Real World Experience with vCenter 6.0 U2 Upgrade and External SSO
As we continue to explore the latest advancements in virtualization technology, many of us are faced with the task of upgrading our existing vCenter servers to the latest version. In this blog post, I will share my real-world experience with upgrading from vCenter 5.1 to vCenter 6.0 U2, and how we overcame some challenges during the process.
Background and Challenges
We have a multi-site SSO environment with two vCenter servers in linked mode, and we wanted to upgrade both servers to the latest version of vCenter (6.0 U2). We also have an external SSO instance running on vCenter 5.5, which we planned to repoint to the new vCenter 6.0 U2 instances.
During the upgrade process, we encountered two main issues:
1. Linked mode and re-registration
When upgrading from vCenter 5.1 to vCenter 6.0 U2, it is essential to remove linked mode before re-registering the external SSO instance. This is because the new version of vCenter does not support linked mode, and attempting to use it can lead to issues during the re-registration process. We learned this the hard way: issues that arose during re-registration forced us to roll back to the previous snapshot. This is mentioned in KB2033620, but it’s easy to miss if you’re not paying close attention.
2. Certificate warning messages
After upgrading to vCenter 6.0 U2, we encountered certificate warning messages even though we had installed custom CA-signed certificates on the external SSO 5.5 instances. We resolved this by pointing the Certificate Manager again to the same CA-signed certificates for SSO. If you instead stand up your new SSO environment on 5.1 first, then upgrade it to 5.5, and then repoint, it should work. This is because 5.1 will use certificates with subjects that will work with the repointing script, whereas 5.5 apparently does not.
Another important point: if you have a multi-site or HA SSO environment, SSO 5.1 must be installed on all nodes prior to upgrading them to 5.5. Otherwise, the fresh 5.5 install on the additional nodes will still use the bad certs.
Real World Solution
To overcome these challenges, we followed these steps:
1. Removed linked mode before re-registering the external SSO instance.
2. Installed custom CA-signed certificates on the external SSO 5.5 instances.
3. Pointed the Certificate Manager again to the same CA-signed certificates for SSO.
4. Ensured that SSO 5.1 was installed on all nodes prior to upgrading them to 5.5.
Conclusion
Upgrading from vCenter 5.1 to vCenter 6.0 U2 can be a challenging task, especially when dealing with external SSO instances. However, by understanding the limitations and pitfalls of the upgrade process, you can avoid common mistakes and ensure a successful outcome. We hope that our real-world experience will help others who are planning to undertake a similar upgrade.