Connecting System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation – 2 Scenarios

Recently I posted a blog series on enabling the Cloud OS with Windows Server and System Center for Hosting Service Providers that consists of the following parts

I updated my lab environment to enable high availability on all levels and also documented my findings in my recent blogs.

With my new lab environment in place I was finally able to complete the previous series with the last blog on how to install and connect System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation. I will describe the steps for two scenarios.

The first scenario describes an environment with System Center 2012 SP1 Service Provider Foundation. All configuration at the Service Provider site will be done in SPF PowerShell.

01 Connect App Controller

The second scenario describes an environment with System Center 2012 SP1 Service Provider Foundation and Windows Azure for Windows Server, where stamps and tenants are created through the Service Management Portal.

Most configuration will be done in PowerShell. You can find all the Service Provider PowerShell cmdlets on Technet.

Installing System Center 2012 SP1 App Controller

This blog describes the configuration from the perspective of a tenant and from the perspective of the Service Provider. The previous blogs describes the steps to create the environment at the site of the Service Provider. System Center 2012 SP1 App Controller allows you to connect and manage your private cloud, hosted clouds and the public cloud Windows Azure through a single pane of glass. The minimum requirements for installing System Center 2012 SP1 App Controller on the tenant site is a domain controller, a SQL Server and System Center 2012 SP1 App Controller server. It is not required to install System Center VMM 2012 SP1 on premise to use System Center 2012 SP1 App Controller to connect to a hosted cloud or the public cloud. But if you licensed System Center 2012 SP1 App Controller you have licensed the System Center Suite and I strongly encourage you to implement System Center VMM 2012 SP1 as the fabric controller for your private cloud.

For this blog we will go with three virtual machines for the tenant site. A domain controller (dc1), a SQL Server (sql1) and a System Center 2012 SP1 App Controller server (ac). The domain FQDN is tenant.com. After the domain is configured, create two service account (domainSVCSQL and domainSVCAC). Install SQL server 2012 and specify the service account (domainSVCSQL) for its services.

When the SQL Server is installed logon to the System Center 2012 SP1 App Controller server as a domain administrator. Install the System Center VMM 2012 SP1 management console. The other prerequisites for System Center 2012 SP1 App Controller are configured by the installer.

02 App Controller setup prerequisites

Complete the installation wizard by specifying the domain service account (domainSVCAC) in the Configure the services tab and select to use a self-signed certificate or a web server certificate that was created by your internal Certificate Authority or a public Certificate Authority. For the functionality described in this blog the chosen certificate to access the System Center 2012 SP1 App Controller portal is not relevant. A complete installation guide for installing System Center 2012 SP1 App Controller is available on Technet

Prerequisites

Certificates

Connecting System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation requires a certificate. The tenant requires a web server certificate that is exported with a private key and without a private key. The certificate can be a self-signed web server certificate, a web server certificate issued by a private Certificate Authority or a web server certificate issued by a public Certificate Authority. I will use makecert.exe from the Windows SDK.

Logon to the System Center 2012 SP1 App Controller server at the tenant site (in this example ac.tenant.com) as a domain administrator. Open a command prompt and run the following command to create the certificate.

makecert -r -pe -n “cn=Tenant” -b 04/04/2013 -e 09/23/2016 -ss My -sr CurrentUser -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 -sky exchange

03 Makecert

Please take note that the common name (cn) should match the name we will use to create the Tenant Admin in System Center 2012 SP1 Service Provider Foundation.

The command generates a self-signed certificate in the certificates user store. To export the certificate open a Microsoft Management Console (mmc.exe) add the certificates snap-in and connect to the user account. Expand Certificates > Personal > Certificates, right-click the certificate we just created, open the All Tasks menu and choose export.

04 Export certificate

In the Export Private Key screen select No, do not export the private key. In the Export File Format screen choose to export the certificate to a Base-64 encoded X.509 (.CER) file. Specify the location to export the certificate and complete the wizard. The tenant provides this exported certificate without private key (.CER file) to the Service Provider.

05 Exported certificates

Start the Certificate Export Wizard again. In the Export Private Key screen select Yes, export the private key. This forces the wizard to export the certificate as Personal Information Exchange – PKCS # 12 (.PFX) file. Leave the default checkmark on the Export File Format screen and click next. Enable the Password checkmark on the Security screen and specify a password for the .PFX file. Specify the location to export the certificate and complete the wizard. This exported certificate (.PFX file) with the private key will remain at the tenant site. The .PFX file will be used to configure System Center 2012 SP1 App Controller.

Scenario 1 – Prepare System Center 2012 SP1 Service Provider Foundation without Windows Azure for Widows Server in place

This first scenario of this blog resumes its configuration at the end of Installing and configuring System Center 2012 SP1 Service Provider Foundation. This means that there are no stamps and no tenants created in System Center VMM 2012 SP1. To prepare System Center 2012 SP1 Service Provider Foundation for connecting System Center 2012 SP1 App Controller from the tenant requires the following steps in this scenario.

Logon to the System Center 2012 SP1 Service Provider Foundation server and open the System Center 2012 Service Provider Foundation Command Shell

06 Command Shell shortcut

# Import the certificate (.CER file) provider by the Tenant

$path = “C:TenantCertsExport without private key for Service Provider.cer

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)

$key = [Convert]::ToBase64String($cert.RawData)

# Create the new Tenant using the imported .CER file (match the name to the common name used to create the certificate)

$tenant = New-SCSPFTenant -Name “Tenant” -IssuerName “Tenant” –Key $key

# Import the System Center Virtual Machine Manager Cmdlets

Set-Executionpolicy remotesigned

Import-Module virtualmachinemanager

# Create a Tenant Admin role for in VMM the Tenant and Self-service Role in VMM for the a development group

$TARole = New-SCUserRole -Name Tenant -ID $tenant.Id -UserRoleProfile TenantAdmin -VMMServer VMM

$TenantSSU = New-SCSPFTenantUserRole -Name Development -Tenant $tenant

$vmmSSU = New-SCUserRole -Name Development -UserRoleProfile SelfServiceUser -ParentUserRole $TARole -ID $TenantSSU.ID

# In a greenfield scenario there is no stamp defined. We need to map the tenant to a stamp. If you created a stamp already you can skip this step. To create a stamp

New-SCSPFStamp -Name “hypervnu

# To map the tenant to a stamp we need to get the ID of the stamp. Run Get-SCSPFStamp and copy the ID of the stamp you want to use.

$stamp = Get-SCSPFStamp -ID c2627739-1fc7-4a00-b895-b3fdbbd56799

$tnnt = Get-SCSPFTenant -Name “Tenant

Set-SCSPFStamp -Stamp $stamp -Tenants $tnnt

New-SCSPFServer -Name “vmm” -ServerType 0 -Stamps $stamp

# The tenant needs to specify a URL in System Center 2012 SP1 App Controller to connect to System Center 2012 SP1 Service Provider Foundation. The URL requires the Tenant ID. To get the Tenant ID

Get-SCSPFTenant | ft id, name

Scenario 2 – Prepare System Center 2012 SP1 Service Provider Foundation with Windows Azure for Windows Server in place

This scenario resumes its configuration at the end of the previous part on Installing and configuring Windows Azure for Windows Server – Part 3. In this scenario stamps and tenants are already created by Windows Azure for Windows Server. This requires some changes to the PowerShell commands.

The Tenant Site in Windows Azure for Windows Server allows the tenant to upload a management certificate.

07 Upload certificate in Windows Azure for Windows Server

I uploaded the exported certificate (.CER file) and verified the settings in the System Center 2012 Service Provider Foundation Command Shell. Unfortunately, after the certificate is uploaded by the tenant, the certificate thumbprint is unknown in System Center 2012 SP1 Service Provider Foundation. Hopefully this will be resolved in future developments (maybe in the Windows Azure Pack).

For this scenario I created a user named marcvaneijk@tenant.com in Windows Azure for Windows Server. Open the VMs and Services tab in System Center VMM 2012 SP1 and verify that the tenant is created. Windows Azure for Windows Server constructs the name from the tenant name and the tenant ID.

08 VMs and Services

The following procedure will prepare the environment for connecting System Center 2012 SP1 App Controller from the tenant. The trickiest part was to map the certificate to the tenant.

# Get the name and the ID of the tenant

Get-SCSPFTenant | ft name, id

09 Get-SCSPFTenant

# Import the certificate (.CER file) provider by the Tenant

$path = “C:TenantCertsExport without private key for Service Provider.cer”

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)

$key = [Convert]::ToBase64String($cert.RawData)

# Create a variable containing the Tenant

$tnnt = Get-SCSFPTenant -id f104f8f5-205b-4a27-a1a4-487d900c4cbf

# Create a Trusted Issuer by mapping the tenant to the imported certificate

New-SCSPFTrustedIssuer -Key $key -Name “Tenant” -Tenant $tnnt

# Import the System Center Virtual Machine Manager Cmdlets

Set-Executionpolicy remotesigned

Import-Module virtualmachinemanager

# Create a Tenant Admin role for the Tenant and Self-service Role for a development department that is mapped to the Tenant Admin role

$tenant = Get-SCSPFTenant -id f104f8f5-205b-4a27-a1a4-487d900c4cbf

$TARole = Get-SCUserRole -Name marcvaneijk@tenant.com_f104f8f5-205b-4a27-a1a4-487d900c4cbf -VMMServer VMM

$TenantSSU = New-SCSPFTenantUserRole -Name Tenant -Tenant $tenant

$vmmSSU = New-SCUserRole -Name Development -UserRoleProfile SelfServiceUser -ParentUserRole $TARole -ID $TenantSSU.ID

# The tenant needs to specify a URL in System Center 2012 SP1 App Controller to connect to System Center 2012 SP1 Service Provider Foundation. The URL requires the Tenant ID. To get the Tenant ID

Get-SCSPFTenant | ft name, id

Configuring System Center 2012 SP1 App Controller

After the Service Provider has prepared the hosting environment the tenant can configure System Center 2012 SP1 App Controller to connect to the hosted cloud.

Logon to System Center 2012 SP1 App Controller as a tenant domain administrator and open the overview tab. Select Add an external service provider in the Hosted Clouds section.

10 App Controller Overview

In the Add an external service provider foundation screen specify a name for the Service Provider in the connection name field. Optionally provide a description for the connection.

The service location field requires a URL in the following format.

https://<SPF full internet name>:8090/SC2012/vmm/Microsoft.Management.Odata.svc/<SPF Tenant ID provided by the service provider>

In this example we would enter the following URL in the service location field

https://spf.hyper-v.nu:8090/SC2012/vmm/Microsoft.Management.Odata.svc/f104f8f5-205b-4a27-a1a4-487d900c4cbf

In the certificate file field browse to the exported .PFX file that we created in the prerequisites section of this blog. In the password field enter the password that was used to encrypt the .PFX file.

11 Add an external service provider connection

After clicking OK the wizard will verify all prerequisites, connects to the service location, verifies the certificates, imports all objects (that tenant has access to) and creates the Self-service user role in System Center 2012 SP1 App Controller that we created in System Center 2012 SP1 Service Provider Foundation earlier.

You can now create a new User role in System Center 2012 SP1 App Controller and match it to the new Self-service role. Open the Settings > User Roles tab in System Center 2012 SP1 App Controller and select New.

In the general tab specify a descriptive name for the new user roles (in this example Development department). In the members tab add the domain groups or domain users that are member of the user role and should have access to the System Center VMM 2012 SP1 objects enabled by the service provider for this Self-service role. Finally enable the Service Provider Connection by selecting the Service provider and the Self-service role in the Scope tab and apply the settings.

Logon to System Center 2012 SP1 App Controller with a domain user account that is member of the Development department. The user only has access to the abstracted System Center VMM 2012 SP1 objects configured by the Service Provider.

More Information

What’s New in Microsoft System Center 2012 SP1 – App Controller: Managing Applications Across Cloud Environments

4 Comments

  1. June 11, 2013    

    What is the point of allowing for tenant to use AppController instead of Windows Azure for Windows Server portal to manage his VM ?

    • June 14, 2013    

      Hi Andrius, thanks for your comment.
      Microsoft has made great improvements on Windows Azure for Windows Server with their upcoming release of the Windows Azure Pack. But even with the R2 release of System Center 2012 App Controller this is still the only product that allows a single pane of glass for the private, hosted and public cloud. Support for the private cloud is added in Windows Azure Pack (with Active Directory support).
      But Windows Azure integration will most likely be added in future releases. In Windows Azure pack it is also not yet possible to work with a 1 to 1 mapping to service templates in VMM.
      As development will progress on future releases the answer on your question will change ;-)
      http://www.hyper-v.nu/archives/marcve/2013/04/will-windows-azure-for-windows-server-replace-system-center-app-controller/

  2. November 15, 2013    

    Can you please clarify the need of App Controller. As I understood, tenant can manage VMs using tenant site. What is the difference here.

    • November 15, 2013    

      Hi Vikram, see my previous comment for an answer.

  1. Installing and configuring System Center Service Provider Foundation on June 8, 2013 at 23:33

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>