collection of services called a vCloud Director cell. All members of the group share a single
database. Each cell in the group connects to multiple vCenter servers, the hosts that they manage, and the
vShield Manager servers that are configured to support the vCenter servers.
Figure 1-1. vCloud Director Architecture Diagram
[Diagram: a vCloud Director installation. The VMware vCloud Director side shows vCloud Director server
cells and the vCloud Director database. The VMware vSphere side shows vCenter, the vCenter database,
vShield Manager, and ESX/ESXi hosts.]
The vCloud Director installation and configuration process creates the cells, connects them to the shared
database, and establishes the first connections to a vCenter server, vShield Manager, and hosts. A system
administrator can then use the vCloud Director Web console to add vCenter servers, vShield Manager, and
hosts to the vCloud Director server group at any time.
Configuration Planning
vSphere provides storage, compute, and networking capacity to vCloud Director. Before you begin
installation, consider how much vSphere and vCloud Director capacity you need, and plan a configuration
that can support it.
Configuration requirements depend on many factors, including the number of organizations in the cloud,
the number of users in each organization, and the activity level of those users. The following guidelines can
serve as a starting point for most configurations:
• Allocate one vCloud Director server (cell) for each vCenter server that you want to make accessible in
your cloud.
• Be sure that all vCloud Director servers meet at least the minimum requirements for memory, CPU, and
storage detailed in “vCloud Director Hardware and Software Requirements,” on page 8.
• Configure the vCloud Director database as described in “Installing and Configuring a vCloud Director
Database,” on page 14.
vCloud Director Hardware and Software Requirements
Each server in a vCloud Director server group must meet certain hardware and software requirements. In
addition, a supported database must be accessible to all members of the group. Each server group requires
access to a vCenter server, vShield Manager, and one or more ESXi hosts.
Supported Platforms
Current information about the VMware platforms supported by this release of vCloud Director is available
from the VMware Product Interoperability Matrixes at
http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php.
vSphere Configuration Requirements
Servers and hosts intended for use with vCloud Director must meet specific configuration requirements.
• vCenter networks intended for use as vCloud Director external networks or network pools must be
available to all hosts in any cluster intended for vCloud Director to use. Making these networks
available to all hosts in a datacenter simplifies the task of adding new vCenter servers to
vCloud Director.
• vSphere Distributed Switches must be used for cross-host fencing and network pool allocation.
• vCenter clusters used with vCloud Director must configure storage DRS with an automation level of
Fully Automated. This configuration requires shared storage attached to all ESXi hosts in a DRS cluster.
vCloud Director can take full advantage of Storage DRS, including support for fast provisioning, with
vCenter 5.1 or later.
• vCenter servers must trust their hosts. All hosts in all clusters managed by vCloud Director must be
configured to require verified host certificates. In particular, you must determine, compare, and select
matching thumbprints for all hosts. See Configure SSL Settings in the vCenter Server and Host
Management documentation.
vSphere Licensing Requirements
vCloud Director requires the following vSphere licenses:
• VMware DRS, licensed by vSphere Enterprise and Enterprise Plus.
• VMware Distributed Switch and dvFilter, licensed by vSphere Enterprise Plus. This license enables
creation and use of vCloud Director isolated networks.
Supported vCloud Director Server Operating Systems
Table 1-1. Supported vCloud Director Server Operating Systems
Operating System (64-bit only)   Updates
CentOS 6                         4
Red Hat Enterprise Linux 5       4-9
Red Hat Enterprise Linux 6       1-4
Disk Space Requirements: Each vCloud Director server requires approximately 1350MB of free space
for the installation and log files.
Memory Requirements: Each vCloud Director server must be provisioned with at least 4GB of
memory.
Linux Software Packages: Each vCloud Director server must include installations of several common
Linux software packages. These packages are typically installed by default
with the operating system software. If any are missing, the installer fails with
a diagnostic message.
Table 1-2. Required Software Packages
Package Name   Package Name   Package Name
alsa-lib       libICE         module-init-tools
bash           libSM          net-tools
chkconfig      libstdc++      pciutils
coreutils      libX11         procps
findutils      libXau         redhat-lsb
glibc          libXdmcp       sed
grep           libXext        tar
initscripts    libXi          which
krb5-libs      libXt
libgcc         libXtst
Supported vCloud Director Databases
vCloud Director supports Oracle and Microsoft SQL Server databases. The most current information about
supported databases is available from the VMware Product Interoperability Matrixes at
http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php.
For recommended database server configurations, see “Installing and Configuring a vCloud Director
Database,” on page 14.
Supported LDAP Servers
Table 1-3. Supported LDAP Servers
Platform              LDAP Server        Authentication Methods
Windows Server 2003   Active Directory   Simple, Simple SSL, Kerberos, Kerberos SSL
Windows Server 2008   Active Directory   Simple
Windows 7 (2008 R2)   Active Directory   Simple, Simple SSL, Kerberos, Kerberos SSL
Linux                 OpenLDAP           Simple, Simple SSL
Guest OS Support
See the vCloud Director User's Guide for a list of supported guest operating systems.
Browsers That vCloud Director Supports
The vCloud Director Web Console is compatible with recent versions of Google Chrome, Mozilla Firefox,
and Microsoft Internet Explorer.
NOTE The vCloud Director Web Console is compatible only with 32-bit browsers. When a browser is listed
as supported on a 64-bit platform, use of a 32-bit browser on the 64-bit platform is implied.
Browser Support on Linux Platforms
On these Linux platforms, the vCloud Director Web Console is compatible with the most recent version of
Mozilla Firefox and Google Chrome, and with their immediate predecessor versions.
Table 1-4. Browser Support and Operating System Compatibility on Linux Platforms
Platform                       Google Chrome   Mozilla Firefox
CentOS 6.x                     YES             YES
Red Hat Enterprise Linux 6.x   YES             YES
Ubuntu 12.x                    YES             YES
Browser Support on Windows Platforms
On Windows platforms, the vCloud Director Web Console is compatible with at least one version of
Microsoft Internet Explorer. Some Windows platforms are also compatible with the most recent version of
Mozilla Firefox and Google Chrome, and with their immediate predecessor versions.
Table 1-5. Browser Support and Operating System Compatibility on Microsoft Windows Platforms
Platform                                 Google Chrome   Mozilla Firefox   Internet Explorer 8.x   Internet Explorer 9.x   Internet Explorer 10.x
Windows XP Pro                           YES             YES               YES                     No                      No
Windows Server 2003 Enterprise Edition   YES             YES               YES                     No                      No
Windows Server 2008                      YES             YES               YES                     YES                     YES
Windows Server 2008 R2                   YES             YES               YES                     YES                     YES
Windows Vista                            YES             No                YES                     YES                     YES
Windows 7                                YES             YES               YES                     YES                     YES
Windows 8                                YES             YES               No                      No                      YES
Browser Support on Macintosh Platforms
On Macintosh platforms, the vCloud Director Web Console is compatible with the most recent version of
Mozilla Firefox and Google Chrome, and with their immediate predecessor versions.
Supported Versions of Adobe Flash Player
The vCloud Director Web Console requires Adobe Flash Player 11.2 or later. Only the 32-bit version is
supported.
Supported Versions of Java
vCloud Director clients must have JRE 1.6.0 update 10 or later installed and enabled. Only the 32-bit version
is supported.
Supported TLS and SSL Protocol Versions and Cipher Suites
vCloud Director requires clients to use SSL. The following SSL server protocols are supported:
• TLS versions 1.0, 1.1, and 1.2
• SSL version 3
Supported cipher suites include those with RSA, DSS, or Elliptic Curve signatures and DES3, AES-128, or
AES-256 ciphers.
Summary of Network Configuration Requirements for vCloud Director
Secure, reliable operation of vCloud Director depends on a secure, reliable network that supports forward
and reverse lookup of hostnames, a network time service, and other services. Your network must meet these
requirements before you begin installing vCloud Director.
The network that connects vCloud Director servers, the database server, vCenter servers, and vCloud
Networking and Security must meet several requirements:
IP addresses: Each vCloud Director server requires two IP addresses, so that it can support
two different SSL connections. One connection is for the HTTP service. The
other is for the console proxy service. You can use IP aliases or multiple
network interfaces to create these addresses. You cannot use the Linux
ip addr add command to create the second address.
Console Proxy Address: The IP address configured as the console proxy address must not be located
behind an SSL-terminating load balancer or reverse proxy. All console proxy
requests must be relayed directly to the console proxy IP address.
Network Time Service: You must use a network time service such as NTP to synchronize the clocks
of all vCloud Director servers, including the database server. The maximum
allowable drift between the clocks of synchronized servers is 2 seconds.
Server Time Zones: All vCloud Director servers, including the database server, must be
configured to be in the same time zone.
Hostname Resolution: All host names that you specify during installation and configuration must
be resolvable by DNS using forward and reverse lookup of the fully qualified
domain name or the unqualified hostname. For example, for a host named
vcloud.example.com, both of the following commands must succeed on a
vCloud Director host:
nslookup vcloud
nslookup vcloud.example.com
In addition, if the host vcloud.example.com has the IP address 192.168.1.1, the
following command must return vcloud.example.com:
nslookup 192.168.1.1
Transfer Server Storage: To provide temporary storage for uploads, downloads, and catalog items
that are published or subscribed externally, you must make an NFS or other
shared storage volume accessible to all servers in a vCloud Director server
group. This shared volume must have write permission for root. Each
member of the server group must mount this volume at the same
mountpoint, typically /opt/vmware/vcloud-director/data/transfer. Space
on this volume is consumed in two ways:
• Transfers (uploads and downloads) occupy this storage for as long as
the transfer is in progress, and are removed when the transfer is
complete. Transfers that make no progress for 60 minutes are marked as
expired and cleaned up by the system. Because transferred images can
be large, it is a good practice to allocate at least several hundred
gigabytes for this use.
• Catalog items in catalogs that are published externally and enable
caching of published content occupy this storage for as long as they
exist. (Items from catalogs that are published externally but do not
enable caching do not occupy this storage.) If you enable organizations
in your cloud to create catalogs that are published externally, it is safe to
assume that hundreds or even thousands of catalog items will need
space on this volume, and that each catalog item will be the size of a
virtual machine in compressed OVF form.
NOTE If possible, the volume you use for transfer server storage should be
one whose capacity can be easily expanded.
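The forward and reverse lookups listed under Hostname Resolution can be run as a pre-installation check. The script below is an added example, not part of the VMware guide; the function names and the NSLOOKUP override variable are assumptions of this example, and it parses the usual nslookup output layout.

```sh
#!/bin/sh
# Added example, not from the VMware guide: forward and reverse lookup check
# for one vCloud Director host name.
# NSLOOKUP is a hypothetical override hook so the parsing can be exercised
# against canned output; by default the real nslookup is called.
: "${NSLOOKUP:=nslookup}"

# forward_addr NAME: prints the first address from the answer section.
# The Server/Address pair at the top of the output describes the resolver
# itself, so only Address lines that follow a Name line are considered.
forward_addr() {
    "$NSLOOKUP" "$1" 2>/dev/null |
        awk '/^Name:/ { seen = 1; next }
             seen && /^Address/ { print $NF; exit }'
}

# reverse_name IP: prints the PTR target without its trailing dot.
reverse_name() {
    "$NSLOOKUP" "$1" 2>/dev/null |
        awk '/name = / { n = $NF; sub(/\.$/, "", n); print n; exit }'
}

# check_host FQDN: returns 0 only if the unqualified name and the FQDN both
# resolve, and the FQDN's address maps back to the FQDN.
check_host() (
    fqdn=$1
    short=${fqdn%%.*}
    addr=$(forward_addr "$fqdn")
    [ -n "$addr" ] || { echo "FAIL forward lookup: $fqdn"; exit 1; }
    [ -n "$(forward_addr "$short")" ] || { echo "FAIL forward lookup: $short"; exit 1; }
    ptr=$(reverse_name "$addr")
    [ "$ptr" = "$fqdn" ] || {
        echo "FAIL reverse lookup: $addr returned '${ptr}', expected $fqdn"
        exit 1
    }
    echo "OK   $short / $fqdn <-> $addr"
)
```

Run check_host once for every host name you plan to enter during installation and configuration, on each vCloud Director host.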
Network Security Recommendations
Secure operation of vCloud Director requires a secure network environment. Configure and test this
network environment before you begin installing vCloud Director.
Connect all vCloud Director servers to a network that is secured and monitored. vCloud Director network
connections have several additional requirements:
• Do not connect vCloud Director directly to the public Internet. Always protect vCloud Director
network connections with a firewall. Only port 443 (HTTPS) must be open to incoming connections.
Ports 22 (SSH) and 80 (HTTP) can also be opened for incoming connections if needed. All other
incoming traffic from a public network must be rejected by the firewall.
Table 1-6. Ports That Must Allow Incoming Packets From vCloud Director Hosts
Port    Protocol   Comments
111     TCP, UDP   NFS portmapper used by transfer service
920     TCP, UDP   NFS rpc.statd used by transfer service
61611   TCP        ActiveMQ
61616   TCP        ActiveMQ
• Do not connect the ports used for outgoing connections to the public network.
Table 1-7. Ports That Must Allow Outgoing Packets From vCloud Director Hosts
Port    Protocol   Comments
25      TCP, UDP   SMTP
53      TCP, UDP   DNS
111     TCP, UDP   NFS portmapper used by transfer service
123     TCP, UDP   NTP
389     TCP, UDP   LDAP
443     TCP        vCenter, vShield Manager, and ESX connections
514     UDP        Optional. Enables syslog use.
902     TCP        vCenter and ESX connections.
903     TCP        vCenter and ESX connections.
920     TCP, UDP   NFS rpc.statd used by transfer service.
1433    TCP        Default Microsoft SQL Server database port.
1521    TCP        Default Oracle database port.
5672    TCP, UDP   Optional. AMQP messages for task extensions.
61611   TCP        ActiveMQ
61616   TCP        ActiveMQ
• Route traffic between vCloud Director servers and the vCloud Director database server over a
dedicated private network if possible.
• Virtual switches and distributed virtual switches that support provider networks must be isolated from
each other. They cannot share the same level 2 physical network segment.
Installing and Configuring a vCloud Director Database
vCloud Director cells use a database to store shared information. This database must exist before you can
complete installation and configuration of vCloud Director software.
NOTE Regardless of the database software you choose, you must create a separate, dedicated database
schema for vCloud Director to use. vCloud Director cannot share a database schema with any other
VMware product.
Configure an Oracle Database
Oracle databases have specific configuration requirements when you use them with vCloud Director. Install
and configure a database instance and create the vCloud Director database user account before you install
vCloud Director.
Procedure
1 Configure the database server.
A database server configured with 16GB of memory, 100GB storage, and 4 CPUs should be adequate
for most vCloud Director clusters.
2 Create the database instance.
Use commands of the following form to create separate data (CLOUD_DATA) and index
(CLOUD_INDX) tablespaces:
Create Tablespace CLOUD_DATA datafile '$ORACLE_HOME/oradata/cloud_data01.dbf' size 1000M autoextend on;
Create Tablespace CLOUD_INDX datafile '$ORACLE_HOME/oradata/cloud_indx01.dbf' size 500M autoextend on;
3 Create the vCloud Director database user account.
The following command creates database user name vcloud with password vcloudpass.
Create user $vcloud identified by $vcloudpass default tablespace CLOUD_DATA;
NOTE When you create the vCloud Director database user account, you must specify CLOUD_DATA
as the default tablespace.
4 Configure database connection, process, and transaction parameters.
The database must be configured to allow at least 75 connections per vCloud Director cell plus about 50
for Oracle's own use. You can obtain values for other configuration parameters based on the number of
connections, where C represents the number of cells in your vCloud Director cluster.
Oracle Configuration Parameter   Value for C Cells
CONNECTIONS                      75*C+50
PROCESSES                        = CONNECTIONS
SESSIONS                         = PROCESSES*1.1+5
TRANSACTIONS                     = SESSIONS*1.1
OPEN_CURSORS                     = SESSIONS
5 Create the vCloud Director database user account.
Do not use the Oracle system account as the vCloud Director database user account. You must create a
dedicated user account for this purpose. Grant the following system privileges to the account:
• CONNECT
• RESOURCE
• CREATE TRIGGER
• CREATE TYPE
• CREATE VIEW
• CREATE MATERIALIZED VIEW
• CREATE PROCEDURE
• CREATE SEQUENCE
6 Note the database service name so you can use it when you configure network and database
connections.
To find the database service name, open the file $ORACLE_HOME/network/admin/tnsnames.ora on the
database server and look for an entry of the following form:
(SERVICE_NAME = orcl.example.com)
Configure a Microsoft SQL Server Database
SQL Server databases have specific configuration requirements when you use them with vCloud Director.
Install and configure a database instance, and create the vCloud Director database user account before you
install vCloud Director.
vCloud Director database performance is an important factor in overall vCloud Director performance and
scalability. vCloud Director uses the SQL Server tempdb file when storing large result sets, sorting data, and
managing data that is being concurrently read and modified. This file can grow significantly when
vCloud Director is experiencing heavy concurrent load. It is a good practice to create the tempdb file on a
dedicated volume that has fast read and write performance. For more information about the tempdb file and
SQL Server performance, see http://msdn.microsoft.com/en-us/library/ms175527.aspx.
Prerequisites
• You must be familiar with Microsoft SQL Server commands, scripting, and operation.
• To configure Microsoft SQL Server, log on to the SQL Server host computer using administrator
credentials. You can configure SQL Server to run with the LOCAL_SYSTEM identity, or any identity
with the privilege to run a Windows service.
Procedure
1 Configure the database server.
A database server configured with 16GB of memory, 100GB storage, and 4 CPUs should be adequate
for most vCloud Director clusters.
2 Specify Mixed Mode authentication during SQL Server setup.
Windows Authentication is not supported when using SQL Server with vCloud Director.
3 Create the database instance.
The following script creates the database and log files, specifying the proper collation sequence.
USE [master]
GO
CREATE DATABASE [vcloud] ON PRIMARY
(NAME = N'vcloud', FILENAME = N'C:\vcloud.mdf', SIZE = 100MB, FILEGROWTH = 10% )
LOG ON
(NAME = N'vcdb_log', FILENAME = N'C:\vcloud.ldf', SIZE = 1MB, FILEGROWTH = 10%)
COLLATE Latin1_General_CS_AS
GO
The values shown for SIZE are suggestions. You might need to use larger values.
4 Set the transaction isolation level.
The following script sets the database isolation level to READ_COMMITTED_SNAPSHOT.
USE [vcloud]
GO
ALTER DATABASE [vcloud] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
ALTER DATABASE [vcloud] SET ALLOW_SNAPSHOT_ISOLATION ON;
ALTER DATABASE [vcloud] SET READ_COMMITTED_SNAPSHOT ON WITH NO_WAIT;
ALTER DATABASE [vcloud] SET MULTI_USER;
GO
For more about transaction isolation, see http://msdn.microsoft.com/en-us/library/ms173763.aspx.
5 Create the vCloud Director database user account.
The following script creates database user name vcloud with password vcloudpass.
USE [vcloud]
GO
CREATE LOGIN [vcloud] WITH PASSWORD = 'vcloudpass', DEFAULT_DATABASE =[vcloud],
DEFAULT_LANGUAGE =[us_english], CHECK_POLICY=OFF
GO
CREATE USER [vcloud] for LOGIN [vcloud]
GO
6 Assign permissions to the vCloud Director database user account.
The following script assigns the db_owner role to the database user created in Step 5.
USE [vcloud]
GO
sp_addrolemember [db_owner], [vcloud]
GO
Create SSL Certificates
vCloud Director requires SSL to secure communications between clients and servers. Before you install and
configure a vCloud Director server group, you must create two certificates for each member of the group
and import the certificates into host keystores.
Each vCloud Director server requires two IP addresses, so that it can support two different SSL endpoints.
Each server requires two SSL certificates, one for each SSL endpoint.
NOTE All directories in the pathname to the SSL certificates must be readable by the user vcloud.vcloud.
This user is created by the vCloud Director installer.
Procedure
1 List the IP addresses for this server.
Use a command like ifconfig to discover this server's IP addresses.
2 For each IP address, run the following command to retrieve the fully qualified domain name to which
the IP address is bound.
nslookup ip-address
3 Make a note of each IP address, the fully qualified domain name associated with it, and whether
vCloud Director should use the address for the HTTP service or the console proxy service.
You need the fully qualified domain names when you create the certificates, and the IP addresses when
you configure network and database connections.
4 Create the certificates.
You can use certificates signed by a trusted certification authority, or self-signed certificates. Signed
certificates provide the highest level of trust. A 2,048-bit key length provides a high level of security.
Create and Import a Signed SSL Certificate
Signed certificates provide the highest level of trust for SSL communications.
Each vCloud Director server requires two SSL certificates, one for each of its IP addresses, in a Java keystore
file. You must create two SSL certificates for each server that you intend to use in your vCloud Director
server group. You can use certificates signed by a trusted certification authority, or self-signed certificates.
Signed certificates provide the highest level of trust.
To create and import self-signed certificates, see “Create a Self-Signed SSL Certificate,” on page 19.
Prerequisites
• Generate a list of fully-qualified domain names and their associated IP addresses on this server, along
with a service choice for each IP address. See “Create SSL Certificates,” on page 17.
• Verify that you have access to a computer that has a Java version 6 runtime environment, so that you
can use the keytool command to create the certificate. The vCloud Director installer places a copy of
keytool in /opt/vmware/vcloud-director/jre/bin/keytool, but you can perform this procedure on any
computer that has a Java version 6 runtime environment installed. Certificates created with a keytool
from any other source are not supported for use with vCloud Director. Creating and importing the
certificates before you install and configure vCloud Director software simplifies the installation and
configuration process. These command-line examples assume that keytool is in the user's path. The
keystore password is represented in these examples as passwd.
Procedure
1 Create an untrusted certificate for the HTTP service.
This command creates an untrusted certificate in a keystore file named certificates.ks.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias http
The certificate is valid for 90 days.
2 Answer the keytool questions.
When keytool asks for your first and last name, type the fully qualified domain name associated with
the IP address you want to use for the HTTP service.
3 For the remaining questions, provide answers appropriate for your organization and location, as shown
in this example.
What is your first and last name? [Unknown]:mycloud.example.com
What is the name of your organizational unit? [Unknown]:Engineering
What is the name of your organization? [Unknown]:Example Corporation
What is the name of your City or Locality? [Unknown]:Palo Alto
What is the name of your State or Province? [Unknown]:California
What is the two-letter country code for this unit? [Unknown]:US
Is CN=mycloud.example.com, OU=Engineering, O="Example Corporation", L="Palo Alto",
ST=California, C=US correct?[no]:yes
Enter key password for <http> (RETURN if same as keystore password):
4 Create a certificate signing request for the HTTP service.
This command creates a certificate signing request in the file http.csr.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr
5 Create an untrusted certificate for the console proxy service.
This command adds an untrusted certificate to the keystore file created in Step 1.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias consoleproxy
The certificate is valid for 90 days.
6 When keytool asks for your first and last name, type the fully-qualified domain name associated with
the IP address you want to use for the console proxy service.
7 For the remaining questions, provide answers appropriate for your organization and location, as shown
in the example in Step 3.
8 Create a certificate signing request for the console proxy service.
This command creates a certificate signing request in the file consoleproxy.csr.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr
9 Send the certificate signing requests to your Certification Authority.
If your certification authority requires you to specify a Web server type, use Jakarta Tomcat.
10 When you receive the signed certificates, import them into the keystore file.
a Import the Certification Authority's root certificate into the keystore file.
This command imports the root certificate from the root.cer file to the certificates.ks keystore
file.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias root
-file root.cer
b (Optional) If you received intermediate certificates, import them into the keystore file.
This command imports intermediate certificates from the intermediate.cer file to the
certificates.ks keystore file.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias
intermediate -file intermediate.cer
c Import the certificate for the HTTP service.
This command imports the certificate from the http.cer file to the certificates.ks keystore file.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http
-file http.cer
d Import the certificate for the console proxy service.
This command imports the certificate from the consoleproxy.cer file to the certificates.ks
keystore file.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias consoleproxy -file consoleproxy.cer
11 To verify that all the certificates are imported, list the contents of the keystore file.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
12 Repeat Step 1 through Step 11 on each of the remaining vCloud Director servers.
What to do next
If you created the certificates.ks keystore file on a computer other than the server on which you
generated the list of fully qualified domain names and their associated IP addresses, copy the keystore file to
that server now. You will need the keystore path name when you run the configuration script. See
“Configure Network and Database Connections,” on page 26.
NOTE Because the vCloud Director configuration script does not run with a privileged identity, the keystore
file and the directory in which it is stored must be readable by any user.
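The listing in Step 11 only helps if you know what to look for: the http and consoleproxy aliases must still be key entries after the signed certificates are imported, and the CA certificates must be trusted-certificate entries. The script below is an added example, not part of the VMware guide; the function names are hypothetical, the sample listings are constructed, and it assumes keytool's default English listing format.

```shell
#!/bin/sh
# Added example (not from the guide): check `keytool -list` output for the
# entries the signed-certificate procedure should leave in certificates.ks.
# Assumption: keytool prints one line per entry in the form
#   alias, Mon D, YYYY, EntryType,

# entry_type ALIAS: read a listing on stdin, print the entry type of ALIAS
# (prints nothing when the alias is absent).
entry_type() {
    awk -v want="$1" '
        /^Certificate fingerprint/ { next }
        {
            line = $0
            sub(/,[ \t]*$/, "", line)      # drop the trailing comma
            n = split(line, f, /, */)      # first field: alias, last: type
            if (n >= 3 && f[1] == want && !found) { print f[n]; found = 1 }
        }'
}

# check_keystore_listing [TRUSTED_ALIAS ...]
# Reads a listing on stdin. http and consoleproxy must be PrivateKeyEntry
# (key pair plus certificate); each TRUSTED_ALIAS must be trustedCertEntry.
# Prints one finding per alias; exit status 1 if any alias is missing or wrong.
check_keystore_listing() (
    listing=$(cat)
    status=0
    for spec in http:PrivateKeyEntry consoleproxy:PrivateKeyEntry "$@"; do
        case $spec in
            *:*) name=${spec%%:*}; expected=${spec#*:} ;;
            *)   name=$spec; expected=trustedCertEntry ;;
        esac
        actual=$(printf '%s\n' "$listing" | entry_type "$name")
        if [ -z "$actual" ]; then
            echo "MISSING $name (expected $expected)"; status=1
        elif [ "$actual" != "$expected" ]; then
            echo "WRONG   $name is $actual, expected $expected"; status=1
        else
            echo "OK      $name $actual"
        fi
    done
    exit "$status"
)

# Constructed sample: the listing after a complete import (Step 10 a-d).
sample_complete() {
    cat <<'EOF'
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 4 entries

consoleproxy, Jun 8, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): CONSTRUCTED-PLACEHOLDER
http, Jun 8, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): CONSTRUCTED-PLACEHOLDER
intermediate, Jun 8, 2013, trustedCertEntry,
Certificate fingerprint (MD5): CONSTRUCTED-PLACEHOLDER
root, Jun 8, 2013, trustedCertEntry,
Certificate fingerprint (MD5): CONSTRUCTED-PLACEHOLDER
EOF
}

# Constructed sample: http.cer was imported into a keystore that does not hold
# the http key pair, and consoleproxy.cer was never imported.
sample_broken() {
    cat <<'EOF'
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

http, Jun 8, 2013, trustedCertEntry,
Certificate fingerprint (MD5): CONSTRUCTED-PLACEHOLDER
root, Jun 8, 2013, trustedCertEntry,
Certificate fingerprint (MD5): CONSTRUCTED-PLACEHOLDER
EOF
}

# Against a real keystore, pipe the Step 11 command into the check:
#   keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list \
#       | check_keystore_listing root
sample_broken | check_keystore_listing root \
    || echo "keystore is not ready for the configuration script"
```

Pass `intermediate` as an additional argument when you imported intermediate certificates in Step 10 b.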
Create a Self-Signed SSL Certificate
Self-signed certificates can provide a convenient way to configure SSL for vCloud Director in environments
where trust concerns are minimal.
Each vCloud Director server requires two SSL certificates, one for each of its IP addresses, in a Java keystore
file. You must create two SSL certificates for each server that you intend to use in your vCloud Director
server group. You can use certificates signed by a trusted certification authority, or self-signed certificates.
Signed certificates provide the highest level of trust.
To create and import signed certificates, see “Create and Import a Signed SSL Certificate,” on page 17.
Prerequisites
- Generate a list of fully-qualified domain names and their associated IP addresses on this server, along
with a service choice for each IP address. See “Create SSL Certificates,” on page 17.
- Verify that you have access to a computer that has a Java version 6 runtime environment, so that you
can use the keytool command to create the certificate. The vCloud Director installer places a copy of
keytool in /opt/vmware/vcloud-director/jre/bin/keytool, but you can perform this procedure on any
computer that has a Java version 6 runtime environment installed. Certificates created with a keytool
from any other source are not supported for use with vCloud Director. Creating and importing the
certificates before you install and configure vCloud Director software simplifies the installation and
configuration process. These command-line examples assume that keytool is in the user's path. The
keystore password is represented in these examples as passwd.
Procedure
1 Create an untrusted certificate for the HTTP service.
This command creates an untrusted certificate in a keystore file named certificates.ks.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias http
2 Create an untrusted certificate for the console proxy service.
This command adds an untrusted certificate to the keystore file created in Step 1.
keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias consoleproxy
The certificate is valid for 90 days.
3 To verify that all the certificates are imported, list the contents of the keystore file.
keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
4 Repeat Step 1 through Step 3 on each of the remaining vCloud Director servers.
What to do next
If you created the certificates.ks keystore file on a computer other than the server on which you
generated the list of fully qualified domain names and their associated IP addresses, copy the keystore file to
that server now. You will need the keystore path name when you run the configuration script. See
“Configure Network and Database Connections,” on page 26.
NOTE Because the vCloud Director configuration script does not run with a privileged identity, the keystore
file and the directory in which it is stored must be readable by any user.
Installing and Configuring vShield Manager
vCloud Director depends on vShield Manager to provide network services to the cloud. Install and
configure vShield Manager before you begin installing vCloud Director. vShield Manager is included in the
VMware vCloud Networking and Security download.
You must associate each vCenter Server that you add to vCloud Director with a unique instance of vShield
Manager. For information about the network requirements and supported versions of vShield Manager, see
“vCloud Director Hardware and Software Requirements,” on page 8.
IMPORTANT This procedure applies only to new installations of vCloud Director. If you are upgrading an
existing installation of vCloud Director, you can optionally upgrade its associated vShield Manager
installation. A new release of vShield Manager cannot work with an existing release of vCloud Director. See
“Upgrade vShield Manager,” on page 40.
Prerequisites
For detailed information about vShield Manager, visit the VMware vCloud Networking and Security
Documentation Center at https://www.vmware.com/support/pubs/vshield_pubs.html.
Procedure
1 Use the vSphere Client to log in to your vCenter Server.
2 Select File > Deploy OVF Template.
3 Browse to the location of the vShield Manager.ovf file and follow the prompts to deploy the OVF file.
4 After the OVF file is deployed, power on the vShield Manager virtual machine and open the console.
5 Log in to the console with the user name admin and password default.
6 At the manager prompt, type enable.
7 At the Password prompt, type default to enable setup mode.
When setup mode is enabled, the prompt string changes to manager#.
8 At the manager# prompt, type setup to begin the setup procedure.
9 Enter the IP address, subnet mask, and default gateway for the vShield Manager virtual machine.
You need this information to attach a vCenter Server to vCloud Director.
10 Type exit to log out.
11 Close the console and leave the virtual machine running.
12 Synchronize vShield Manager with vCenter and register vShield Manager as a vSphere Client plug-in.
Follow the Log In to the vShield Manager User Interface and Set up vShield Manager procedures in the
vShield Installation and Upgrade Guide.
What to do next
Configure VXLAN support in vShield Manager. vCloud Director creates VXLAN network pools to provide
network resources to Provider VDCs. If VXLAN support has not been configured in vShield Manager,
Provider VDCs will show a network pool error, and you will have to create a different type of network pool
and associate it with the Provider VDC. See the vShield Administration Guide for details about configuring
VXLAN support.
Installing and Configuring an AMQP Broker
AMQP, the Advanced Message Queuing Protocol, is an open standard for message queuing that supports
flexible messaging for enterprise systems. vCloud Director includes an AMQP service that you can
configure to work with an AMQP broker, such as RabbitMQ, to provide cloud operators with a stream of
notifications about events in the cloud. If you want to use this service, you must install and configure an
AMQP broker.
While use of an AMQP broker with vCloud Director is optional, a number of integrations use AMQP to
communicate with vCloud Director. Consult the installation and configuration documents for any
integrations you plan to use.
Procedure
1 Download the RabbitMQ Server from http://info.vmware.com/content/12834_rabbitmq.
2 Follow the RabbitMQ installation instructions to install RabbitMQ on any convenient host.
The RabbitMQ server host must be reachable on the network by each vCloud Director cell.
3 During the RabbitMQ installation, make a note of the values that you will need to supply when
configuring vCloud Director to work with this RabbitMQ installation.
- The fully-qualified domain name of the RabbitMQ server host, for example amqp.example.com.
- A username and password that are valid for authenticating with RabbitMQ.
- The port at which the broker listens for messages. The default is 5672.
- The RabbitMQ virtual host. The default is "/".
What to do next
By default, the vCloud Director AMQP service sends unencrypted messages. If you configure it to encrypt
these messages using SSL, it verifies the broker's certificate by using the default JCEKS trust store of the Java
runtime environment on the vCloud Director server. The Java runtime environment is typically located in
the $JRE_HOME/lib/security/cacerts directory.
To use SSL with the vCloud Director AMQP service, select Use SSL on the AMQP Broker Settings section of
the Extensibility page of the vCloud Director Web console, and provide either of the following:
- an SSL certificate pathname
- a JCEKS trust store pathname and password
If you do not need to validate the AMQP broker's certificate, you can select Accept all certificates.
Download and Install the VMware Public Key
The installation file is digitally signed. To verify the signature, you must download and install the VMware
public key.
You can use the Linux rpm tool and the VMware public key to verify the digital signature of the
vCloud Director installation file, or any other signed downloaded file from vmware.com. If you install the
public key on the computer where you plan to install vCloud Director, the verification happens as part of
the installation or upgrade. You can also manually verify the signature before you begin the installation or
upgrade procedure, then use the verified file for all installations or upgrades.
NOTE The download site also publishes a checksum value for the download. The checksum is published in
two common forms. Verifying the checksum verifies that the file contents that you downloaded are the
same as the contents that were posted. It does not verify the digital signature.
Procedure
1 Obtain and import the VMware Packaging Public Keys.
a Create a directory to store the VMware Packaging Public Keys.
b Use a Web browser to download all of the VMware Packaging Public Keys from the
http://packages.vmware.com/tools/keys directory.
c Save the key files to the directory that you created.
d For each key that you download, run the following command to import the key.
# rpm --import /key_path/key_name
key_path is the directory in which you saved the keys.
key_name is the filename of a key.
2 (Optional) Use the Linux rpm tool to verify the digital signature of the downloaded file.
# rpm --checksig installation-file
After you verify the digital signature of the file, you can use it to install or upgrade vCloud Director on
any server, without having to install the public key on that server. The installer warns you if no key is
installed. You can ignore the warning if you already verified the signature of the file.
Chapter 2 Creating a vCloud Director Server Group
A vCloud Director server group consists of one or more vCloud Director servers that share a common
database and other configuration details. To create a server group, you install and configure
vCloud Director software on the first member of the group. Installation and configuration of the first group
member creates a response file that you use to configure additional members of the group.
Prerequisites for Creating a vCloud Director Server Group
IMPORTANT This procedure is for new installations only. If you are upgrading an existing vCloud Director
installation, see Chapter 3, “Upgrading vCloud Director,” on page 33.
Before you begin installing and configuring vCloud Director, complete all of the following tasks.
1 Verify that a supported vCenter server is running and properly configured for use with
vCloud Director. For supported versions and configuration requirements, see “Supported Platforms,”
on page 8.
2 Verify that a supported vShield Manager server is running and properly configured for use with
vCloud Director. For supported versions, see “Supported Platforms,” on page 8. For installation and
configuration details, see “Installing and Configuring vShield Manager,” on page 20.
3 Verify that you have at least one supported vCloud Director server platform running and configured
with an appropriate amount of memory and storage. For supported platforms and configuration
requirements, see “Supported vCloud Director Server Operating Systems,” on page 9.
- Each member of a server group requires two IP addresses: one to support an SSL connection for the
  HTTP service and another for the console proxy service.
- Each server must have an SSL certificate for each IP address. All directories in the pathname to the
  SSL certificates must be readable by any user. See “Create SSL Certificates,” on page 17.
- For the transfer service, each server must mount an NFS or other shared storage volume
  at /opt/vmware/vcloud-director/data/transfer. This volume must have write permission for root.
  See “Summary of Network Configuration Requirements for vCloud Director,” on page 12.
- Each server should have access to a Microsoft Sysprep deployment package. See “Install Microsoft
  Sysprep Files on the Servers,” on page 31.
4 Verify that you have created a vCloud Director database and that it is accessible to all servers in the
group. For a list of supported database software, see “Supported vCloud Director Databases,” on
page 10.
- Verify that you have created a database account for the vCloud Director database user and that the
account has all required database privileges. See “Installing and Configuring a vCloud Director
Database,” on page 14.
- Verify that the database service starts when the database server is rebooted.
5 Verify that all vCloud Director servers, the database server, and all vCenter and vShield Manager
servers can resolve each other's names as described in “Summary of Network Configuration
Requirements for vCloud Director,” on page 12.
6 Verify that all vCloud Director servers and the database server are synchronized to a network time
server with the tolerances noted in “Summary of Network Configuration Requirements for vCloud
Director,” on page 12.
7 If you plan to import users or groups from an LDAP service, verify that the service is accessible to each
vCloud Director server.
8 Open firewall ports as shown in “Network Security Recommendations,” on page 13. Port 443 must be
open between vCloud Director and vCenter servers.
This chapter includes the following topics:
- “Install and Configure vCloud Director Software on the First Member of a Server Group,” on page 24
- “Configure Network and Database Connections,” on page 26
- “Install vCloud Director Software on Additional Members of a Server Group,” on page 29
- “Install Microsoft Sysprep Files on the Servers,” on page 31
- “Start or Stop vCloud Director Services,” on page 32
- “Uninstall vCloud Director Software,” on page 32
Install and Configure vCloud Director Software on the First Member of
a Server Group
All members of a vCloud Director server group share database connection and other configuration details that you
specify when installing and configuring the first member of the group. These details are captured in a
response file that you must use when adding members to the group.
vCloud Director software is distributed as a digitally signed Linux executable file named
vmware-vcloud-director-5.5.0-nnnnnn.bin, where nnnnnn represents a build number.
The vCloud Director installer verifies that the target server meets all platform prerequisites and installs
vCloud Director software on it. After the software is installed on the target server, you must run a script that
configures the server's network and database connections. This script creates a response file that you must
use when configuring additional members of this server group.
Prerequisites
- Verify that the target server and the network it connects to meet the requirements specified in
  “Summary of Network Configuration Requirements for vCloud Director,” on page 12.
- Verify that you have superuser credentials for the target server.
- Verify that the target server mounts the shared transfer service storage volume
  at /opt/vmware/vcloud-director/data/transfer.
- To have the installer verify the digital signature of the installation file, download and install the
  VMware public key on the target server. If you already verified the digital signature of the installation
  file, you do not need to verify it again during installation. See “Download and Install the VMware
  Public Key,” on page 22.
Procedure
1 Log in to the target server as root.
2 Download the installation file to the target server.
If you purchased the software on a CD or other media, copy the installation file to a location that is
accessible to all target servers.
3 Verify that the checksum of the download matches the one posted on the download page.
Values for MD5 and SHA1 checksums are posted on the download page. Use the appropriate tool to
verify that the checksum of the downloaded installation file matches the one shown on the download
page. A Linux command of the following form validates the checksum for installation-file using the MD5
checksum-value copied from the download page.
[root@cell1 /tmp]# echo "checksum-value  installation-file" | md5sum -c -
4 Ensure that the installation file is executable.
The installation file requires execute permission. To be sure that it has this permission, open a console,
shell, or terminal window and run the following Linux command, where installation-file is the full
pathname to the vCloud Director installation file.
[root@cell1 /tmp]# chmod u+x installation-file
5 In a console, shell, or terminal window, run the installation file.
To run the installation file, type its full pathname, for example:
[root@cell1 /tmp]# ./installation-file
The file includes an installation script and an embedded RPM package.
NOTE You cannot run the installation file from a directory whose pathname includes any embedded
space characters.
The installer prints a warning of the following form if you have not installed the VMware public key on
the target server.
warning:installation-file.rpm: Header V3 RSA/SHA1 signature: NOKEY, key ID 66fd4949
When the installer runs, it takes these actions:
a verifies that the host meets all requirements
b verifies the digital signature on the installation file
c creates the vcloud user and group
d unpacks the vCloud Director RPM package
e installs the software
After the software is installed, the installer prompts you to run the configuration script, which
configures the server's network and database connections.
What to do next
Decide whether to run the configuration script.
- If you have completed the prerequisites listed in “Prerequisites for Creating a vCloud Director Server
  Group,” on page 23, you can run the configuration script now. Type y and press Enter.
- If you are not ready to run the configuration script now, type n and press Enter to exit to the shell.
For more information about running the configuration script, see “Configure Network and Database
Connections,” on page 26.
Configure Network and Database Connections
After vCloud Director software is installed on the server, the installer prompts you to run a script that
configures the server's network and database connections.
You must install vCloud Director software on the server before you can run the configuration script. The
installer prompts you to run the script after installation is complete, but you can choose to run it later.
To run the script after the vCloud Director software is installed, log in as root, open a console, shell, or
terminal window, and type:
/opt/vmware/vcloud-director/bin/configure
The configuration script creates network and database connections for a single vCloud Director server. The
script also creates a response file that preserves database connection information for use in subsequent
server installations.
NOTE After you run the configuration script to configure the first member of the server group, you must
use the -r option and specify the response file pathname when configuring additional members of the
group. See “Protecting and Reusing the Response File,” on page 29.
Prerequisites
- Verify that a database of a supported type is accessible from the vCloud Director server. See “Installing
  and Configuring a vCloud Director Database,” on page 14 and “vCloud Director Hardware and
  Software Requirements,” on page 8.
- Have the following information available:
  - Location and password of the keystore file that includes the SSL certificates for this server. See
    “Create and Import a Signed SSL Certificate,” on page 17. The configuration script does not run
    with a privileged identity, so the keystore file and the directory in which it is stored must be
    readable by any user.
  - Password for each SSL certificate.
  - Hostname or IP address of the database server.
  - Database name and connection port.
  - Database user credentials (user name and password). This user must have specific database
    privileges. See “Installing and Configuring a vCloud Director Database,” on page 14.
Procedure
1 Specify the IP addresses to use for the HTTP and console proxy services running on this host.
Each member of a server group requires two IP addresses, so that it can support two different SSL
connections: one for the HTTP service and another for the console proxy service. To begin the
configuration process, choose which of the IP addresses discovered by the script should be used for
each service.
Please indicate which IP address available on this machine should be used
for the HTTP service and which IP address should be used for the remote console proxy.
The HTTP service IP address is used for accessing the user interface and the REST API.
The remote console proxy IP address is used for all remote console (VMRC) connections
and traffic.
Please enter your choice for the HTTP service IP address:
1: 10.17.118.158
2: 10.17.118.159
Choice [default=1]:2
Please enter your choice for the remote console proxy IP address
1: 10.17.118.158
Choice [default=1]:
2 Specify the full path to the Java keystore file.
Please enter the path to the Java keystore containing your SSL certificates and
private keys:/opt/keystore/certificates.ks
3 Type the keystore and certificate passwords.
Please enter the password for the keystore:
Please enter the private key password for the 'http' SSL certificate:
Please enter the private key password for the 'consoleproxy' SSL certificate:
4 Configure audit message handling options.
Services in each vCloud Director cell log audit messages to the vCloud Director database, where they
are preserved for 90 days. To preserve audit messages longer, you can configure vCloud Director
services to send audit messages to the syslog utility in addition to the vCloud Director database.
Option Action
To log audit messages to both syslog and the vCloud Director database | Type the syslog hostname or IP address.
To log audit messages only to the vCloud Director database | Press Enter.
If you would like to enable remote audit logging to a syslog
host please enter the hostname or IP address of the syslog server. Audit logs are stored by
vCloud Director for 90 days. Exporting logs via syslog will enable you to
preserve them for as long as necessary.
Syslog host name or IP address [press Enter to skip]:10.150.10.10
5 Specify the port on which the syslog process monitors the specified server.
The default is port 514.
What UDP port is the remote syslog server listening on? The
standard syslog port is 514. [default=514]:
Using default value "514" for syslog port.
6 Specify the database type, or press Enter to accept the default value.
The following database types are supported:
1. Oracle
2. Microsoft SQL Server
Enter the database type [default=1]:
Using default value "1" for database type.
7 Specify database connection information.
The information that the script requires depends on your choice of database type. This example shows
the prompts that follow specification of an Oracle database. Prompts for other database types are
similar.
a Type the hostname or IP address of the database server.
Enter the host (or IP address) for the database:10.150.10.78
b Type the database port, or press Enter to accept the default value.
Enter the database port [default=1521]:
Using default value "1521" for port.
c Type the database service name.
Enter the database service name [default=oracle]:orcl.example.com
If you press Enter, the configuration script uses a default value, which might not be correct for
some installations. For information about how to find the database service name for an Oracle
database, see “Configure an Oracle Database,” on page 14.
d Type the database user name and password.
Enter the database username:vcloud
Enter the database password:
The script validates the information you supplied, then continues with three more steps.
1 It initializes the database and connects this server to it.
2 It offers to start vCloud Director services on this host.
3 It displays a URL at which you can connect to the Setup wizard after vCloud Director service starts.
This fragment shows a typical completion of the script.
Connecting to the database: jdbc:oracle:thin:vcloud/vcloud@10.150.10.78:1521/vcloud
...........
Database configuration complete.
Once the vCloud Director server has been started you will be able to
access the first-time setup wizard at this URL:
http://vcloud.example.com
Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start
Start it now? [y/n]:y
Starting the vCloud Director service (this may take a moment).
The service was started; it may be several minutes before it is ready for use.
Please check the logs for complete details.
vCloud Director configuration is now complete. Exiting...
What to do next
NOTE Database connection information and other reusable responses you supplied during configuration
are preserved in a file located at /opt/vmware/vcloud-director/etc/responses.properties on this server.
This file contains sensitive information that you must reuse when you add more servers to a server group.
Preserve the file in a secure location, and make it available only when needed.
To add more servers to this group, see “Install vCloud Director Software on Additional Members of a Server
Group,” on page 29.
After vCloud Director services are running on all servers, you can open the Setup wizard at the URL
displayed when the script completes. See Chapter 4, “vCloud Director Setup,” on page 43.
Protecting and Reusing the Response File
Network and database connection details that you supply when you configure the first vCloud Director
server are saved in a response file. This file contains sensitive information that you must reuse when you
add more servers to a server group. Preserve the file in a secure location, and make it available only when
needed.
The response file is created at /opt/vmware/vcloud-director/etc/responses.properties on the first server
for which you configure network and database connections. When you add more servers to the group, you
must use a copy of the response file to supply configuration parameters that all servers share.
Procedure
1 Protect the response file.
Save a copy of the file in a secure location. Restrict access to it, and make sure it is backed up to a secure
location. When you back up the file, avoid sending cleartext across a public network.
2 Reuse the response file.
a Copy the file to a location accessible to the server you are ready to configure.
NOTE You must install vCloud Director software on a server before you can reuse the response file
to configure it. All directories in the pathname to the response file must be readable by the user
vcloud.vcloud, as shown in this example.
[root@cell1 /tmp]# ls -l responses.properties
-rw------- 1 vcloud vcloud 418 Jun 8 13:42 responses.properties
The installer creates this user and group.
b Run the configuration script, using the -r option and specifying the response file pathname.
Log in as root, open a console, shell, or terminal window, and type:
[root@cell1 /tmp]# /opt/vmware/vcloud-director/bin/configure -r /path-to-response-file
What to do next
After you configure the additional servers, delete the copy of the response file you used to configure them.
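The two permission rules in this guide pull in opposite directions: the keystore and the directories leading to it must be readable by any user, while the response file should grant nothing beyond its owner, as in the -rw------- listing above. The script below is an added example, not part of the VMware guide; it assumes GNU stat, and the function names and the optional base-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): audit the file permissions the guide
# asks for on the keystore and on the response file. Requires GNU stat.

# mode_of PATH: print the octal permission bits, for example 600 or 755.
mode_of() { stat -c '%a' "$1"; }

# keystore_readable_by_all FILE [BASE]
# Succeeds when FILE has the read bit for "other" and every directory from
# FILE's parent up to BASE (default /) has r-x for "other".
# Assumption: "readable" for a directory is taken to mean read plus search.
keystore_readable_by_all() (
    file=$1
    base=${2:-/}
    [ -f "$file" ] || { echo "not a regular file: $file"; exit 2; }
    status=0
    m=$(mode_of "$file")
    [ $(( 0$m & 04 )) -ne 0 ] || { echo "not readable by other users: $file ($m)"; status=1; }
    dir=$(cd "$(dirname "$file")" && pwd -P)
    base=$(cd "$base" && pwd -P)
    while :; do
        m=$(mode_of "$dir")
        [ $(( 0$m & 05 )) -eq 5 ] || { echo "directory blocks other users: $dir ($m)"; status=1; }
        if [ "$dir" = "$base" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    exit "$status"
)

# response_file_is_private FILE [OWNER:GROUP]
# Succeeds when FILE grants nothing to group or other (mode 600 or stricter)
# and, when OWNER:GROUP is given, is owned by exactly that user and group.
response_file_is_private() (
    file=$1
    want_owner=${2:-}
    [ -f "$file" ] || { echo "not a regular file: $file"; exit 2; }
    status=0
    m=$(mode_of "$file")
    [ $(( 0$m & 077 )) -eq 0 ] || { echo "group or other access on $file ($m)"; status=1; }
    if [ -n "$want_owner" ]; then
        owner=$(stat -c '%U:%G' "$file")
        [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner"; status=1; }
    fi
    exit "$status"
)

# Usage: sh audit-perms.sh /path/to/certificates.ks /path/to/responses.properties
if [ $# -eq 2 ]; then
    keystore_readable_by_all "$1"
    response_file_is_private "$2" vcloud:vcloud
fi
```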
Install vCloud Director Software on Additional Members of a Server
Group
You can add servers to a vCloud Director server group at any time. Because all servers in a server group
must be configured with the same database connection details, you must use the response file created when
you configured the first member of the group to supply this information when you configure additional
members.
Prerequisites
- Verify that you can access the response file that was created when you installed and configured the first
  member of this server group. See “Protecting and Reusing the Response File,” on page 29.
- Verify that the vCloud Director database is accessible from this server.
- Verify that the SSL certificates that you created for this server are installed in a location that the installer
  can access. See “Create and Import a Signed SSL Certificate,” on page 17. The configuration script does
  not run with a privileged identity, so the keystore file and the path in which it is stored must be
  readable by any user. Using the same keystore path (for example, /tmp/certificates.ks) on all
  members of a server group simplifies the installation process.
- Have the following information available:
  - The password of the keystore file that includes the SSL certificates for this server.
  - Password for each SSL certificate.
Procedure
1 Log in to the target server as root.
2 Download the installation file to the target server.
If you purchased the software on a CD or other media, copy the installation file to a location that is
accessible to all target servers.
3 Ensure that the installation file is executable.
The installation file requires execute permission. To be sure that it has this permission, open a console,
shell, or terminal window and run the following Linux command, where installation-file is the full
pathname to the vCloud Director installation file.
[root@cell1 /tmp]# chmod u+x installation-file
4 Copy the response file to a location accessible to this server.
All directories in the pathname to the response file must be readable by root.
5 In a console, shell, or terminal window, run the installation file using the -r option and specifying the
response file pathname.
To run the installation file, type its full pathname, for example:
[root@cell1 /tmp]# ./installation-file -r /path-to-response-file
The file includes an installation script and an embedded RPM package.
NOTE You cannot run the installation file from a directory whose pathname includes any embedded
space characters.
The installer prints a warning of the following form if you have not installed the VMware public key on
the target server.
warning:installation-file.rpm: Header V3 RSA/SHA1 signature: NOKEY, key ID 66fd4949
When the installer runs with the -r option, it takes these actions:
a verifies that the host meets all requirements
b verifies the digital signature on the installation file
c creates the vcloud user and group
d unpacks the vCloud Director RPM package
e installs the software
f copies the response file to a location readable by vcloud.vcloud
g runs the configuration script using the response file as input
When the configuration script runs, it looks for the certificates in the path saved in the response file (for
example, /tmp/certificates.ks), then prompts you to supply the keystore and certificate passwords. If
the configuration script does not find valid certificates in the pathname saved in the response file, it
prompts you for a pathname to the certificates.
6 (Optional) Repeat this procedure to add more servers to this server group.
What to do next
If your cloud needs to support guest customization for certain older Microsoft operating systems, install
Sysprep files on all members of the server group. See “Install Microsoft Sysprep Files on the Servers,” on
page 31.
After the configuration script finishes and vCloud Director services are running on all servers, you can open
the Setup wizard at the URL that appears when the script completes. See Chapter 4, “vCloud Director
Setup,” on page 43.
Install Microsoft Sysprep Files on the Servers
Before vCloud Director can perform guest customization on virtual machines with certain older Windows
guest operating systems, you must install the appropriate Microsoft Sysprep files on each member of the
server group.
Sysprep files are required only for some older Microsoft operating systems. If your cloud does not need to
support guest customization for those operating systems, you do not need to install Sysprep files.
To install the Sysprep binary files, you copy them to a specific location on the server. You must copy the
files to each member of the server group.
Prerequisites
Verify that you have access to the 32- and 64-bit Sysprep binary files for Windows 2003 and Windows XP.
Procedure
1 Log in to the target server as root.
2 Change directory to $VCLOUD_HOME/guestcustomization/default/windows.
[root@cell1 /]# cd /opt/vmware/vcloud-director/guestcustomization/default/windows
3 Create a directory named sysprep.
[root@cell1 /opt/vmware/vcloud-director/guestcustomization/default/windows]# mkdir sysprep
4 For each guest operating system that requires Sysprep binary files, create a subdirectory of
$VCLOUD_HOME/guestcustomization/default/windows/sysprep.
Subdirectory names are specific to a guest operating system.
Table 21. Subdirectory Assignments for Sysprep Files
Guest OS                 Subdirectory to Create Under $VCLOUD_HOME/guestcustomization/default/windows/sysprep
Windows 2003 (32-bit)    svr2003
Windows 2003 (64-bit)    svr2003-64
Windows XP (32-bit)      xp
Windows XP (64-bit)      xp-64
For example, to create a subdirectory to hold Sysprep binary files for Windows XP, use the following
Linux command.
[root@cell1 /opt/vmware/vcloud-director/guestcustomization/default/windows]# mkdir sysprep/xp
5 Copy the Sysprep binary files to the appropriate location on each vCloud Director server in the server
group.
6 Ensure that the Sysprep files are readable by the user vcloud.vcloud.
Use the Linux chown command to do this.
[root@cell1 /]# chown -R vcloud.vcloud $VCLOUD_HOME/guestcustomization
When the Sysprep files are copied to all members of the server group, you can perform guest customization
on virtual machines in your cloud. You do not need to restart vCloud Director after the Sysprep files are
copied.
Start or Stop vCloud Director Services
After you complete installation and database connection setup on a server, you can start vCloud Director
services on it. You can also stop these services if they are running.
The configuration script prompts you to start vCloud Director services. You can let the script start these
services for you, or you can start the services yourself later. These services must be running before you can
complete and initialize the installation.
vCloud Director services start whenever you reboot a server.
IMPORTANT If you are stopping vCloud Director services as part of a vCloud Director software upgrade, you
must use the cell management tool, which allows you to quiesce the cell before stopping services. See “Use
the Cell Management Tool to Quiesce and Shut Down a Server,” on page 35.
Procedure
1 Log in to the target server as root.
2 Start or stop services.
Option                                       Action
Start services                               Open a console, shell, or terminal window and run the following command.
                                             service vmware-vcd start
Stop services when the cell is in use        Use the cell management tool.
Stop services when the cell is not in use    Open a console, shell, or terminal window and run the following command.
                                             service vmware-vcd stop
Uninstall vCloud Director Software
Use the Linux rpm command to uninstall vCloud Director software from an individual server.
Procedure
1 Log in to the target server as root.
2 Unmount the transfer service storage, typically mounted at /opt/vmware/vcloud-director/data/transfer.
3 Open a console, shell, or terminal window and run the rpm command.
rpm -e vmware-vcloud-director
Chapter 3 Upgrading vCloud Director
To upgrade vCloud Director to a new version, install the new version on each server in the vCloud Director
server group, upgrade the vCloud Director database, and restart vCloud Director services. You must also
upgrade the vSphere components that support vCloud Director, including vShield Manager.
After you upgrade a vCloud Director server, you must also upgrade its vCloud Director database. The
database stores information about the runtime state of the server, including the state of all vCloud Director
tasks it is running. To ensure that no invalid task information remains in the database after an upgrade, you
must ensure that no tasks are active on the server before you begin the upgrade.
IMPORTANT The upgrade process requires you to upgrade vCloud Director, vShield Manager, vCenter, and
all hosts. You must prevent users from accessing vCloud Director until the vShield Manager upgrade step is
complete.
The upgrade preserves the following artifacts:
• Local and global properties files are copied to the new installation.
• Microsoft sysprep files used for guest customization are copied to the new installation.
If you use a load balancer to distribute client requests across members of your vCloud Director server
group, you can upgrade a subset of the server group while keeping existing services available on the others.
If you do not have a load balancer, the upgrade requires sufficient vCloud Director downtime to upgrade
the database and at least one server. You might also have to upgrade registered vCenter servers if they are
not running a compatible version of vCenter software. Upgrading vCenter servers and ESXi hosts can incur
additional vCloud Director downtime, because virtual machines are inaccessible while their hosts or
vCenter server are being upgraded.
Upgrading a vCloud Director Server Group
1 Disable user access to vCloud Director. You can also display a maintenance message while the upgrade
is underway. See “Displaying the Maintenance Message During an Upgrade,” on page 35.
2 Use the cell management tool to quiesce all cells in the server group and shut down vCloud Director
services on each server. See “Use the Cell Management Tool to Quiesce and Shut Down a Server,” on
page 35.
3 Upgrade vCloud Director software on all members of the server group. See “Upgrade vCloud Director
Software on Any Member of a Server Group,” on page 36. You can upgrade the servers individually
or in parallel, but you must not restart vCloud Director services on any upgraded member of the group
before you upgrade the vCloud Director database.
4 Upgrade the vCloud Director database. See “Upgrade the vCloud Director Database,” on page 38.
5 Restart vCloud Director on the upgraded servers. See “Start or Stop vCloud Director Services,” on
page 32.
6 Upgrade vShield Manager. All vShield Manager installations registered to this server group must be
upgraded to a version of vShield Manager software that is compatible with the version of
vCloud Director installed by the upgrade. If the upgrade program detects an incompatible version of
vShield Manager, upgrading is not allowed. You must upgrade to the latest version of vShield Manager
listed in “Supported Platforms,” on page 8 to use networking features introduced in this release of
vCloud Director. See “Upgrade vShield Manager,” on page 40.
7 Enable user access to vCloud Director.
8 Upgrade vCenter servers and hosts. See “Upgrade vCenter, Hosts, and vShield Edge Appliances,” on
page 40. All vCenter servers registered to this server group must be upgraded to a version of vCenter
software that is compatible with the version of vCloud Director installed by the upgrade. Incompatible
vCenter servers become inaccessible from vCloud Director after the upgrade is complete. See
“Supported Platforms,” on page 8.
Using a Load Balancer to Reduce Service Downtime
If you are using a load balancer or other tool that can force requests to go to specific servers, you can
upgrade a subset of the server group while keeping existing services available on the remaining subset. This
approach reduces vCloud Director service downtime to the length of time required to upgrade the
vCloud Director database. Users might experience some degradation of performance during the upgrade,
but in-progress tasks continue to run as long as any subset of the server group is operational. Console
sessions might be interrupted, but you can restart them.
1 Use the load balancer to redirect vCloud Director requests to a subset of the servers in the group.
Follow the procedures recommended by your load balancer.
2 Use the cell management tool to quiesce the cells that are no longer handling requests and shut down
vCloud Director services on those servers.
NOTE Console sessions routed through a server's console proxy are interrupted when the server shuts
down. Clients can refresh the console window to recover.
See “Use the Cell Management Tool to Quiesce and Shut Down a Server,” on page 35.
3 Upgrade vCloud Director software on the members of the server group on which you have stopped
vCloud Director, but do not restart those services. See “Upgrade vCloud Director Software on Any
Member of a Server Group,” on page 36.
4 Use the cell management tool to quiesce the cells that you have not yet upgraded and shut down
vCloud Director services on those servers.
5 Upgrade the vCloud Director database. See “Upgrade the vCloud Director Database,” on page 38.
6 Restart vCloud Director on the upgraded servers. See “Start or Stop vCloud Director Services,” on
page 32.
7 Upgrade vShield Manager. See “Upgrade vShield Manager,” on page 40.
8 Upgrade vCenter servers and hosts. See “Upgrade vCenter, Hosts, and vShield Edge Appliances,” on
page 40.
9 Use the load balancer to redirect vCloud Director requests to the upgraded servers.
10 Upgrade vCloud Director software on the remaining servers in the group, and restart vCloud Director
on those servers as the upgrades complete. See “Upgrade vCloud Director Software on Any Member of
a Server Group,” on page 36.
Displaying the Maintenance Message During an Upgrade
If you anticipate a lengthy upgrade process and want to have the system display a maintenance message
while the upgrade is underway, verify that at least one cell remains accessible while the others are being
upgraded. Run the /opt/vmware/vcloud-director/bin/vmware-vcd-cell command on that cell to turn on the
cell maintenance message.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./vmware-vcd-cell maintenance
You can run this command on a cell before or after it is upgraded. When you are ready to upgrade the cell
or return an upgraded cell to service, run the following command on the cell to turn off the maintenance
message.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./vmware-vcd-cell stop
This chapter includes the following topics:
• “Use the Cell Management Tool to Quiesce and Shut Down a Server”
• “Upgrade vCloud Director Software on Any Member of a Server Group”
• “Upgrade the vCloud Director Database”
• “Upgrade vShield Manager”
• “Upgrade vCenter, Hosts, and vShield Edge Appliances”
Use the Cell Management Tool to Quiesce and Shut Down a Server
Before you upgrade a vCloud Director server, use the cell management tool to quiesce and shut down
vCloud Director services on the server's cell.
vCloud Director creates a task object to track and manage each asynchronous operation that a user requests.
Information about all running and recently completed tasks is stored in the vCloud Director database.
Because a database upgrade invalidates this task information, you must be sure that no tasks are running
when you begin the upgrade process.
With the cell management tool, you can suspend the task scheduler so that new tasks cannot be started, then
check the status of all active tasks. You can wait for running tasks to finish or log in to vCloud Director as a
system administrator and cancel them. See Chapter 5, “Cell Management Tool Reference,” on page 47.
When no tasks are running, you can use the cell management tool to stop vCloud Director services.
Prerequisites
• Verify that you have superuser credentials for the target server.
• Verify that you have vCloud Director system administrator credentials.
• If this cell will be accessible to vCloud Director clients while it is being upgraded, use
the /opt/vmware/vcloud-director/bin/vmware-vcd-cell command to turn on the cell maintenance
message.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./vmware-vcd-cell maintenance
This command causes the cell to respond to all requests with a maintenance message. If you use a load
balancer or similar tool to make the cell inaccessible during the upgrade, you do not need to turn on
the cell maintenance message.
Procedure
1 Log in to the target server as root.
2 Use the cell management tool to gracefully shut down the cell.
a Retrieve the current job status.
The following cell-management-tool command supplies system administrator credentials and
returns the count of running jobs.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool -u administrator cell --status
Job count = 3
Is Active = true
b Stop the task scheduler to quiesce the cell.
Use a cell-management-tool command of the following form.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool -u administrator cell --quiesce true
This command prevents new jobs from being started. Existing jobs continue to run until they finish
or are cancelled. To cancel a job, use the vCloud Director Web Console or the REST API.
c When the Job count value is 0 and the Is Active value is false, it is safe to shut down the cell.
Use a cell-management-tool command of the following form.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool -u administrator cell --shutdown
NOTE You can supply the vCloud Director system administrator password on the cell-management-tool
command line, but it is more secure to omit the password. This causes the cell-management-tool
to prompt for the password, which it does not display on the screen as you type.
Console sessions routed through a server's console proxy are interrupted when the server shuts
down. If other members of the server group are still active, clients can refresh the console window
to recover.
What to do next
After the cell management tool stops vCloud Director services on this server, you can upgrade the server's
vCloud Director software or complete other maintenance that the server requires.
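The shutdown condition from step 2 of the procedure above, as an added example that is not part of the VMware guide or of VMware's tooling: a POSIX shell helper that reads the Job count and Is Active lines of the status output and treats anything it cannot parse as not safe to shut down. The function names are hypothetical, and the status command is supplied by the caller exactly as shown in step 2a.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.

# parse_cell_status: read `cell --status` output on stdin and print
# "<job count> <is active>". Exits 2 if either field is missing or
# malformed, so an error message or empty output is never mistaken
# for an idle cell.
parse_cell_status() {
    awk -F'=' '
        /^[ \t]*Job count[ \t]*=/ { gsub(/[ \t\r]/, "", $2); jobs = $2 }
        /^[ \t]*Is Active[ \t]*=/ { gsub(/[ \t\r]/, "", $2); active = $2 }
        END {
            if (jobs !~ /^[0-9]+$/ || (active != "true" && active != "false"))
                exit 2
            print jobs + 0, active
        }'
}

# cell_is_idle: status output on stdin.
# Returns 0 when Job count is 0 and Is Active is false (the condition the
# guide gives for a safe shutdown), 1 when the cell is still busy, and
# 2 when the output could not be parsed.
cell_is_idle() {
    cis_fields=$(parse_cell_status) || return 2
    case $cis_fields in
        "0 false") return 0 ;;
        *)         return 1 ;;
    esac
}

# wait_for_idle MAX_POLLS INTERVAL_SECONDS COMMAND [ARGS...]
# Runs COMMAND (the status query) up to MAX_POLLS times.
# Returns 0 once the cell is idle, 1 if it is still busy after the last
# poll, and 2 as soon as COMMAND fails or prints unrecognised output.
wait_for_idle() {
    wfi_max=$1
    wfi_interval=$2
    shift 2
    wfi_n=0
    while [ "$wfi_n" -lt "$wfi_max" ]; do
        wfi_n=$((wfi_n + 1))
        wfi_out=$("$@") || return 2
        wfi_rc=0
        printf '%s\n' "$wfi_out" | cell_is_idle || wfi_rc=$?
        case $wfi_rc in
            0) return 0 ;;
            2) return 2 ;;
        esac
        if [ "$wfi_n" -lt "$wfi_max" ]; then
            sleep "$wfi_interval"
        fi
    done
    return 1
}

# Usage on a cell, after quiescing it (step 2b). No password is given on
# the command line, so the tool prompts for it on every poll:
#   cd /opt/vmware/vcloud-director/bin
#   wait_for_idle 30 60 ./cell-management-tool -u administrator cell --status \
#       && ./cell-management-tool -u administrator cell --shutdown
```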
Upgrade vCloud Director Software on Any Member of a Server Group
The vCloud Director installer verifies that the target server meets all upgrade prerequisites and upgrades
the vCloud Director software on the server.
vCloud Director software is distributed as a Linux executable file named
vmware-vcloud-director-5.5.0-nnnnnn.bin, where nnnnnn represents a build number. After the upgrade is installed on a member of a
server group, you must run a tool that upgrades the vCloud Director database that the group uses before
you can restart vCloud Director services on the upgraded server.
Prerequisites
• Verify that you have superuser credentials for the target server.
• To have the installer verify the digital signature of the installation file, download and install the
VMware public key on the target server. If you already verified the digital signature of the installation
file, you do not need to verify it again during installation. See “Download and Install the VMware
Public Key,” on page 22.
• Use the cell management tool to quiesce and shut down vCloud Director services on the server's cell.
Procedure
1 Log in to the target server as root.
2 Download the installation file to the target server.
If you purchased the software on a CD or other media, copy the installation file to a location that is
accessible to all target servers.
3 Verify that the checksum of the download matches the one posted on the download page.
Values for MD5 and SHA1 checksums are posted on the download page. Use the appropriate tool to
verify that the checksum of the downloaded installation file matches the one shown on the download
page. A Linux command of the following form validates the checksum for installation-file using the MD5
checksum-value copied from the download page.
[root@cell1 /tmp]# echo "checksum-value  installation-file" | md5sum -c -
4 Ensure that the installation file is executable.
The installation file requires execute permission. To be sure that it has this permission, open a console,
shell, or terminal window and run the following Linux command, where installation-file is the full
pathname to the vCloud Director installation file.
[root@cell1 /tmp]# chmod u+x installation-file
5 Use the cell management tool to quiesce the cell and shut down vCloud Director services on the server.
See “Use the Cell Management Tool to Quiesce and Shut Down a Server,” on page 35.
6 In a console, shell, or terminal window, run the installation file.
To run the installation file, type its full pathname, for example ./installation-file. The file includes
an installation script and an embedded RPM package.
NOTE You cannot run the installation file from a directory whose pathname includes any embedded
space characters.
If the installer detects a version of vCloud Director installed on this server that is equal to or later than
the version in the installation file, it displays an error message and exits. Otherwise, it prompts you to
confirm that you are ready to upgrade this server.
Checking architecture...done
Checking for a supported Linux distribution...done
Checking for necessary RPM prerequisites...done
Checking free disk space...done
An older version of VMware vCloud Director has been detected. Would you like
to upgrade it? The installer will stop the vmware-vcd service,
back up any configuration files from the previous release and migrate the
product configuration as necessary.
7 Respond to the upgrade prompt.
Option                                                                      Action
Continue the upgrade.                                                       Type y.
Exit to the shell without making any changes in the current installation.   Type n.
After you confirm that you are ready to upgrade the server, the installer verifies that the host meets all
requirements, unpacks the vCloud Director RPM package, stops vCloud Director services on the server,
and upgrades the installed vCloud Director software.
Would you like to upgrade now? (y/n) y
Extracting vmware-vcloud-director ......done
Upgrading VMware vCloud Director...
Installing the VMware vCloud Director
Preparing... ##################################################
vmware-vcloud-director ##################################################
Migrating settings and files from previous release...done
Migrating in-progress file transfers to /opt/vmware/vcloud-director/data/transfer...done
Uninstalling previous release...done
The installer prints a warning of the following form if you did not install the VMware public key on the
target server.
warning:installation-file.rpm: Header V3 RSA/SHA1 signature: NOKEY, key ID 66fd4949
8 (Optional) Update logging properties.
After an upgrade, new logging properties are written to the file
/opt/vmware/vcloud-director/etc/log4j.properties.rpmnew.
Option                                               Action
If you did not change existing logging properties    Copy this file to /opt/vmware/vcloud-director/etc/log4j.properties.
If you changed logging properties                    Merge /opt/vmware/vcloud-director/etc/log4j.properties.rpmnew file with the
                                                     existing /opt/vmware/vcloud-director/etc/log4j.properties.
                                                     Merging these files preserves your changes.
When the vCloud Director software upgrade is complete, the installer displays a message indicating where
the old configuration files are stored, then reminds you to run the database upgrade tool.
What to do next
• If you have not already done so, upgrade the vCloud Director database that this server uses.
• If you already upgraded the vCloud Director database that this server group uses, you can restart the
upgraded server. See “Start or Stop vCloud Director Services,” on page 32.
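Step 3 of the procedure above, as an added example that is not part of the VMware guide: a POSIX shell helper that checks a downloaded installation file against both the MD5 and the SHA1 value posted on the download page, and rejects a truncated or mistyped value as a bad input instead of reporting it as a mismatch. The function names are hypothetical, and the md5sum and sha1sum utilities are assumed to be installed.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.

# verify_posted_checksum ALGO EXPECTED FILE
# ALGO is md5 or sha1, the two checksum types posted on the download page.
# Returns 0 on a match, 1 on a mismatch, 2 when the arguments are unusable
# (unknown type, value of the wrong length or with non-hex characters,
# unreadable file).
verify_posted_checksum() {
    vpc_algo=$1
    vpc_file=$3
    case $vpc_algo in
        md5)  vpc_tool=md5sum;  vpc_len=32 ;;
        sha1) vpc_tool=sha1sum; vpc_len=40 ;;
        *)    echo "unsupported checksum type: $vpc_algo" >&2; return 2 ;;
    esac

    # Normalise the value copied from the download page: drop stray
    # whitespace and fold upper-case hex digits to lower case.
    vpc_want=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case $vpc_want in
        ''|*[!0-9a-f]*)
            echo "$vpc_algo value is empty or not hexadecimal" >&2
            return 2 ;;
    esac
    if [ "${#vpc_want}" -ne "$vpc_len" ]; then
        echo "$vpc_algo value has ${#vpc_want} digits, expected $vpc_len" >&2
        return 2
    fi
    if [ ! -f "$vpc_file" ] || [ ! -r "$vpc_file" ]; then
        echo "cannot read $vpc_file" >&2
        return 2
    fi

    # The tools print "<digest>  -" when reading standard input.
    vpc_got=$("$vpc_tool" < "$vpc_file") || return 2
    vpc_got=${vpc_got%% *}
    if [ "$vpc_got" = "$vpc_want" ]; then
        return 0
    fi
    echo "$vpc_algo mismatch for $vpc_file" >&2
    return 1
}

# verify_download FILE MD5_VALUE SHA1_VALUE
# Succeeds only if the file matches both posted values.
verify_download() {
    verify_posted_checksum md5 "$2" "$1" || return $?
    verify_posted_checksum sha1 "$3" "$1" || return $?
}

# Usage, with both values copied from the download page:
#   verify_download installation-file md5-checksum-value sha1-checksum-value \
#       && chmod u+x installation-file
```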
Upgrade the vCloud Director Database
After you upgrade a server in your vCloud Director server group, you must upgrade the group's
vCloud Director database before you restart vCloud Director services on the server.
All servers in a vCloud Director server group share the same database, so regardless of how many servers
you are upgrading, you need to upgrade the database only once. After the database is upgraded,
vCloud Director servers cannot connect to it until they, too, are upgraded.
Prerequisites
IMPORTANT Back up your existing database before you upgrade it. Use the procedures that your database
software vendor recommends.
Verify that all vCloud Director cells are inactive. See “Use the Cell Management Tool to Quiesce and Shut
Down a Server,” on page 35.
Procedure
1 Open a console, shell, or terminal window, and type the following command to run the database
upgrade script.
/opt/vmware/vcloud-director/bin/upgrade
IMPORTANT If the database upgrade script detects that an incompatible version of vShield Manager is
registered to this installation of vCloud Director, it displays this warning message and cancels the
upgrade.
One or more vShield Manager servers registered to this vCloud
Director installation are not supported by the version of vCloud Director
you are upgrading to. Upgrade canceled, please follow the procedures in
the vShield Manager Upgrade Guide to upgrade those unsupported vShield
Manager servers.
2 Respond to the database upgrade prompts.
a Confirm that you want to continue with the database upgrade.
Welcome to the vCloud Director upgrade utility
This utility will apply several updates to the database. Please
ensure you have created a backup of your database prior to continuing.
Do you wish to upgrade the product now? [Y/N]:
Take one of the following actions:
Option                                                                                  Action
Continue the upgrade.                                                                   Type y.
Exit to the shell without making any changes in the current vCloud Director database.   Type n.
b (Optional) Wait for cells to become inactive, if necessary.
If the database upgrade tool detects that any cells are still active, it prompts you to continue with
the upgrade or exit.
Found active cell. Name: "cell-01", IP Address: 10.150.151.190, Identifier: a2eb...
Do you wish to upgrade the database while cells are still active? [Y/N]
If you see this prompt, type n to exit to the shell, then wait five minutes and restart the database
upgrade tool. If the database upgrade tool continues to warn you about cells that are still active,
return to the procedure in “Use the Cell Management Tool to Quiesce and Shut Down a Server,” on
page 35 and ensure that all cells have become inactive.
After you have responded to all prompts, the database upgrade tool runs and displays progress
messages.
Executing upgrade task: Start UpdateStatementManager
...[3]
Successfully ran upgrade task
Executing upgrade task: ...
.......... Successfully ran upgrade task
...
Executing upgrade task: Stop UpdateStatementManager
...[3]
...
Successfully ran upgrade task
3 (Optional) Rebuild the database indexes and update the database statistics.
These procedures can lead to better database performance after the upgrade.
Do you wish to rebuild the database indexes? This may take several minutes. [Y/N] y
Rebuilding database indexes
...
Do you wish to update the database statistics? This may take several minutes. [Y/N] y
Updating database statistics
...
After the database is upgraded, the upgrade script offers to start vCloud Director services on this host.
Would you like to start the vCloud Director service now? If you choose not
to start it now, you can manually start it at any time using this command:
service vmware-vcd start
Start it now? [y/n]:y
Starting the vCloud Director service (this may take a moment).
Upgrade vShield Manager
Before you can upgrade vCenter servers and hosts registered to vCloud Director, you must upgrade vShield
Manager servers attached to the vCenter servers.
Before you upgrade a vCenter server attached to vCloud Director, upgrade the vShield Manager server
associated with the upgraded vCenter server. Upgrading vShield Manager interrupts access to vShield
Manager administrative functions, but does not interrupt network services.
Prerequisites
At least one upgraded cell in your vCloud Director installation must be running before you begin this
upgrade. The cell is responsible for writing data about the upgraded vShield Manager to the
vCloud Director database.
Procedure
1 Upgrade vShield Manager.
Follow the procedure in the vShield Installation and Upgrade Guide. After this upgrade completes, vShield
Manager notifies vCloud Director that it has a new version. It can take several minutes before vShield
Manager sends the notification and vCloud Director processes it.
2 After you have upgraded vShield Manager, you must upgrade all vCenter servers and hosts before you
upgrade the vShield Edge appliances that the upgraded vShield Manager manages.
Upgrade vCenter, Hosts, and vShield Edge Appliances
After you have upgraded vCloud Director and vShield Manager, upgrade the vCenter servers and hosts
attached to your cloud, then upgrade vShield Edge appliances on upgraded vCenter servers.
Procedure
1 Upgrade the vCenter server.
See the vSphere Installation and Setup Guide.
2 (Optional) If you have configured vCloud Director to use vCenter Single Sign On, you must unregister
and re-register vCloud Director with the vCenter Lookup Service.
a Log in to vCloud Director as a system administrator using a local or LDAP account. Do not use
vCenter Single Sign On for this log in.
b Unregister vCloud Director with the vCenter Lookup Service.
On the Administration tab of the vCloud Director Web console, click Federation in the left pane,
and click Unregister. You must provide the appropriate vCenter administrator credentials to
complete this action.
c Register vCloud Director with the vCenter Lookup Service.
See "Configure vCloud Director to use vCenter Single Sign On" in the vCloud Director
Administrator's Guide.
3 Refresh the vCenter server's registration with vCloud Director.
a In the vCloud Director Web console, click the Manage & Monitor tab and click vCenters in the left
pane.
b Right-click the vCenter Server name and select Refresh.
c Click Yes.
4 Upgrade each host that the upgraded vCenter server supports.
See the vSphere Installation and Setup Guide. For each host, the upgrade requires the following steps:
a In the vCloud Director Web console, disable the host.
On the Manage and Monitor page, click Hosts, then right-click the host and select Disable Host.
b Use vCenter to put the host into maintenance mode and allow all the virtual machines on that host
to migrate to another host.
c Upgrade the host.
To ensure that you have enough upgraded host capacity to support the virtual machines in your
cloud, upgrade hosts in small batches. When you do this, host agent upgrades can complete in time
to allow virtual machines to migrate back to the upgraded host.
d Use vCenter to reconnect the host.
e Upgrade the vCloud Director host agent on the host.
See "Upgrade an ESX/ESXi Host Agent" in the vCloud Director Administrator's Guide.
f In the vCloud Director Web console, enable the host.
On the Manage and Monitor page, click Hosts, then right-click the host and select Enable Host.
g Use vCenter to take the host out of maintenance mode.
5 Upgrade all vShield Edge appliances managed by the vShield Manager on the upgraded vCenter
server.
Use the vShield Manager user interface to manage this upgrade.
NOTE If you use the vCloud Director Web console or REST API to reset a network that vShield Edge
protects, this upgrade occurs automatically. Using the vShield Manager user interface to manage the
vShield Edge provides better administrative control over the upgrade process and related network
downtime.
What to do next
Repeat this procedure for the other vCenter servers registered to your cloud.
Chapter 4 vCloud Director Setup
After you configure all servers in the vCloud Director server group and connect them to the database, you
can initialize the server group's database with a license key, system administrator account, and related
information. When this process is complete, you can use the vCloud Director Web Console to complete the
initial provisioning of your cloud.
Before you can run the vCloud Director Web Console, you must run the Setup wizard, which gathers the
information that the Web Console requires before it can start. After the wizard is finished, the Web Console
starts and displays the login screen. The vCloud Director Web Console provides a set of tools for
provisioning and managing a cloud. It includes a Quickstart feature that guides you through steps like
attaching vCloud Director to vCenter and creating an organization.
Prerequisites
• Complete the installation of all vCloud Director servers, and verify that vCloud Director services have
started on all servers.
• Verify that you have the URL that the configuration script displays when it completes.
NOTE To discover the URL of the Setup wizard after the script exits, look up the fully qualified domain
name associated with the IP address you specified for the HTTP service during installation of the first
server and use it to construct a URL of the form https://fully-qualified-domain-name, for example,
https://mycloud.example.com. You can connect to the wizard at that URL.
Procedure
1 Open a Web browser and connect to the URL that the configuration script displays when it completes.
2 Follow the prompts to complete the setup.
This chapter includes the following topics:
• “Review the License Agreement”
• “Enter the License Key”
• “Create the System Administrator Account”
• “Specify System Settings”
• “Ready to Log In to vCloud Director”
Review the License Agreement
Before you can configure a vCloud Director server group, you must review and accept the end user license
agreement.
Procedure
1 Review the license agreement.
2 Accept or reject the agreement.
Option                              Action
To accept the license agreement.    Click Yes, I accept the terms in the license agreement.
To reject the license agreement.    Click No, I do not accept the terms in the license agreement.
If you reject the license agreement, you cannot proceed with vCloud Director configuration.
Enter the License Key
Each vCloud Director cluster requires a license to run. The license is specified as a product serial number.
The product serial number is stored in the vCloud Director database.
The vCloud Director product serial number is not the same as the vCenter server license key. To operate a
vCloud, you must have a vCloud Director product serial number and a vCenter server license key. You can
obtain both types of license keys from the VMware License Portal.
Procedure
1 Obtain a vCloud Director product serial number from the VMware License Portal.
2 Type the product serial number in the Product serial number text box.
Create the System Administrator Account
Specify the user name, password, and contact information for the vCloud Director system administrator.
The vCloud Director system administrator has superuser privileges throughout the cloud. You create the
initial system administrator account during vCloud Director setup. After installation and configuration is
complete, this system administrator can create additional system administrator accounts as needed.
Procedure
1 Type the system administrator's user name.
2 Type the system administrator's password and confirm it.
3 Type the system administrator's full name.
4 Type the system administrator's email address.
Specify System Settings
You can specify the system settings that control how vCloud Director interacts with vSphere and vShield
Manager.
The configuration process creates a folder in vCenter for vCloud Director to use and specifies an installation
ID to use when you create MAC addresses for virtual NICs.
Procedure
1 Type a name for the vCloud Director vCenter folder in the System name field.
2 Use the Installation ID field to specify the installation ID for this installation of vCloud Director.
If a datacenter includes multiple installations of vCloud Director, each installation must specify a
unique installation ID.
Ready to Log In to vCloud Director
After you provide all of the information that the Setup Wizard requires, you can confirm your settings and
complete the wizard. After the wizard finishes, the login screen of the vCloud Director Web Console
appears.
The Ready to Log In page lists all the settings you have provided to the wizard. Review the settings
carefully.
Prerequisites
Verify that you have access to vCenter and vShield Manager. The vCloud Director Web Console requires
access to the installations of vCenter and vShield Manager that you want to configure as part of this
vCloud Director. These installations must be running and configured to work with each other before you
finish this task. For more information, see “vCloud Director Hardware and Software Requirements,” on
page 8.
Procedure
- To change a setting, click Back until you get to the page where the setting originated.
- To confirm all settings and complete the configuration process, click Finish.
When you click Finish, the wizard applies the settings you specified, then starts the vCloud Director Web
Console and displays its login screen.
What to do next
Log in to the vCloud Director Web Console using the user name and password you provided for the system
administrator account. After you have logged in, the console displays a set of Quickstart steps that you must
complete before you can use this cloud. When the steps are complete, the Guided Tasks are enabled, and
your cloud is ready for use.
5 Cell Management Tool Reference
The cell management tool is a command-line utility that you can use to manage a cell and its SSL certificates,
and to export tables from the vCloud Director database. Superuser or system administrator credentials are
required for some operations.
The cell management tool is installed in /opt/vmware/vcloud-director/bin/cell-management-tool.
Listing Available Commands
To list the available cell management tool commands, use the following command line.
cell-management-tool -h
Example: Cell Management Tool Usage Help
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool -h
usage: cell-management-tool
-h,--help print this message
-p,--password <arg> administrator password
-u,--username <arg> administrator username
Available commands:
cell - Manipulates the Cell and core components
dbextract - Exports the data from the given set of tables
certificates - Reconfigures the SSL certificates for the cell
generate-certs - Generates self-signed SSL certificates for use with vCD cell
recover-password - Change a forgotten System Administrator password. Database credentials are required
For command specific help:
cell-management-tool [...] <commandName> -h
- Commands for Managing a Cell on page 48
  Use the cell command of the cell management tool to suspend the task scheduler so that new tasks
  cannot be started, to check the status of active tasks, to control cell maintenance mode, and to shut
  down the cell gracefully.
- Commands for Exporting Database Tables on page 49
  Use the dbextract command of the cell management tool to export data from the vCloud Director
  database.
- Commands for Replacing SSL Certificates on page 51
  Use the certificates command of the cell management tool to replace the cell's SSL certificates.
- Commands for Generating Self-Signed SSL Certificates on page 52
  Use the generate-certs command of the cell management tool to generate new self-signed SSL
  certificates for the cell.
- Recovering the System Administrator Password on page 53
  If you know the vCloud Director database username and password, you can use the
  recover-password command of the cell management tool to recover the vCloud Director system
  administrator password.
Commands for Managing a Cell
Use the cell command of the cell management tool to suspend the task scheduler so that new tasks cannot
be started, to check the status of active tasks, to control cell maintenance mode, and to shut down the cell
gracefully.
To manage a cell, use a command line with the following form:
cell-management-tool -u sysadmin-username -p sysadmin-password cell command
sysadmin-username Username of a vCloud Director system administrator.
sysadmin-password Password of the vCloud Director system administrator.
NOTE You can supply the vCloud Director system administrator password
on the cell-management-tool command line, but it is more secure to omit the
password. This causes the cell-management-tool to prompt for the
password, which it does not display on the screen as you type.
command cell subcommand.
Table 5-1. Cell Management Tool Options and Arguments, cell Subcommand

| Command | Argument | Description |
| --- | --- | --- |
| --help (-h) | None | Provides a summary of available commands in this category. |
| --maintenance (-m) | true or false | Controls cell maintenance mode. The argument true puts the cell into maintenance mode. (You must quiesce the cell first.) The argument false releases the cell from maintenance mode. |
| --quiesce (-q) | true or false | Quiesces activity on the cell. The argument true suspends the scheduler. The argument false restarts the scheduler. |
| --shutdown (-s) | None | Shuts down vCloud Director services on the server. |
| --status (-t) | None | Displays information about the number of jobs running on the cell and the status of the cell. |
Example: Getting Task Status
The following cell-management-tool command line supplies system administrator credentials and returns
the count of running jobs. When the Job count value is 0 and the Is Active value is false, you can safely
shut down the cell.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool -u administrator cell --status
Job count = 3
Is Active = true
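The shutdown check described above, scripted as an added example (it is not part of the VMware guide or the tool). The function names and the CMT and VCD_ADMIN variables are this example's own, and it assumes the tool's status output can be piped to another command.

```shell
#!/bin/sh
# Added example: gate a cell shutdown on the `cell --status` output.
# CMT and VCD_ADMIN are assumptions of this example; adjust to your install.
CMT="${CMT:-/opt/vmware/vcloud-director/bin/cell-management-tool}"
VCD_ADMIN="${VCD_ADMIN:-administrator}"

# Run a cell subcommand. -p is omitted on purpose so the tool prompts for
# the password instead of exposing it on the command line.
cell_cmd() {
    "$CMT" -u "$VCD_ADMIN" cell "$@"
}

# Read `cell --status` output on stdin.
# Return 0 only when both "Job count = 0" and "Is Active = false" are seen.
# Missing or malformed lines count as "not idle" (fail closed).
cell_is_idle() {
    awk -F'=' '
        { key = $1; val = $2
          gsub(/^[ \t]+|[ \t\r]+$/, "", key)
          gsub(/^[ \t]+|[ \t\r]+$/, "", val) }
        key == "Job count" { jobs = val; have_jobs = 1 }
        key == "Is Active" { active = val; have_active = 1 }
        END { exit !(have_jobs && have_active && jobs ~ /^0+$/ && active == "false") }
    '
}

# Quiesce the scheduler, poll until the cell is idle, then shut it down.
# $1 = maximum number of polls (default 60), $2 = seconds between polls (default 30).
# Returns 2 and leaves the cell quiesced if it never becomes idle.
drain_and_shutdown() {
    max="${1:-60}"; wait_s="${2:-30}"; n=0
    cell_cmd --quiesce true || return 1
    until cell_cmd --status | cell_is_idle; do
        n=$((n + 1))
        if [ "$n" -ge "$max" ]; then
            echo "cell still busy after $n polls; not shutting down" >&2
            return 2
        fi
        sleep "$wait_s"
    done
    cell_cmd --shutdown
}
```

Source the file and call drain_and_shutdown from a root shell on the cell; because -p is omitted, the tool prompts for the password on each invocation.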
Commands for Exporting Database Tables
Use the dbextract command of the cell management tool to export data from the vCloud Director
database.
To export database tables, use a command line with the following form:
cell-management-tool dbextract options
Table 5-2. Cell Management Tool Options and Arguments, dbextract Subcommand

| Option | Argument | Description |
| --- | --- | --- |
| --help (-h) | None | Provides a summary of available commands in this category. |
| -categories | A comma-separated list of table categories to export. | Optional. NETWORKING is the only supported category |
| -dataFile | An absolute path to a file describing the data to export. | Optional. If not supplied, the command uses $VCLOUD_HOME/etc/data_to_export.properties. See “Specifying Tables and Columns to Export,” on page 50. |
| -dumpFile | An absolute path to a dump file. The containing directory must exist and be writable by root. | All data will be exported to this file. |
| -exportSettingsFile | An absolute path to a data export settings properties file. | Optional. If not supplied, the command uses $VCLOUD_HOME/etc/data_export_settings.ini. See “Limiting and Ordering Exported Rows,” on page 51. |
| -properties | An absolute path to a database connection properties file. | Optional. If not supplied, the command uses the database connection properties in $VCLOUD_HOME/etc/global.properties. See “Specifying a Properties File,” on page 50. |
| -tables | A comma-separated list of tables. | Optional. Export all tables to see individual table names. |
Specifying a Properties File
By default, the dbextract command extracts data from the vCloud Director database using the database
connection information in the current cell's $VCLOUD_HOME/etc/global.properties file. To extract data from a
different vCloud Director database, specify the database connection properties in a file and use the
-properties option to provide the pathname to that file on the command line. The properties file is a
UTF-8 file that has the following format.
username=username
password=password
servicename=db_service_name
port=db_connection_port
database-ip=db_server_ip_address
db-type=db_type
username The vCloud Director database user name.
password The vCloud Director database password.
db_service_name The database service name. For example, orcl.example.com.
db_connection_port The database port.
db_server_ip_address The IP address of the database server.
db_type The database type. Must be Oracle or MS_SQL.
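Because this properties file holds the database password in clear text, a pre-flight check before passing it to -properties is worthwhile. The following is an added example, not part of the VMware guide or the tool; the function name check_dbextract_props and its messages are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for a dbextract -properties file.
# The function name and messages are this example's own.

# check_dbextract_props FILE
# Returns 0 when FILE has all six keys of the format above with non-empty
# values, db-type is Oracle or MS_SQL, port is numeric, and the file is not
# accessible to group or other (it stores the database password).
check_dbextract_props() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }

    # Characters 5-10 of `ls -l` output are the group and other permission bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: accessible to group/other; restrict it to mode 600" >&2
        rc=1
    fi

    for key in username password servicename port database-ip db-type; do
        if ! grep -q "^${key}=." "$f"; then
            echo "$f: missing or empty key '$key'" >&2
            rc=1
        fi
    done

    dbtype=$(sed -n 's/^db-type=//p' "$f" | tail -n 1 | tr -d '\r')
    case "$dbtype" in
        Oracle|MS_SQL) ;;
        *) echo "$f: db-type must be Oracle or MS_SQL" >&2; rc=1 ;;
    esac

    port=$(sed -n 's/^port=//p' "$f" | tail -n 1 | tr -d '\r')
    case "$port" in
        ''|*[!0-9]*) echo "$f: port must be a number" >&2; rc=1 ;;
    esac

    return "$rc"
}
```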
Specifying Tables and Columns to Export
To restrict the set of data exported, use the -exportSettingsFile option and create a
data_to_export.properties file that specifies individual tables and, optionally, columns to export. This file
is a UTF-8 file that contains zero or more lines of the form TABLE_NAME:COLUMN_NAME.
TABLE_NAME The name of a table in the database. To see a list of table names, export all
tables.
COLUMN_NAME The name of a column in the specified TABLE_NAME.
This example data_to_export.properties file exports columns from the ACL and ADDRESS_TRANSLATION
tables.
ACL:ORG_MEMBER_ID
ACL:SHARABLE_ID
ACL:SHARABLE_TYPE
ACL:SHARING_ROLE_ID
ADDRESS_TRANSLATION:EXTERNAL_ADDRESS
ADDRESS_TRANSLATION:EXTERNAL_PORTS
ADDRESS_TRANSLATION:ID
ADDRESS_TRANSLATION:INTERNAL_PORTS
ADDRESS_TRANSLATION:NIC_ID
The command expects to find this file in $VCLOUD_HOME/etc/data_to_export.properties, but you can specify
another path.
Limiting and Ordering Exported Rows
For any table, you can specify how many rows to export and how to order the exported rows. Use the
-exportSettingsFile option and create a data_export_settings.ini file that specifies individual tables. This
file is a UTF-8 file that contains zero or more entries of the following form:
[TABLE_NAME]
rowlimit=int
orderby=COLUMN_NAME
TABLE_NAME The name of a table in the database. To see a list of table names, export all
tables.
COLUMN_NAME The name of a column in the specified TABLE_NAME.
This example data_export_settings.ini restricts data exported from the AUDIT_EVENT table to the first 10000
rows and orders the rows by the value in the event_time column.
[AUDIT_EVENT]
rowlimit=100000
orderby=event_time
The command expects to find this file in $VCLOUD_HOME/etc/data_export_settings.ini, but you can specify
another path.
Example: Exporting All Tables From the Current vCloud Director Database.
This example exports all tables of the current vCloud Director database to the file /tmp/dbdump.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool dbextract -dumpFile /tmp/dbdump
This utility outputs data from your vCloud Director system
that may contain sensitive data.
Do you want to continue and output the data (y/n)?
y
Exporting data now. Please wait for the process to finish
Exported 144 of 145 tables.
Commands for Replacing SSL Certificates
Use the certificates command of the cell management tool to replace the cell's SSL certificates.
The certificates command of the cell management tool automates the process of replacing a cell's
existing certificates with new ones stored in a JCEKS keystore. The certificates command helps you
replace self-signed certificates with signed ones. To create a JCEKS keystore containing signed certificates,
see “Create and Import a Signed SSL Certificate,” on page 17.
To replace the cell's SSL certificates, use a command with the following form:
cell-management-tool certificates options
Table 5-3. Cell Management Tool Options and Arguments, certificates Subcommand

| Option | Argument | Description |
| --- | --- | --- |
| --help (-h) | None | Provides a summary of available commands in this category. |
| --config (-c) | full pathname to the cell's global.properties file | Defaults to $VCLOUD_HOME/etc/global.properties. |
| --responses (-r) | full pathname to the cell's responses.properties file | Defaults to $VCLOUD_HOME/etc/responses.properties. |
| --keystore (-s) | keystore-pathname | Full pathname to a JCEKS keystore containing the signed certificates. |
| --keystore-pwd (-w) | keystore-password | Password for the JCEKS keystore referenced by the --keystore option. |
Example: Replacing Certificates
You can omit the --config and --responses options unless those files were moved from their default
locations. In this example, a keystore at /tmp/new.ks has the password kspw. This example replaces the cell's
existing certificates with the certificates found in /tmp/new.ks.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool certificates -s /tmp/new.ks -w kspw
Certificate replaced by user specified keystore at /tmp/new.ks.
You will need to restart the cell for changes to take effect.
NOTE You must restart the cell after you replace the certificates.
Commands for Generating Self-Signed SSL Certificates
Use the generate-certs command of the cell management tool to generate new self-signed SSL certificates
for the cell.
The generate-certs command of the cell management tool automates the procedure shown in “Create a
Self-Signed SSL Certificate,” on page 19.
To generate new self-signed SSL certificates and add them to a new or existing keystore, use a command
line with the following form:
cell-management-tool generate-certs options
Table 5-4. Cell Management Tool Options and Arguments, generate-certs Subcommand

| Option | Argument | Description |
| --- | --- | --- |
| --help (-h) | None | Provides a summary of available commands in this category. |
| -issuer (-i) | name=value [, name=value, ...] | X.509 distinguished name of the certificate issuer. Defaults to CN=Unknown. If you specify multiple attribute and value pairs, separate them with commas and enclose the entire argument in quotation marks. |
| --out (-o) | keystore-pathname | Full pathname to the keystore on this host. |
| --key-size (-s) | key-size | Size of key pair expressed as an integer number of bits. Defaults to 1024. |
| --keystore-pwd (-w) | keystore-password | Password for the keystore on this host. |
| --expiration (-x) | days-until-expiration | Number of days until the certificates expire. Defaults to 365. |
Example: Creating Self-Signed Certificates
Both of these examples assume a keystore at /tmp/cell.ks that has the password kspw. This keystore is
created if it does not already exist.
This example creates the new certificates using the defaults. The issuer name is set to CN=Unknown. The
certificate uses 1024-bit encryption and expires one year after creation.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs -o /tmp/cell.ks -w kspw
New keystore created and written to /tmp/cell.ks.
This example creates the new certificates using custom values for key size and issuer name. The issuer name
is set to CN=Test, L=London, C=GB. The certificate uses 2048-bit encryption and expires 90 days after creation.
[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool generate-certs -o /tmp/cell.ks -w kspw -i "CN=Test, L=London, C=GB" -s 2048 -x 90
New keystore created and written to /tmp/cell.ks.
Recovering the System Administrator Password
If you know the vCloud Director database username and password, you can use the recover-password
command of the cell management tool to recover the vCloud Director system administrator password.
With the recover-password command of the cell management tool, a user who knows the vCloud Director
database username and password can recover the vCloud Director system administrator password.
To recover the system administrator password, use a command line with the following form:
cell-management-tool recover-password options
Table 5-5. Cell Management Tool Options and Arguments, recover-password Subcommand

| Option | Argument | Description |
| --- | --- | --- |
| --help (-h) | None | Provides a summary of available commands in this category. |
| --dbuser | The user name of the vCloud Director database user. | Must be supplied on the command line. |
| --dbpassword | The password of the vCloud Director database user. | Prompted for if not supplied. |