VMware vSphere

  • 1.  Lost Master Password

    Posted Sep 22, 2019 06:26 PM

    Hi Everybody,

    I am in a very situation here. We have a very old VMware on-prem system hosting VMware 5.1. Now the problem is that the person who initially set it up never documented the master password, and now I am in a phase of migrating my VMware to a new network with a different hostname. When I migrated my cluster master to the new network and spun up the VM, the services won't start because it does not match the server name. What I would like to know is:

    1. Is there a way (official or non-official) to reset the master password?

    2. What is the difference between an admin password and master password?

    3. Can I update my certificates using admin password? I know this one. I am using the ssl-automation.bat tool

    4. Will re-installing VMware fix the problem? If yes, will it affect the current infrastructure? Will my VMs get deleted?

    vSphere log: ( xxxxxxxxx is my new hostname )

    2019-09-21T12:13:54.749-07:00 [05764 info 'dbdbPortgroup'] [VpxdInvtDVPortGroup::PreLoadDvpgConfig] loaded [0] dvpg config objects

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] Solution user set to: vCenterServer_2012.10.01_170440

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] VC's ServiceId in LookupService: {EF737C67-B22A-492D-9F46-F747BC43733C}:7

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] STS URI set to: https://xxxxxxxxx:7444/ims/STSService?wsdl

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] Admin URI set to: https://xxxxxxxxxxx:7444/sso-adminserver/sdk

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] Groupcheck URI set to: https://xxxxxxxxxxx:7444/sso-adminserver/sdk

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][SsoFactory_CreateFacade]'] VC SSL certificate location: C:\ProgramData\VMware\VMware VirtualCenter\ssl\rui.crt

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] STS URI set to: https://xxxxxxxxxxxxxxxx:7444/ims/STSService?wsdl

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] Admin URI set to: https://xxxxxxxxxxxxxx:7444/sso-adminserver/sdk

    2019-09-21T12:13:54.765-07:00 [05764 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] Groupcheck URI set to: https://xxxxxxxxxxxxxxxx:7444/sso-adminserver/sdk

    2019-09-21T12:13:55.015-07:00 [01620 info 'Default'] Thread attached

    2019-09-21T12:13:55.016-07:00 [04832 info 'Default'] Thread attached

    2019-09-21T12:13:55.016-07:00 [04716 error 'Default'] SSLStreamImpl::DoClientHandshake (000000000ad07790) SSL_connect failed. Dumping SSL error queue:

    2019-09-21T12:13:55.016-07:00 [04716 error 'Default'] [0] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    2019-09-21T12:13:55.016-07:00 [04716 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:000000000abbf1c0, TCP:xxxxxxxxxxxxxxxxx:7444>; cnx: (null), error: class Vmacore::Ssl::SSLVerifyException(SSL Exception: Verification parameters:

    --> PeerThumbprint: 92:82:CD:8E:45:4E:42:89:95:FB:1F:1F:14:B0:55:D7:64:AA:B6:F2

    --> ExpectedThumbprint:

    --> ExpectedPeerName: xxxxxxxxxxxxxxxxxxxxx

    --> The remote host certificate has these problems:

    -->

    --> * A certificate in the host's chain is based on an untrusted root.

    -->

    --> * Host name does not match the subject name(s) in certificate.)

    2019-09-21T12:13:55.016-07:00 [05764 error '[SSO][SsoFactory_CreateFacade]'] Unable to create SSO facade: SSL Exception: Verification parameters:

    --> PeerThumbprint: 92:82:CD:8E:45:4E:42:89:95:FB:1F:1F:14:B0:55:D7:64:AA:B6:F2

    --> ExpectedThumbprint:

    --> ExpectedPeerName: xxxxxxxxxxxxxxxxxxxxxxx

    --> The remote host certificate has these problems:

    -->

    --> * A certificate in the host's chain is based on an untrusted root.

    -->

    --> * Host name does not match the subject name(s) in certificate..

    2019-09-21T12:13:55.016-07:00 [05764 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)

    Regards,

    Niraj
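
As an added example (not part of the original post and not VMware code): a small Python parser for the `Verification parameters:` blocks in a vpxd log like the one above, merging repeated reports into one finding per peer certificate. The function names, cause labels, and the sample host name and thumbprint are constructed for illustration.

```python
import re

# vpxd log entry header: timestamp [thread level 'component'] message
HEADER = re.compile(r"^(\S+) \[(\d+) (\w+) '([^']*)'\] ?(.*)$")
FIELD = re.compile(r"^-->\s*(PeerThumbprint|ExpectedThumbprint|ExpectedPeerName):\s*(.*)$")
# Substrings of the verifier's problem text mapped to short cause labels (labels are assumptions)
CAUSES = {"untrusted root": "untrusted_root", "does not match the subject name": "hostname_mismatch"}

def parse_verify_failures(lines):
    """Return one record per 'Verification parameters:' block found in the log."""
    records, current = [], None
    for raw in lines:
        line = raw.strip()            # blank lines match nothing below and are skipped
        head = HEADER.match(line)
        if head:                      # a new log entry closes any open block
            ts, _thread, level, component, msg = head.groups()
            current = None
            if level == "error" and "Verification parameters:" in msg:
                current = {"timestamp": ts, "component": component, "causes": set()}
                records.append(current)
        elif current is not None and line.startswith("-->"):
            field = FIELD.match(line)
            if field:                 # an empty value (ExpectedThumbprint) is kept as ""
                current[field.group(1)] = field.group(2).strip()
            elif line[3:].lstrip().startswith("*"):
                current["causes"].update(c for k, c in CAUSES.items() if k in line)
    return records

def summarize(records):  # one finding per peer certificate, causes merged
    findings = {}
    for r in records:
        findings.setdefault(r.get("PeerThumbprint", ""), set()).update(r["causes"])
    return findings

# Constructed sample in the format of the log above (host name and thumbprint are made up)
SAMPLE = """\
2019-09-21T12:13:55.016-07:00 [04716 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:0, TCP:vc-new.example.test:7444>; cnx: (null), error: class Vmacore::Ssl::SSLVerifyException(SSL Exception: Verification parameters:
--> PeerThumbprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
--> ExpectedThumbprint:
--> ExpectedPeerName: vc-new.example.test
--> * A certificate in the host's chain is based on an untrusted root.
--> * Host name does not match the subject name(s) in certificate.)
2019-09-21T12:13:55.016-07:00 [05764 error '[SSO][SsoFactory_CreateFacade]'] Unable to create SSO facade: SSL Exception: Verification parameters:
--> PeerThumbprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
--> * Host name does not match the subject name(s) in certificate..
""".splitlines()

if __name__ == "__main__":
    print(summarize(parse_verify_failures(SAMPLE)))
```
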



  • 2.  RE: Lost Master Password

    Posted Sep 22, 2019 06:29 PM

    If master means vCenter, you can't change the hostname in that version; they only recently made that a possibility. In regards to VMware there is nothing that's a "Master" password. If I'd have to guess, you're talking about the SSO administrator's password.



  • 3.  RE: Lost Master Password

    Posted Sep 23, 2019 02:47 AM

    Thanks for the reply.

    Maybe I confused you all. But when I run the SSL automation bat file, it prompts me with an option "enter master password". I enter my admin@System-Domain password and it just fails, stating the master password is incorrect. I know that this password works because I can log in to the vSphere Client with this.

    I am just trying to update the certs on it.



  • 4.  RE: Lost Master Password

    Posted Sep 22, 2019 07:48 PM

    Master?

    IIRC in vSphere 5.1 there was an admin@system-domain, which is today the administrator@vsphere.local. As long as you have root access to the OS which runs vCenter/SSO you can reset the password for that user.

    Changing the FQHN of a vCenter is only in 6.7u3 and later.

    Regards,

    Joerg



  • 5.  RE: Lost Master Password

    Posted Sep 23, 2019 02:48 AM

    So if I end up re-installing, will I lose everything?



  • 6.  RE: Lost Master Password

    Posted Sep 23, 2019 06:13 PM

    Did you ever change the password? If yes, and you still remember the original password used during the installation, see whether this works.

    André



  • 7.  RE: Lost Master Password

    Broadcom Employee
    Posted Sep 23, 2019 07:13 PM

    How many hosts/vs are involved here? If you are setting up a new environment you cannot change the hostname. IMO you would be better off backing up DVS's etc. and migrating hosts over to a new environment/5.5. The 5.1 version of SSO was a mare; from memory you may even be able to upgrade to 5.5, I don't think it asks for the master password during this procedure. Even going to 5.5, though, you are at the end of General Support. VCSA is your friend here.



  • 8.  RE: Lost Master Password

    Posted Sep 24, 2019 10:20 AM

    Do your hosts use standard switches? If so, then just deploy a new VCSA 6.0; zero point messing around with an old VC if there is nothing tied into it other than a run-of-the-mill cluster. Even more so at 5.1 with a Windows VC. Those things were absolutely god awful in the extreme.

    You just need to be sure that there's nothing else plumbed into it that you'd need to account for (SRM, vSphere Replication, etc.).

    1. Deploy VCSA 6.0 to one of the ESXi hosts.

    2. Create a Datacentre & cluster on the new VC. Copy the existing cluster settings from the old VC to new.

    3. Right-click the new cluster and select add host; add the old hosts to the new VC.

    The hosts will show as disconnected on the old VC, but your VMs will continue to run without issue.

    4. Rinse / repeat for all hosts.

    5. Delete the nasty Windows VC.

    Your VMware hosts can be left at 5.1, but I'd factor in upgrading those to 6 if the hardware is supported (and then 6.7 if it is also supported). Couple of hours' work if your existing setup is basic. If you do have other apps running that have plugins installed, it's a bit more complicated as you'll need to work out a migration path for them to make sure they continue to run at the correct version for the new VCSA. Still something that should be achievable.