Connecting System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation – 2 Scenarios

Recently I posted a blog series on enabling the Cloud OS with Windows Server and System Center for Hosting Service Providers that consists of the following parts

I updated my lab environment to enable high availability on all levels and also documented my findings in my recent blogs.

With my new lab environment in place I was finally able to complete the previous series with the last blog on how to install and connect System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation. I will describe the steps for two scenarios.

The first scenario describes an environment with System Center 2012 SP1 Service Provider Foundation. All configuration at the Service Provider site will be done in SPF PowerShell.

<img src=”/images/2013-06-08/01-Connect-App-Controller.png” width=720”>

The second scenario describes an environment with System Center 2012 SP1 Service Provider Foundation and Windows Azure for Windows Server, where stamps and tenants are created through the Service Management Portal.

Most configuration will be done in PowerShell. You can find all the Service Provider PowerShell cmdlets on Technet.

Installing System Center 2012 SP1 App Controller

This blog describes the configuration from the perspective of a tenant and from the perspective of the Service Provider. The previous blogs describes the steps to create the environment at the site of the Service Provider. System Center 2012 SP1 App Controller allows you to connect and manage your private cloud, hosted clouds and the public cloud Windows Azure through a single pane of glass. The minimum requirements for installing System Center 2012 SP1 App Controller on the tenant site is a domain controller, a SQL Server and System Center 2012 SP1 App Controller server. It is not required to install System Center VMM 2012 SP1 on premise to use System Center 2012 SP1 App Controller to connect to a hosted cloud or the public cloud. But if you licensed System Center 2012 SP1 App Controller you have licensed the System Center Suite and I strongly encourage you to implement System Center VMM 2012 SP1 as the fabric controller for your private cloud.

For this blog we will go with three virtual machines for the tenant site. A domain controller (dc1), a SQL Server (sql1) and a System Center 2012 SP1 App Controller server (ac). The domain FQDN is tenant.com. After the domain is configured, create two service account (domainSVCSQL and domainSVCAC). Install SQL server 2012 and specify the service account (domainSVCSQL) for its services.

When the SQL Server is installed logon to the System Center 2012 SP1 App Controller server as a domain administrator. Install the System Center VMM 2012 SP1 management console. The other prerequisites for System Center 2012 SP1 App Controller are configured by the installer.

<img src=”/images/2013-06-08/02-App-Controller-setup-prerequisites.png” width=720”>

Complete the installation wizard by specifying the domain service account (domainSVCAC) in the Configure the services tab and select to use a self-signed certificate or a web server certificate that was created by your internal Certificate Authority or a public Certificate Authority. For the functionality described in this blog the chosen certificate to access the System Center 2012 SP1 App Controller portal is not relevant. A complete installation guide for installing System Center 2012 SP1 App Controller is available on Technet.

Prerequisites

Certificates

Connecting System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation requires a certificate. The tenant requires a web server certificate that is exported with a private key and without a private key. The certificate can be a self-signed web server certificate, a web server certificate issued by a private Certificate Authority or a web server certificate issued by a public Certificate Authority. I will use makecert.exe from the Windows SDK.

Logon to the System Center 2012 SP1 App Controller server at the tenant site (in this example ac.tenant.com) as a domain administrator. Open a command prompt and run the following command to create the certificate.

makecert -r -pe -n "cn=Tenant" -b 04/04/2013 -e 09/23/2016 -ss My -sr CurrentUser -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sky exchange

<img src=”/images/2013-06-08/03-Makecert.png” width=720”>

Please take note that the common name (cn) should match the name we will use to create the Tenant Admin in System Center 2012 SP1 Service Provider Foundation.

The command generates a self-signed certificate in the certificates user store. To export the certificate open a Microsoft Management Console (mmc.exe) add the certificates snap-in and connect to the user account. Expand Certificates > Personal > Certificates, right-click the certificate we just created, open the All Tasks menu and choose export.

<img src=”/images/2013-06-08/04-Export-certificate.png” width=720”>

In the Export Private Key screen select No, do not export the private key. In the Export File Format screen choose to export the certificate to a Base-64 encoded X.509 (.CER) file. Specify the location to export the certificate and complete the wizard. The tenant provides this exported certificate without private key (.CER file) to the Service Provider.

<img src=”/images/2013-06-08/05-Exported-certificates.png” width=720”>

Start the Certificate Export Wizard again. In the Export Private Key screen select Yes, export the private key. This forces the wizard to export the certificate as Personal Information Exchange – PKCS # 12 (.PFX) file. Leave the default checkmark on the Export File Format screen and click next. Enable the Password checkmark on the Security screen and specify a password for the .PFX file. Specify the location to export the certificate and complete the wizard. This exported certificate (.PFX file) with the private key will remain at the tenant site. The .PFX file will be used to configure System Center 2012 SP1 App Controller.

Scenario 1 – Prepare System Center 2012 SP1 Service Provider Foundation without Windows Azure for Widows Server in place

This first scenario of this blog resumes its configuration at the end of Installing and configuring System Center 2012 SP1 Service Provider Foundation. This means that there are no stamps and no tenants created in System Center VMM 2012 SP1. To prepare System Center 2012 SP1 Service Provider Foundation for connecting System Center 2012 SP1 App Controller from the tenant requires the following steps in this scenario.

Logon to the System Center 2012 SP1 Service Provider Foundation server and open the System Center 2012 Service Provider Foundation Command Shell

<img src=”/images/2013-06-08/06-Command-Shell-shortcut.png” width=150”>

# Import the certificate (.CER file) provider by the Tenant
$path = "C:\TenantCerts\Export without private key for Service Provider.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
$key = [Convert]::ToBase64String($cert.RawData)

# Create the new Tenant using the imported .CER file (match the name to the common name used to create the certificate)
$tenant = New-SCSPFTenant -Name "Tenant" -IssuerName "Tenant" –Key $key

# Import the System Center Virtual Machine Manager Cmdlets

Set-Executionpolicy remotesigned
Import-Module virtualmachinemanager

# Create a Tenant Admin role for in VMM the Tenant and Self-service Role in VMM for the a development group
$TARole = New-SCUserRole -Name Tenant -ID $tenant.Id -UserRoleProfile TenantAdmin -VMMServer VMM
$TenantSSU = New-SCSPFTenantUserRole -Name Development -Tenant $tenant 
$vmmSSU = New-SCUserRole -Name Development -UserRoleProfile SelfServiceUser -ParentUserRole $TARole -ID $TenantSSU.ID

# In a greenfield scenario there is no stamp defined. We need to map the tenant to a stamp. If you created a stamp already you can skip this step. To create a stamp
New-SCSPFStamp -Name "hypervnu"

# To map the tenant to a stamp we need to get the ID of the stamp. Run Get-SCSPFStamp and copy the ID of the stamp you want to use.
$stamp = Get-SCSPFStamp -ID c2627739-1fc7-4a00-b895-b3fdbbd56799
$tnnt = Get-SCSPFTenant -Name "Tenant"
Set-SCSPFStamp -Stamp $stamp -Tenants $tnnt
New-SCSPFServer -Name "vmm" -ServerType 0 -Stamps $stamp

# The tenant needs to specify a URL in System Center 2012 SP1 App Controller to connect to System Center 2012 SP1 Service Provider Foundation. The URL requires the Tenant ID. To get the Tenant ID
Get-SCSPFTenant | ft id, name

Scenario 2 – Prepare System Center 2012 SP1 Service Provider Foundation with Windows Azure for Windows Server in place

This scenario resumes its configuration at the end of the previous part on Installing and configuring Windows Azure for Windows Server – Part 3. In this scenario stamps and tenants are already created by Windows Azure for Windows Server. This requires some changes to the PowerShell commands.

The Tenant Site in Windows Azure for Windows Server allows the tenant to upload a management certificate.

<img src=”/images/2013-06-08/07-Upload-certificate-in-Windows-Azure-for-Windows-Server.png” width=720”>

I uploaded the exported certificate (.CER file) and verified the settings in the System Center 2012 Service Provider Foundation Command Shell. Unfortunately, after the certificate is uploaded by the tenant, the certificate thumbprint is unknown in System Center 2012 SP1 Service Provider Foundation. Hopefully this will be resolved in future developments (maybe in the Windows Azure Pack).

For this scenario I created a user named marcvaneijk@tenant.com in Windows Azure for Windows Server. Open the VMs and Services tab in System Center VMM 2012 SP1 and verify that the tenant is created. Windows Azure for Windows Server constructs the name from the tenant name and the tenant ID.

<img src=”/images/2013-06-08/08-VMs-and-Services.png” width=500”>

The following procedure will prepare the environment for connecting System Center 2012 SP1 App Controller from the tenant. The trickiest part was to map the certificate to the tenant.

# Get the name and the ID of the tenant
Get-SCSPFTenant | ft name, id

<img src=”/images/2013-06-08/09-Get-SCSPFTenant.png” width=720”>

# Import the certificate (.CER file) provider by the Tenant
$path = "C:TenantCertsExport without private key for Service Provider.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
$key = [Convert]::ToBase64String($cert.RawData)

# Create a variable containing the Tenant
$tnnt = Get-SCSFPTenant -id f104f8f5-205b-4a27-a1a4-487d900c4cbf

# Create a Trusted Issuer by mapping the tenant to the imported certificate
New-SCSPFTrustedIssuer -Key $key -Name "Tenant" -Tenant $tnnt

# Import the System Center Virtual Machine Manager Cmdlets
Set-Executionpolicy remotesigned
Import-Module virtualmachinemanager

# Create a Tenant Admin role for the Tenant and Self-service Role for a development department that is mapped to the Tenant Admin role
$tenant = Get-SCSPFTenant -id f104f8f5-205b-4a27-a1a4-487d900c4cbf
$TARole = Get-SCUserRole -Name marcvaneijk@tenant.com_f104f8f5-205b-4a27-a1a4-487d900c4cbf -VMMServer VMM
$TenantSSU = New-SCSPFTenantUserRole -Name Tenant -Tenant $tenant 
$vmmSSU = New-SCUserRole -Name Development -UserRoleProfile SelfServiceUser -ParentUserRole $TARole -ID $TenantSSU.ID

# The tenant needs to specify a URL in System Center 2012 SP1 App Controller to connect to System Center 2012 SP1 Service Provider Foundation. The URL requires the Tenant ID. To get the Tenant ID
Get-SCSPFTenant | ft name, id

Configuring System Center 2012 SP1 App Controller

After the Service Provider has prepared the hosting environment the tenant can configure System Center 2012 SP1 App Controller to connect to the hosted cloud.

Logon to System Center 2012 SP1 App Controller as a tenant domain administrator and open the overview tab. Select Add an external service provider in the Hosted Clouds section.

<img src=”/images/2013-06-08/10-App-Controller-Overview.png” width=720”>

In the Add an external service provider foundation screen specify a name for the Service Provider in the connection name field. Optionally provide a description for the connection.

The service location field requires a URL in the following format.

https://<SPF full internet name>:8090/SC2012/vmm/Microsoft.Management.Odata.svc/<SPF Tenant ID provided by the service provider>

In this example we would enter the following URL in the service location field

https://spf.hyper-v.nu:8090/SC2012/vmm/Microsoft.Management.Odata.svc/f104f8f5-205b-4a27-a1a4-487d900c4cbf

In the certificate file field browse to the exported .PFX file that we created in the prerequisites section of this blog. In the password field enter the password that was used to encrypt the .PFX file.

<img src=”/images/2013-06-08/11-Add-an-external-service-provider-connection.png” width=400”>

After clicking OK the wizard will verify all prerequisites, connects to the service location, verifies the certificates, imports all objects (that tenant has access to) and creates the Self-service user role in System Center 2012 SP1 App Controller that we created in System Center 2012 SP1 Service Provider Foundation earlier.

You can now create a new User role in System Center 2012 SP1 App Controller and match it to the new Self-service role. Open the Settings > User Roles tab in System Center 2012 SP1 App Controller and select New.

In the general tab specify a descriptive name for the new user roles (in this example Development department). In the members tab add the domain groups or domain users that are member of the user role and should have access to the System Center VMM 2012 SP1 objects enabled by the service provider for this Self-service role. Finally enable the Service Provider Connection by selecting the Service provider and the Self-service role in the Scope tab and apply the settings.

Logon to System Center 2012 SP1 App Controller with a domain user account that is member of the Development department. The user only has access to the abstracted System Center VMM 2012 SP1 objects configured by the Service Provider.

More Information