VirtualCenter unable to decrypt passwords
By mprove on Feb 02, 2009
[originally posted by Sarah Fortune 3-Feb-09]
There is a long standing problem in VirtualCenter 2.5 where cloning fails with this error:
The VirtualCenter server is unable to decrypt passwords stored in the customization specification.
It happens apparently randomly, but can be caused by installing
Internet Explorer 7 on the VirtualCenter host. There is an ongoing
thread in VMware communities about it: http://communities.vmware.com/thread/54721. There were rumours that the problem was going to be fixed in update 3, but it shows up in update 1, 2 and 3.
One of the solutions is to export the customisation spec, edit it so that the password is stored in plain text, and import it back into VirtualCenter.
If storing the password in plaintext isn't acceptable, replacing the SSL
certificate in VirtualCenter can also fix the problem, provided the new certificate uses the password that is hardcoded into
Fix the problem by using plain text passwords
- Export the customisation spec, and edit the saved XML file.
- Locate the password section:
<password> <_type>vim.vm.customization.Password</_type> <plainText>false</plainText> <value>MJwe3zWdcKeAfZIBKDwhY6D+mSPBHMadN3oDFZxf3gjaQRZ9s/0IM6gumgiDjAGxGSPMJEbq4uyIZjUI57e3CVhIK7EmpZNgQTjQrV2D6wcmQSyTY5MUbpZXRicBjKVQY0Ln2TVXFe4Rke3R4W98pYwNr+SLy2NPYua5Hbs7vSk=</value> </password>
Change the value <plainText>false</plainText> to <plainText>true</plainText>
And <value>MJwe3zWdcKeAfZIB ... etc... </value> to the actual password, e.g. <value>Password01</value>.
So the password section should look like this:
<password> <_type>vim.vm.customization.Password</_type> <plainText>true</plainText> <value>Password01</value> </password>
- Import the XML back into VirtualCenter as a new customisation spec.
Fix the problem by replacing the SSL ceritificate
- Follow these instructions to generate and install a new certificate. Be warned it a pretty long process and requires you to install software your VirtualCenter server. http://vmetc.com/2008/07/22/guides-for-replacing-the-virtualcenter-certificate/
- There is one step in the instructions needs to be modified, you
have to change the password to the one that VirtualCenter expects.This
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:vmware -out rui.pfx
Should be replaced with:
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
- After you have replaced the certificate you will have to reconnect the ESX servers in VirtualCenter, and recreate the customisation specs. At this point it is safe to install Internet Explorer 7 on the server.