VirtualCenter unable to decrypt passwords

[originally posted by Sarah Fortune 3-Feb-09]

There is a long standing problem in VirtualCenter 2.5 where cloning fails with this error:

The VirtualCenter server is unable to decrypt passwords stored in the customization specification.

It happens apparently randomly, but can be caused by installing Internet Explorer 7 on the VirtualCenter host. There is an ongoing thread in VMware communities about it: http://communities.vmware.com/thread/54721. There were rumours that the problem was going to be fixed in update 3, but it shows up in update 1, 2 and 3.

One of the solutions is to export the customisation spec, edit it so that the password is stored in plain text, and import it back into VirtualCenter.

If storing the password in plaintext isn't acceptable, replacing the SSL certificate in VirtualCenter can also fix the problem, provided the new certificate uses the password that is hardcoded into VirtualCenter.


Fix the problem by using plain text passwords
  1. Export the customisation spec, and edit the saved XML file.
  2. Locate the password section:
           <password>
              <_type>vim.vm.customization.Password</_type>
              <plainText>false</plainText>          
              <value>MJwe3zWdcKeAfZIBKDwhY6D+mSPBHMadN3oDFZxf3gjaQRZ9s/0IM6gumgiDjAGxGSPMJEbq4uyIZjUI57e3CVhIK7EmpZNgQTjQrV2D6wcmQSyTY5MUbpZXRicBjKVQY0Ln2TVXFe4Rke3R4W98pYwNr+SLy2NPYua5Hbs7vSk=</value>
            </password>
  3. Change the value <plainText>false</plainText> to <plainText>true</plainText>
    And <value>MJwe3zWdcKeAfZIB ... etc... </value> to the actual password, e.g. <value>Password01</value>.
    So the password section should look like this:
           <password>
              <_type>vim.vm.customization.Password</_type>
              <plainText>true</plainText>          
              <value>Password01</value>
            </password> 
  4. Import the XML back into VirtualCenter as a new customisation spec.

Fix the problem by replacing the SSL ceritificate
  1. Follow these instructions to generate and install a new certificate. Be warned it a pretty long process and requires you to install software your VirtualCenter server. http://vmetc.com/2008/07/22/guides-for-replacing-the-virtualcenter-certificate/
  2. There is one step in the instructions needs to be modified, you have to change the password to the one that VirtualCenter expects.This command:
         openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:vmware -out rui.pfx
    Should be replaced with:
        openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
  3. After you have replaced the certificate you will have to reconnect the ESX servers in VirtualCenter, and recreate the customisation specs. At this point it is safe to install Internet Explorer 7 on the server.
Comments:

Post a Comment:
Comments are closed for this entry.
About

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today