Assuming you already have a supported MSSQL DB running and are installing SSO on another Windows VM or server (separating SSO from vCenter is a best practice), here’s what I recommend you do to turn up SSO with a remote MSSQL DB (not a local MSSQLEXPRESS).

 

Note: Your SSO Windows server doesn’t have to belong to an AD domain at this point since you can associate SSO with AD et al. later via the vCenter Web Client, but if it is joined before running the SSO install, it will save you this step.

 

While there may be other supported methods to install SSO, here are the basic steps that worked for me:

 

  • Locate rsaIMSLiteMSSQLSetupTables.sql on the vCenter 5.1 installation ISO ([CD Drive]:\Single Sign On\DBScripts\SSOServer\schema\mssql\) and double-click it on the server running MSSQL, which will open it in SQL Management Studio for editing.
  • Edit the three [C:\CHANGEME\…] paths in the SQL script with the appropriate folder paths to your DBs & Trans Logs.  In my case, I put the DB and Index on D:\MSSQL\DB and the Logs on E:\MSSQL\LOGS
  • Execute the script and if all is well, it will create an RSA database in MSSQL and complete successfully
  • [IMPORTANT] Right-click on the top-level SQL Server icon and Select Properties, highlight Security and select the SQL Server and Windows Authentication mode (this is now a VMware requirement as indicated on page 241 of the vSphere 5.1 Installation and Setup Guide) and click OK.
  • Restart MSSQL Service & Agent for this setting to take effect.
  • Create a new SQL user account (e.g. sso) under MSSQL Server -> Security -> Logins in the SQL Management Studio hierarchy (ensure the account won’t require you to change the password upon first login), give it the SYSADMIN Server Role and dbo to the RSA DB under User Mapping, and click OK.
    • Note: You can avoid running the other SQL “users” script mentioned in the vSphere 5.1 Installation and Setup Guide for SSO user creation if you do this step and let the SSO installer create the users needed instead.
  • Log into your soon to be SSO Windows server as an Administrator
    • Note: Ensure your Windows server is properly Hostname’d, IP’d, with forward and reverse DNS and clocks sync’d.  See documentation for other general prerequisites, if needed.  You can join it to an AD domain if you wish at this time.
  • Launch the vCenter 5.1 SSO installer from the vCenter 5.1 ISO.
  • Create a primary node for SSO (assuming this is your first one), click Next.
  • Select Create the primary node for a new vCenter Single Sign On installation (so you can scale later on), click Next.
  • Enter in whatever master password you wish to use for SSO, click Next.
  • Select Use an existing supported database, click Next
    • Note: Since SSO uses JDBC, there is no need to create an ODBC System DSN for SSO.
  • Enter RSA in the Database Name field, enter the FQDN of your MSSQL server in the Host name or IP address field and, lastly, enter sso (from my example earlier) in the Database user name field as well as the password you established, click Next.
    • Note: nothing else on this page needs to be modified
  • Enter the FQDN of the SSO server (not the IP!), click Next.
  • Keep checkbox Use network service account, Click Next
    • Note: Since I didn’t really have any specific guidance about using a service account with SSO, I just went with the default for now.  Perhaps in the future I’ll use a service account, but given SSO is somewhat AD independent I thought I’d go with a safe choice and not use an AD service account that could be revoked if SSO was detached from that AD in the future.
  • Select your favorite installation folder, Click Next.
  • Keep default port, Click Next.
  • Click Install!

 

SSO should install properly and create the appropriate SQL user accounts called RSA_USER & RSA_DBA.

 

  • Disable or delete the sso SQL Admin account you created as it’s no longer needed once SSO is installed.
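The SQL-side steps above (confirming mixed-mode authentication, creating the temporary sso login, and disabling it once SSO is installed) can also be scripted and audited in T-SQL. The script below is an added example, not part of the original post or of VMware's scripts; the password is a placeholder, and treating the "dbo" user mapping as db_owner membership on the RSA database is an assumption.

```sql
-- Part 1: run before the SSO installer, after rsaIMSLiteMSSQLSetupTables.sql
-- has created the RSA database.

-- 0 = SQL Server and Windows Authentication mode (mixed), 1 = Windows only.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Temporary installer login. MUST_CHANGE is omitted, so no password change
-- is forced at first login. The password below is a placeholder.
CREATE LOGIN sso
    WITH PASSWORD = '<REPLACE_WITH_STRONG_PASSWORD>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;
EXEC sp_addsrvrolemember 'sso', 'sysadmin';
GO

USE RSA;
GO
-- Assumption: "dbo" under User Mapping is applied as db_owner membership.
CREATE USER sso FOR LOGIN sso;
EXEC sp_addrolemember 'db_owner', 'sso';
GO

-- Part 2: run after the SSO installer has finished.
USE master;
GO
-- The installer should have created these two logins.
SELECT name, is_disabled, create_date
FROM sys.sql_logins
WHERE name IN ('RSA_USER', 'RSA_DBA');

-- The temporary sysadmin login is no longer needed.
ALTER LOGIN sso DISABLE;

-- Audit: list every sysadmin member; sso should now show is_disabled = 1.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```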

 

Next, install the vCenter Inventory Service wherever you like as well as the vCenter Server and Web Client (i.e. separate VMs).

 

Tip: You can no longer just log into vCenter 5.1 using a local (Windows) administrator account via the vSphere 5.1 Client.  To establish vCenter Administrator rights to a Windows/AD user account (assuming SSO has been associated with AD), first log into vCenter (via vSphere 5.1 Client) using admin as the Username and the SSO master password you created during the installation of SSO.  That will get you in and you can make permission adjustments as necessary.
