Platform Services Controller Administration PDF
Platform Services Controller Administration PDF
Platform Services Controller Administration PDF
Controller Administration
Update 2
Modified on 26 AUG 2019
VMware vSphere 6.7
VMware ESXi 6.7
vCenter Server 6.7
Platform Services Controller Administration
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
©
Copyright 2009-2019 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 2
Contents
Updated Information 8
VMware, Inc. 3
Platform Services Controller Administration
VMware, Inc. 4
Platform Services Controller Administration
Regenerate a New VMCA Root Certificate and Replace All Certificates 104
Make VMCA an Intermediate Certificate Authority (Certificate Manager) 106
Replace All Certificates with Custom Certificate (Certificate Manager) 112
Revert Last Performed Operation by Republishing Old Certificates 116
Reset All Certificates 117
Manual Certificate Replacement 117
Understanding Stopping and Starting of Services 117
Replace Existing VMCA-Signed Certificates With New VMCA-Signed Certificates 118
Use VMCA as an Intermediate Certificate Authority 130
Use Custom Certificates With vSphere 142
VMware, Inc. 5
About Platform Services Controller
Administration
®
The Platform Services Controller Administration documentation explains how the VMware Platform
Services Controller™ fits into your vSphere environment and helps you perform common tasks such as
certificate management and vCenter Single Sign-On configuration.
Platform Services Controller Administration explains how you can set up authentication with vCenter
Single Sign-On and how to manage certificates for vCenter Server and related services.
Getting Started with Platform Services Controller n vCenter Server and Platform Services Controller
deployment models. NOTE: This information changes with
each release of the product.
n Platform Services Controller services on Linux and
Windows.
n Managing Platform Services Controller services.
n Managing the Platform Services Controller appliance using
VAMI.
vSphere Authentication with vCenter Single Sign-On n Architecture of the authentication process.
n How to add identity sources so users in your domain can
authenticate.
n Two-factor authentication.
n Managing users, groups, and policies.
vSphere Security Certificates n Certificate model, and options for replacing certificates.
n Replace certificates from the UI (simple cases).
n Replace certificates using the Certificate Manager utility.
n Replace certificates using the CLI (complex situations).
n Certificate management CLI reference.
Related Documentation
A companion document, vSphere Security, describes available security features and the measures that
you can take to safeguard your environment from attack. That document also explains how you can set
up permissions, and includes a reference to privileges.
VMware, Inc. 6
Platform Services Controller Administration
In addition to these documents, VMware publishes the vSphere Security Configuration Guide (formerly
known as the Hardening Guide) for each release of vSphere, accessible at http://www.vmware.com/
security/hardening-guides.html. The vSphere Security Configuration Guide contains guidelines on
security settings that can or should be set by the customer, and security settings delivered by VMware
that should be audited by the customer to ensure that they are still set to default.
Intended Audience
This information is intended for administrators who want to configure Platform Services Controller and
associated services. The information is written for experienced Windows or Linux system administrators
who are familiar with virtual machine technology and data center operations.
Tasks for which the workflow differs significantly between the vSphere Client and the vSphere Web Client
have duplicate procedures that provide steps according to the respective client interface. The procedures
that relate to the vSphere Web Client, contain vSphere Web Client in the title.
Note In vSphere 6.7 Update 1, almost all of the vSphere Web Client functionality is implemented in the
vSphere Client. For an up-to-date list of any remaining unsupported functionality, see Functionality
Updates for the vSphere Client.
VMware, Inc. 7
Updated Information
This Platform Services Controller Administration document is updated with each release of the product or
when necessary.
This table provides the update history of the Platform Services Controller Administration documentation.
Revision Description
26 AUG 2019 n Corrected the location of the certool.cfg file in Changing the certool Configuration Options.
n Updated information about the use of the userPrincipalName attribute in Set Up RSA SecurID Authentication.
VMware, Inc. 8
Getting Started with Platform
Services Controller 1
The Platform Services Controller provides common infrastructure services to the vSphere environment.
Services include licensing, certificate management, and authentication with vCenter Single Sign-On.
Enhancements to the Platform Services Controller Interface
(http://link.brightcove.com/services/player/bcpid2296383276001?
bctid=ref:video_vsphere67_psc)
n Deployment Topologies with External Platform Services Controller Instances and High Availability
Before you deploy the vCenter Server Appliance or install vCenter Server for Windows, you must
determine the deployment model that is suitable for your environment. For each deployment or
installation, you must select one of the three deployment types.
VMware, Inc. 9
Platform Services Controller Administration
Table 1-1. vCenter Server and Platform Services Controller Deployment Types
Deployment Type Description
vCenter Server with an embedded Platform Services Controller All services that are bundled with the Platform Services
Controller are deployed together with the vCenter Server
services on the same virtual machine or physical server.
Platform Services Controller Only the services that are bundled with the Platform Services
Controller are deployed on the virtual machine or physical
server.
vCenter Server with an external Platform Services Controller Only the vCenter Server services are deployed on the virtual
(Requires external Platform Services Controller) machine or physical server.
You must register such a vCenter Server instance with a
Platform Services Controller instance that you previously
deployed or installed.
Note vCenter Server deployments using an external Platform Services Controller will not be supported
in a future vSphere release. Deploy or upgrade to a vCenter Server deployment using an embedded
Platform Services Controller. For more information, see the VMware Knowledge Base article http://
kb.vmware.com/kb/60229.
Starting with vSphere 6.5 Update 2, other instances of vCenter Server with an embedded Platform
Services Controller can be joined to enable enhanced linked mode.
Platform Services
Controller
vCenter Server
Installing vCenter Server with an embedded Platform Services Controller has the following advantages:
n The connection between vCenter Server and the Platform Services Controller is not over the network,
and vCenter Server is not prone to outages caused by connectivity and name resolution issues
between vCenter Server and the Platform Services Controller.
n If you install vCenter Server on Windows virtual machines or physical servers, you need fewer
Windows licenses.
You can configure the vCenter Server Appliance with an embedded Platform Services Controller in
vCenter High Availability configuration. For information, see vSphere Availability.
VMware, Inc. 10
Platform Services Controller Administration
Note vCenter Server deployments using an external Platform Services Controller will not be supported
in a future vSphere release. Deploy or upgrade to a vCenter Server deployment using an embedded
Platform Services Controller. For more information, see the VMware Knowledge Base article http://
kb.vmware.com/kb/60229.
You can register multiple vCenter Server instances with one common external Platform Services
Controller instance. The vCenter Server instances assume the vCenter Single Sign-On site of the
Platform Services Controller instance with which they are registered. All vCenter Server instances that are
registered with one common or different joined Platform Services Controller instances are connected in
Enhanced Linked Mode.
Figure 1-2. Example of Two vCenter Server Instances with a Common External Platform
Services Controller
Platform Services
Controller
Installing vCenter Server with an external Platform Services Controller has the following disadvantages:
n The connection between vCenter Server and Platform Services Controller might have connectivity
and name resolution issues.
n If you install vCenter Server on Windows virtual machines or physical servers, you need more
Microsoft Windows licenses.
For information about the Platform Services Controller and vCenter Server maximums, see the
Configuration Maximums documentation.
VMware, Inc. 11
Platform Services Controller Administration
For information about configuring the vCenter Server Appliance with an external Platform Services
Controller in vCenter High Availability configuration, see vSphere Availability.
Note After you deploy or install vCenter Server with an external Platform Services Controller, you can
reconfigure the deployment type and switch to vCenter Server with an embedded Platform Services
Controller.
Figure 1-3. Example of a Mixed Operating Systems Environment with an External Platform
Services Controller on Windows
Platform Services
Controller on Windows
Figure 1-4. Example of a Mixed Operating Systems Environment with an External Platform
Services Controller Appliance
Virtual Machine
Platform Services
Controller Appliance
Note To ensure easy manageability and maintenance, use only appliances or only Windows installations
of vCenter Server and Platform Services Controller.
VMware, Inc. 12
Platform Services Controller Administration
Note vCenter Server deployments using an external Platform Services Controller will not be supported
in a future vSphere release. Deploy or upgrade to a vCenter Server deployment using an embedded
Platform Services Controller. For more information, see Knowledge Base article KB 60229.
Load Balancer
You can use a third-party load balancer per site to configure Platform Services Controller high availability
with automatic failover for this site. For information about the maximum number of Platform Services
Controller instances behind a load balancer, see the Configuration Maximums documentation.
Important To configure Platform Services Controller high availability behind a load balancer, the
Platform Services Controller instances must be of the same operating system type. Mixed operating
systems Platform Services Controller instances behind a load balancer are unsupported.
The vCenter Server instances are connected to the load balancer. When a Platform Services Controller
instance stops responding, the load balancer automatically distributes the load among the other functional
Platform Services Controller instances without downtime.
VMware, Inc. 13
Platform Services Controller Administration
Your vCenter Single Sign-On domain might span multiple sites. To ensure Platform Services Controller
high availability with automatic failover throughout the domain, you must configure a separate load
balancer in each site.
When you join two or more Platform Services Controller instances in the same site with no load balancer,
you configure Platform Services Controller high availability with a manual failover for this site.
VMware, Inc. 14
Platform Services Controller Administration
When a Platform Services Controller instance stops responding, you must manually fail over the vCenter
Server instances that are registered to it. You fail over the instances by repointing them to other functional
Platform Services Controller instances within the same site. For information about how to repoint vCenter
Server instances to another external Platform Services Controller, see vCenter Server Installation and
Setup.
Note If your vCenter Single Sign-On domain includes three or more Platform Services Controller
instances, you can manually create a ring topology. A ring topology ensures Platform Services Controller
reliability when one of the instances fails. To create a ring topology, run the /usr/lib/vmware-
vmdir/bin/vdcrepadmin -f createagreement command against the first and last Platform Services
Controller instance that you have deployed.
Site 1 Site 2
Your vCenter Single Sign-On domain might span multiple sites. When no load balancer is available, you
can manually repoint vCenter Server from a failed to a functional Platform Services Controller within the
same site. For information about how to repoint vCenter Server instances to another external Platform
Services Controller, see vCenter Server Installation and Setup.
VMware, Inc. 15
Platform Services Controller Administration
The domain name is used by the VMware Directory Service (vmdir) for all Lightweight Directory Access
Protocol (LDAP) internal structuring.
With vSphere 6.0 and later, you can give your vSphere domain a unique name. To prevent authentication
conflicts, use a name that is not used by OpenLDAP, Microsoft Active Directory, and other directory
services.
Note You cannot change the domain to which a Platform Services Controller or vCenter Server instance
belongs.
After you specify the name of your domain, you can add users and groups. It usually makes more sense
to add an Active Directory or LDAP identity source and allow the users and groups in that identity source
to authenticate. You can also add vCenter Server or Platform Services Controller instances, or other
VMware products, such as vRealize Operations, to the domain.
Starting with vSphere 6.5, sites become important. During Platform Services Controller failover, the
vCenter Server instances are affinitized to a different Platform Services Controller in the same site. To
prevent your vCenter Server instances from being affinitized to a Platform Services Controller in a distant
geographic location, you can use multiple sites.
You are prompted for the site name when you install or upgrade a Platform Services Controller. See the
vCenter Server Installation and Setup documentation.
Key Capabilities
Platform Services Controller includes several services, discussed in Platform Services Controller
Services, and has the following key capabilities.
n Provisioning of vCenter Server components and ESXi hosts with VMware Certificate Manager
(VMCA) certificates by default
n Use of custom certificates, which are stored in the VMware Endpoint Certificate Store (VECS)
VMware, Inc. 16
Platform Services Controller Administration
Deployment Models
You can install Platform Services Controller on a Windows system or deploy the Platform Services
Controller appliance.
The deployment model depends on the version of Platform Services Controller that you are using. See
vCenter Server and Platform Services Controller Deployment Types.
Starting with vSphere 6.7 Update 1, if you have deployed or installed a vCenter Server instance with an
external Platform Services Controller and you want to convert it to a vCenter Server instance with an
embedded Platform Services Controller, you can replicate a new Platform Services Controller that is
embedded within the existing vCenter Server instance. See the vCenter Server Installation and Setup
documentation.
Starting with vSphere 6.7 Update 1, you can move a vCenter Server with an Embedded Platform
Services Controller from one vSphere domain to another vSphere domain. Services such as tagging and
licensing are retained and migrated to the new domain. See the vCenter Server Installation and Setup
documentation.
vSphere Client Web interface (HTML5-based client). The vSphere Client user
interface terminology, topology, and workflow are closely aligned
with the same aspects and elements of the vSphere Web Client
user interface.
vSphere Web Client Web interface for managing some of the services.
Certificate Management utility Command-line tool that supports CSR generation and certificate
replacement. See Managing Certificates with the vSphere
Certificate Manager Utility.
CLIs for managing Platform Services Controller services Set of commands for managing certificates, the VMware
Endpoint Certificate Store (VECS), and VMware Directory
Service (vmdir). See Chapter 4 Managing Services and
Certificates with CLI Commands.
VMware, Inc. 17
Platform Services Controller Administration
VMware, Inc. 18
Platform Services Controller Administration
vmonapi Start and stop vCenter Server services and monitor service API
VMware Lifecycle Manager API health. The vmware-vmon service is a centralized platform-
vmware-vmon independent service that manages the lifecycle of Platform
Services Controller and vCenter Server. Exposes APIs and CLIs
VMware Service Lifecycle Manager
to third-party applications.
pschealth Monitors the health and status of all core Platform Services
VMware Platform Services Controller Health Monitor Controller infrastructure services.
Procedure
1 Log in to a vCenter Server associated with the Platform Services Controller as a user with
administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by default).
2 Select Administration and click the item that you want to manage.
Use the vSphere Client or CLIs instead of the vSphere Web Client to manage the following services.
n Certificates
VMware, Inc. 19
Platform Services Controller Administration
n Login banner
Procedure
1 Log in to a vCenter Server associated with the Platform Services Controller as a user with
administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by default).
2 Select Administration and click the item that you want to manage.
Option Description
For example, you can use the certool utility to generate CSRs and to replace certificates, both for
scenarios with embedded Platform Services Controller and for scenarios with external Platform Services
Controller. See Managing Certificates with the vSphere Certificate Manager Utility.
Use the CLIs for management tasks that the Web interfaces do not support, or to create custom scripts
for your environment.
certool Generate and manage certificates and certool Initialization Commands Reference
keys. Part of VMCA.
sso-config Utility for configuring smart card Understanding vCenter Server Two-Factor
authentication. Authentication
service-control Command for starting, stopping, and Run this command to stop services before
listing services. running other CLI commands.
VMware, Inc. 20
Platform Services Controller Administration
Procedure
In most cases, you have to be the root or Administrator user. See Required Privileges for Running
CLIs for details.
The required privileges depend on the task that you want to perform. In some cases, you are
prompted for the password twice to safeguard sensitive information.
Linux /usr/lib/vmware-vmafd/bin/vecs-cli
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
/opt/vmware/bin
On Linux, the service-control command does not require that you
specify the path.
If you are using an environment with an embedded Platform Services Controller, you manage the one
appliance that includes both Platform Services Controller and vCenter Server. See vCenter Server
Appliance Configuration.
Table 1-5. Interfaces for Managing the Platform Services Controller Appliance
Interface Description
Platform Services Controller virtual appliance management Use this interface to reconfigure the system settings of a
interface (VAMI) Platform Services Controller deployment.
Platform Services Controller appliance shell Use this command-line interface to perform service
management operations on VMCA, VECS, and VMDIR. See
Managing Certificates with the vSphere Certificate Manager
Utility and Chapter 4 Managing Services and Certificates with
CLI Commands.
VMware, Inc. 21
Platform Services Controller Administration
In an environment with an embedded Platform Services Controller, you manage the appliances that
include both Platform Services Controller and vCenter Server.
Procedure
2 If a warning message about an untrusted SSL certificate appears, resolve the issue based on
company security policy and the Web browser that you are using.
3 Log in as root.
The default root password is the virtual appliance root password that you set when deploying the
virtual appliance.
You can see the System Information page of the Platform Services Controller Appliance Management
Interface.
Procedure
n If you have direct access to the appliance console, select Log in, and press Enter.
n To connect remotely, use SSH or another remote console connection to start a session to the
appliance.
3 Log in as root with the password that you set when you initially deployed the appliance.
VMware, Inc. 22
Platform Services Controller Administration
If you are using a Platform Services Controller instance that is installed on Windows, you can use the
domain to which that machine belongs.
Procedure
1 Using the vSphere Client, log in to a vCenter Server associated with the Platform Services Controller
as a user with administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by
default).
2 Select Administration.
5 Click Join AD, specify the domain, optional organizational unit, and user name and password, and
click Join.
What to do next
To attach users and groups from the joined Active Directory domain, add the joined domain as a vCenter
Single Sign-On identity source. See Add or Edit a vCenter Single Sign-On Identity Source.
VMware, Inc. 23
vSphere Authentication with
vCenter Single Sign-On 2
vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. When a
user can authenticate to vCenter Single Sign-On, that user receives a SAML token. Going forward, the
user can use the SAML token to authenticate to vCenter services. The user can then perform the actions
that user has privileges for.
Because traffic is encrypted for all communications, and because only authenticated users can perform
the actions that they have privileges for, your environment is secure.
Starting with vSphere 6.0, vCenter Single Sign-On is part of the Platform Services Controller. The
Platform Services Controller contains the shared services that support vCenter Server and vCenter
Server components. These services include vCenter Single Sign-On, VMware Certificate Authority, and
License Service. See vCenter Server Installation and Setup for details on the Platform Services
Controller.
For the initial handshake, users authenticate with a user name and password, and solution users
authenticate with a certificate. For information on replacing solution user certificates, see Chapter 3
vSphere Security Certificates.
The next step is authorizing the users who can authenticate to perform certain tasks. In most cases, you
assign vCenter Server privileges, usually by assigning the user to a group that has a role. vSphere
includes other permission models such as global permissions. See the vSphere Security documentation.
n Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
VMware, Inc. 24
Platform Services Controller Administration
3 4
vCenter Single
Sign-On
Kerberos
5 vCenter
Server
CA
6
VMware
Directory
Service
1 A user logs in to the vSphere Client with a user name and password to access the vCenter Server
system or another vCenter service.
The user can also log in without a password and check the Use Windows session authentication
check box.
VMware, Inc. 25
Platform Services Controller Administration
2 The vSphere Client passes the login information to the vCenter Single Sign-On service, which checks
the SAML token of the vSphere Client. If the vSphere Client has a valid token, vCenter Single Sign-
On then checks whether the user is in the configured identity source (for example Active Directory).
n If only the user name is used, vCenter Single Sign-On checks in the default domain.
n If a domain name is included with the user name (DOMAIN\user1 or user1@DOMAIN), vCenter
Single Sign-On checks that domain.
3 If the user can authenticate to the identity source, vCenter Single Sign-On returns a token that
represents the user to the vSphere Client.
4 The vSphere Client passes the token to the vCenter Server system.
5 vCenter Server checks with the vCenter Single Sign-On server that the token is valid and not expired.
6 The vCenter Single Sign-On server returns the token to the vCenter Server system, using thevCenter
Server Authorization Framework to allow user access.
The user can now authenticate, and can view and modify any objects that the user's role has privileges
for.
Note Initially, each user is assigned the No Access role. A vCenter Server administrator must assign the
user at least to the Read Only role before the user can log in. See the vSphere Security documentation.
Solution User
1
3
vCenter Single
Sign-On
Kerberos 4
vCenter
Server
CA 2
VMware
Directory
Service
VMware, Inc. 26
Platform Services Controller Administration
2 The solution user is redirected to vCenter Single Sign-On. If the solution user is new to vCenter
Single Sign-On, it has to present a valid certificate.
3 If the certificate is valid, vCenter Single Sign-On assigns a SAML token (bearer token) to the solution
user. The token is signed by vCenter Single Sign-On.
4 The solution user is then redirected to vCenter Single Sign-On and can perform tasks based on its
permissions.
5 The next time the solution user has to authenticate, it can use the SAML token to log in to vCenter
Server.
By default, this handshake is automatic because VMCA provisions solution users with certificates during
startup. If company policy requires third-party CA-signed certificates, you can replace the solution user
certificates with third-party CA-signed certificates. If those certificates are valid, vCenter Single Sign-On
assigns a SAML token to the solution user. See Use Custom Certificates With vSphere.
Supported Encryption
AES encryption, which is the highest level of encryption, is supported. The supported encryption affects
security when vCenter Single Sign-On uses Active Directory as an identity source.
It also affects security any time an ESXi host or vCenter Server is joined to Active Directory.
During installation, the components are deployed as part an embedded deployment, or as part of the
Platform Services Controller.
STS (Security Token The STS service issues Security Assertion Markup Language (SAML)
Service) tokens. These security tokens represent the identity of a user in one of the
identity source types supported byvCenter Single Sign-On. The SAML
tokens allow both human users and solution users who authenticate
successfully to vCenter Single Sign-On to use any vCenter service that
vCenter Single Sign-On supports without authenticating again to each
service.
The vCenter Single Sign-On service signs all tokens with a signing
certificate, and stores the token signing certificate on disk. The certificate
for the service itself is also stored on disk.
Administration server The administration server allows users with administrator privileges to
vCenter Single Sign-On to configure the vCenter Single Sign-On server and
manage users and groups from the vSphere Web Client. Initially, only the
user administrator@your_domain_name has these privileges. In vSphere
5.5, this user was [email protected]. With vSphere 6.0, you can
VMware, Inc. 27
Platform Services Controller Administration
change the vSphere domain when you install vCenter Server or deploy the
vCenter Server Appliance with a new Platform Services Controller. Do not
name the domain name with your Microsoft Active Directory or OpenLDAP
domain name.
VMware Directory The VMware Directory service (vmdir) is associated with the domain you
Service (vmdir) specify during installation and is included in each embedded deployment
and on each Platform Services Controller. This service is a multi-tenanted,
multi-mastered directory service that makes an LDAP directory available on
port 389. The service still uses port 11711 for backward compatibility with
vSphere 5.5 and earlier systems.
Starting with vSphere 6.0, the VMware Directory Service stores not only
vCenter Single Sign-On information but also certificate information.
Authentication with vCenter Single Sign-On makes vSphere more secure because the vSphere software
components communicate with each other by using a secure token exchange mechanism, and all other
users also authenticate with vCenter Single Sign-On.
Starting with vSphere 6.0, vCenter Single Sign-On is either included in an embedded deployment, or part
of the Platform Services Controller. The Platform Services Controller contains all of the services that are
necessary for the communication between vSphere components including vCenter Single Sign-On,
VMware Certificate Authority, VMware Lookup Service, and the licensing service.
First installation If your installation is distributed, you must install the Platform Services
Controller before you install vCenter Server or deploy the vCenter Server
Appliance. For an embedded deployment the correct installation order
happens automatically.
VMware, Inc. 28
Platform Services Controller Administration
For detailed information about the deployment models, the advantages and disadvantages of each
deployment type, see vCenter Server Installation and Setup.
vCenter Single Sign-On authenticates both solution users and other users.
n Solution users represent a set of services in your vSphere environment. During installation, VMCA
assigns a certificate to each solution user by default. The solution user uses that certificate to
authenticate to vCenter Single Sign-On. vCenter Single Sign-On gives the solution user a SAML
token, and the solution user can then interact with other services in the environment.
n When other users log in to the environment, for example, from the vSphere Client, vCenter Single
Sign-On prompts for a user name and password. If vCenter Single Sign-On finds a user with those
credentials in the corresponding identity source, it assigns the user a SAML token. The user can now
access other services in the environment without being prompted to authenticate again.
Which objects the user can view, and what a user can do, is usually determined by vCenter Server
permission settings. vCenter Server administrators assign those permissions from the Permissions
interface in the vSphere Web Client or the vSphere Client, not through vCenter Single Sign-On. See
the vSphere Security documentation.
After installation, the administrator of the vCenter Single Sign-On domain, [email protected]
by default, has administrator access to both vCenter Single Sign-On and vCenter Server. That user can
then add identity sources, set the default identity source, and manage users and groups in the vCenter
Single Sign-On domain.
VMware, Inc. 29
Platform Services Controller Administration
All users that can authenticate to vCenter Single Sign-On can reset their password, even if the password
has expired, as long as they know the password. See Change Your vCenter Single Sign-On Password .
Only vCenter Single Sign-On administrators can reset the password for users who no longer have their
password.
Note When you change the password for your SDDC from the vSphere Client, the new password is not
synchronized with the password that is displayed on the Default vCenter Credentials page. That page
shows only the Default credentials. If you change the credentials, you are responsible for keeping track of
the new password. Contact Technical Support and request a password change.
To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, the user
[email protected] or a user in the vCenter Single Sign-On Administrators group must log in to
the vSphere Client . Upon authentication, that user can access the vCenter Single Sign-On administration
interface from the vSphere Client and manage identity sources and default domains, specify password
policies, and perform other administrative tasks.
Note You cannot rename the vCenter Single Sign-On administrator user, which is
[email protected] by default or administrator@mydomain if you specified a different domain
during installation. For improved security, consider creating additional named users in the vCenter Single
Sign-On domain and assigning them administrative privileges. You can then stop using the administrator
account.
ESXi Users
Standalone ESXi hosts are not integrated with vCenter Single Sign-On or with the Platform Services
Controller. See vSphere Security for information on adding an ESXi host to Active Directory.
If you create local ESXi users for a managed ESXi host with the VMware Host Client, vCLI, or PowerCLI,
vCenter Server is not aware those users. Creating local users can therefore result in confusion, especially
if you use the same user names. Users who can authenticate to vCenter Single Sign-On can view and
manage ESXi hosts if they have the corresponding permissions on the ESXi host object.
Note Manage permissions for ESXi hosts through vCenter Server if possible.
When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on
whether the user is in the domain that is set as the default identity source.
n Users who are in the default domain can log in with their user name and password.
VMware, Inc. 30
Platform Services Controller Administration
n Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but
is not the default domain can log in to vCenter Server but must specify the domain in one of the
following ways.
n Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to
vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy,
Active Directory determines whether users of other domains in the hierarchy are authenticated or not.
If your environment includes an Active Directory hierarchy, see VMware Knowledge Base article 2064250
for details on supported and unsupported setups.
Note Starting with vSphere 6.0 Update 2, two-factor authentication is supported. See Understanding
vCenter Server Two-Factor Authentication.
For all objects in the vCenter Server hierarchy, you can assign permissions by pairing a user and a role
with the object. For example, you can select a resource pool and give a group of users read privileges to
that resource pool object by giving them the corresponding role.
For some services that are not managed by vCenter Server directly, membership in one of the vCenter
Single Sign-On groups determines the privileges. For example, a user who is a member of the
Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins
group can manage the VMware Certificate Authority, and a user who is in the
LicenseService.Administrators group can manage licenses.
Note Many of these groups are internal to vsphere.local or give users high-level administrative
privileges. Add users to any of these groups only after careful consideration of the risks.
Note Do not delete any of the predefined groups in the vsphere.local domain. If you do, errors with
authentication or certificate provisioning might result.
SolutionUsers Solution users group vCenter services. Each solution user authenticates individually to
vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users
with certificates. Do not add members to this group explicitly.
VMware, Inc. 31
Platform Services Controller Administration
CAAdmins Members of the CAAdmins group have administrator privileges for VMCA. Do not add
members to this group unless you have compelling reasons.
DCAdmins Members of the DCAdmins group can perform Domain Controller Administrator actions
on VMware Directory Service.
Note Do not manage the domain controller directly. Instead, use the vmdir CLI or
vSphere Client to perform corresponding tasks.
SystemConfiguration.BashShellAdministr This group is available only for vCenter Server Appliance deployments.
ators A user in this group can enable and disable access to the BASH shell. By default a user
who connects to the vCenter Server Appliance with SSH can access only commands in
the restricted shell. Users who are in this group can access the BASH shell.
ActAsUsers Members of Act-As Users are allowed to get Act-As tokens from vCenter Single Sign-
On.
ExternalIPDUsers This internal group is not used by vSphere. VMware vCloud Air requires this group.
SystemConfiguration.Administrators Members of the SystemConfiguration.Administrators group can view and manage the
system configuration in the vSphere Client. These users can view, start and restart
services, troubleshoot services, see the available nodes, and manage those nodes.
DCClients This group is used internally to allow the management node access to data in VMware
Directory Service.
Note Do not modify this group. Any changes might compromise your certificate
infrastructure.
Administrators Administrators of the VMware Directory Service (vmdir). Members of this group can
perform vCenter Single Sign-On administration tasks. Do not add members to this
group unless you have compelling reasons and understand the consequences.
VMware, Inc. 32
Platform Services Controller Administration
You configure vCenter Single Sign-On from the vSphere Client. To configure vCenter Single Sign-On, you
must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator
privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation,
only the vCenter Single Sign-On administrator ([email protected] by default) can authenticate
to vCenter Single Sign-On.
An administrator can add identity sources, set the default identity source, and create users and groups in
the vsphere.local identity source.
The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the
machine where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single
Sign-On has the identity source your_domain_name, for example vsphere.local. This identity source is
internal to vCenter Single Sign-On.
VMware, Inc. 33
Platform Services Controller Administration
vCenter Server versions earlier than version 5.1 supported Active Directory and local operating system
users as user repositories. As a result, local operating system users were always able to authenticate to
the vCenter Server system. vCenter Server version 5.1 and version 5.5 uses vCenter Single Sign-On for
authentication. See the vSphere 5.1 documentation for a list of supported identity sources with vCenter
Single Sign-On 5.1. vCenter Single Sign-On 5.5 supports the following types of user repositories as
identity sources, but supports only one default identity source.
n Active Directory versions 2003 and later. Shown as Active Directory (Integrated Windows
Authentication) in the vSphere Client. vCenter Single Sign-On allows you to specify a single Active
Directory domain as an identity source. The domain can have child domains or be a forest root
domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts supported with
vCenter Single Sign-On.
n Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP
identity sources. This identity source type is included for compatibility with the vCenter Single Sign-
On service included with vSphere 5.1. Shown as Active Directory as an LDAP Server in the
vSphere Client.
n OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity
sources. Shown as OpenLDAP in the vSphere Client.
n Local operating system users. Local operating system users are local to the operating system where
the vCenter Single Sign-On server is running. The local operating system identity source exists only
in basic vCenter Single Sign-On server deployments and is not available in deployments with multiple
vCenter Single Sign-On instances. Only one local operating system identity source is allowed. Shown
as localos in the vSphere Client.
Note Do not use local operating system users if the Platform Services Controller is on a different
machine than the vCenter Server system. Using local operating system users might make sense in
an embedded deployment but is not recommended.
n vCenter Single Sign-On system users. Exactly one system identity source is created when you install
vCenter Single Sign-On.
Note At any time, only one default domain exists. If a user from a non-default domain logs in, that user
must add the domain name (DOMAIN\user) to authenticate successfully.
When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on
whether the user is in the domain that is set as the default identity source.
n Users who are in the default domain can log in with their user name and password.
VMware, Inc. 34
Platform Services Controller Administration
n Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but
is not the default domain can log in to vCenter Server but must specify the domain in one of the
following ways.
n Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to
vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy,
Active Directory determines whether users of other domains in the hierarchy are authenticated or not.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
4 Click Identity Sources, select an identity source, and click Set as Default.
In the domain display, the default domain shows (default) in the Domain column.
An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an
OpenLDAP directory service. For backward compatibility, Active Directory as an LDAP Server is also
available. See Identity Sources for vCenter Server with vCenter Single Sign-On.
Immediately after installation, the following default identity sources and users are available:
localos All local operating system users. If you are upgrading, those localos users
who can already authenticate can continue to authenticate. Using the
localos identity source does not make sense in environments that use an
embedded Platform Services Controller.
VMware, Inc. 35
Platform Services Controller Administration
Prerequisites
If you are adding an Active Directory identity source, the vCenter Server Appliance or the vCenter Server
Windows machine must be in the Active Directory domain. See Add a Platform Services Controller
Appliance to an Active Directory Domain.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
5 Select the identity source and enter the identity source settings.
Option Description
Active Directory (Integrated Windows Use this option for native Active Directory implementations. The machine on which
Authentication) the vCenter Single Sign-On service is running must be in an Active Directory
domain if you want to use this option.
See Active Directory Identity Source Settings.
Active Directory over LDAP This option is available for backward compatibility. It requires that you specify the
domain controller and other information. See Active Directory LDAP Server and
OpenLDAP Server Identity Source Settings.
OpenLDAP Use this option for an OpenLDAP identity source. See Active Directory LDAP
Server and OpenLDAP Server Identity Source Settings.
Local operating system of SSO server Use this option for the SSO server's local operating system.
Note If the user account is locked or disabled, authentications and group and user searches in the
Active Directory domain fail. The user account must have read-only access over the User and Group
OU, and must be able to read user and group attributes. Active Directory provides this access by
default. Use a special service user for improved security.
6 Click Add.
What to do next
When an identity source is added, all users can be authenticated but have the No access role. A user
with vCenter Server Modify.permissions privileges can give users or groups of users privileges. The
privileges enable the users or groups to log in to vCenter Server and to view and manage objects. You
can configure permissions so that users and groups from a joined Active Directory domain can access the
vCenter Server components. See the vSphere Security documentation.
VMware, Inc. 36
Platform Services Controller Administration
n For a Windows installation, join the Windows machine to the Active Directory domain.
n For a vCenter Server Appliance, follow the instructions in the vCenter Server Appliance Configuration
documentation.
Note Active Directory (Integrated Windows Authentication) always uses the root of the Active Directory
domain forest. To configure your Integrated Windows Authentication identity source with a child domain
within your Active Directory forest, see the VMware knowledge base article at http://kb.vmware.com/kb/
2070433.
Select Use machine account to speed up configuration. If you expect to rename the local machine on
which vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.
Note In vSphere 5.5, vCenter Single Sign-On uses the machine account even if you specify the SPN.
See the VMware knowledge base article at http://kb.vmware.com/kb/2087978.
Domain name FQDN of the domain name, for example, mydomain.com. Do not
provide an IP address. This domain name must be DNS-
resolvable by the vCenter Server system. If you are using a
vCenter Server Appliance, use the information on configuring
network settings to update the DNS server settings.
Use machine account Select this option to use the local machine account as the SPN.
When you select this option, you specify only the domain name.
Do not select this option if you expect to rename this machine.
Use Service Principal Name (SPN) Select this option if you expect to rename the local machine. You
must specify an SPN, a user who can authenticate with the
identity source, and a password for the user.
VMware, Inc. 37
Platform Services Controller Administration
Service Principal Name (SPN) SPN that helps Kerberos to identify the Active Directory service.
Include the domain in the name, for example, STS/
example.com.
The SPN must be unique across the domain. Running setspn -
S checks that no duplicate is created. See the Microsoft
documentation for information on setspn.
User Principal Name (UPN) Name and password of a user who can authenticate with this
Password identity source. Use the email address format, for example,
[email protected]. You can verify the User Principal Name
with the Active Directory Service Interfaces Editor (ADSI Edit).
Active Directory LDAP Server and OpenLDAP Server Identity Source Settings
The Active Directory as an LDAP Server identity source is available for backward compatibility. Use the
Active Directory (Integrated Windows Authentication) option for a setup that requires less input. The
OpenLDAP Server identity source is available for environments that use OpenLDAP.
If you are configuring an OpenLDAP identity source, see the VMware knowledge base article at http://
kb.vmware.com/kb/2064977 for additional requirements.
Domain alias For Active Directory identity sources, the domain's NetBIOS
name. Add the NetBIOS name of the Active Directory domain as
an alias of the identity source if you are using SSPI
authentications.
For OpenLDAP identity sources, the domain name in capital
letters is added if you do not specify an alias.
VMware, Inc. 38
Platform Services Controller Administration
Table 2-3. Active Directory as an LDAP Server and OpenLDAP Settings (continued)
Option Description
Primary Server URL Primary domain controller LDAP server for the domain.
Use the format ldap://hostname:port or
ldaps://hostname:port. The port is typically 389 for LDAP
connections and 636 for LDAPS connections. For Active
Directory multi-domain controller deployments, the port is
typically 3268 for LDAP and 3269 for LDAPS.
A certificate that establishes trust for the LDAPS endpoint of the
Active Directory server is required when you use ldaps:// in
the primary or secondary LDAP URL.
Secondary server URL Address of a secondary domain controller LDAP server that is
used for failover.
SSL certificates If you want to use LDAPS with your Active Directory LDAP
Server or OpenLDAP Server identity source, click Browse to
choose a certificate.
Using SSPI speeds up the login process for the user who is currently logged in to a machine.
Prerequisites
n Join the Platform Services Controller appliance or the Windows machine on which Platform Services
Controller is running to an Active Directory domain. See Add a Platform Services Controller Appliance
to an Active Directory Domain.
n Verify that the domain is set up properly. See the VMware knowledge base article at http://
kb.vmware.com/kb/2064250.
n If you are using vSphere 6.0 and earlier, verify that the Client Integration Plug-in is installed.
n If you are using vSphere 6.5 and later, verify that the Enhanced Authentication Plug-In is installed.
See vCenter Server Installation and Setup.
Procedure
n If the Active Directory domain is the default identity source, log in with your user name, for
example jlee.
VMware, Inc. 39
Platform Services Controller Administration
Smart card Smart card authentication allows access only to users who attach a
authentication physical card to the USB drive of the computer that they log in to. An
example is Common Access Card (CAC) authentication.
The administrator can deploy the PKI so that the smart card certificates are
the only client certificates that the CA issues. For such deployments, only
smart card certificates are presented to the user. The user selects a
certificate, and is prompted for a PIN. Only users who have both the
physical card and the PIN that matches the certificate can log in.
RSA SecurID For RSA SecurID authentication, your environment must include a correctly
Authentication configured RSA Authentication Manager. If the Platform Services Controller
is configured to point to the RSA server, and if RSA SecurID Authentication
is enabled, users can log in with their user name and token.
See the two vSphere Blog posts about RSA SecurID setup for details.
Note vCenter Single Sign-On supports only native SecurID. It does not
support RADIUS authentication.
n For smart card authentication, you can perform the vCenter Single Sign-On setup from the vSphere
Client or by using sso-config. Setup includes enabling smart card authentication and configuring
certificate revocation policies.
n For RSA SecurID, you use the sso-config script to configure RSA Authentication Manager for the
domain, and to enable RSA token authentication. You cannot configure RSA SecurID authentication
from the vSphere Client. However, if you enable RSA SecurID, that authentication method appears in
the vSphere Client.
VMware, Inc. 40
Platform Services Controller Administration
Users who log in to a vCenter Server or Platform Services Controller system are prompted to authenticate
with a smart card and PIN combination, as follows.
1 When the user inserts the smart card into the smart card reader, vCenter Single Sign-On reads the
certificates on the card.
2 vCenter Single Sign-On prompts the user to select a certificate, and then prompts the user for the PIN
for that certificate.
3 vCenter Single Sign-On checks whether the certificate on the smart card is known and whether the
PIN is correct. If revocation checking is turned on, vCenter Single Sign-On also checks whether the
certificate is revoked.
4 If the certificate is known, and is not a revoked certificate, the user is authenticated and can then
perform tasks that the user has permissions for.
Note It usually makes sense to leave user name and password authentication enabled during testing.
After testing is complete, disable user name and password authentication and enable smart card
authentication. Subsequently, the vSphere Client and the vSphere Web Client allow only smart card login.
Only users with root or administrator privileges on the machine can reenable user name and password
authentication by logging in to the Platform Services Controller directly.
How you set up smart card authentication depends on the version of vSphere that you are using.
6.0 Update 2 1 Set up the Tomcat server. vSphere 6.0 documentation center.
Later versions of vSphere 2 Enable and configure smart card
6.0 authentication.
6.5 and later 1 Set up the reverse proxy. Configure the Reverse Proxy to Request Client
2 Enable and configure smart card Certificates
authentication. Use the Command Line to Manage Smart Card
Authentication
Manage Smart Card Authentication
VMware, Inc. 41
Platform Services Controller Administration
Prerequisites
Procedure
OS Description
This store will contain the trusted issuing CA's certificates for client certificate. The client here is the
browser from which the smart card process prompts the end user for information.
The following example shows how you create a certificate store on the Platform Services Controller
appliance.
cd /usr/lib/vmware-sso/
openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/
conf/clienttrustCA.pem
cd /usr/lib/vmware-sso/
openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer >> /usr/lib/vmware-sso/vmware-sts/
conf/clienttrustCA.pem
3 Make a backup of the config.xml file that includes the reverse proxy definition, and open
config.xml in an editor.
OS Description
Appliance /etc/vmware-rhttpproxy/config.xml
Windows C:\ProgramData\VMware\vCenterServer\cfg\vmware-rhttpproxy
\config.xml
VMware, Inc. 42
Platform Services Controller Administration
<http>
<maxConnections> 2048 </maxConnections>
<requestClientCertificate>true</requestClientCertificate>
<clientCertificateMaxSize>4096</clientCertificateMaxSize>
<clientCAListFile>/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem</clientCAListFile>
</http>
The config.xml file includes some of these elements. Uncomment, update, or add the elements as
needed.
OS Description
Windows Restart the operating system, or restart the VMware HTTP Reverse Proxy by
following these steps:
a Open an elevated command prompt.
b Run the following commands:
Linux /opt/vmware/bin/sso-config.sh
Configuration of supported authentication types and revocation settings is stored in VMware Directory
Service and replicated across all Platform Services Controller instances in a vCenter Single Sign-On
domain.
If user name and password authentication are disabled, and if problems occur with smart card
authentication, users cannot log in. In that case, a root or administrator user can turn on user name and
password authentication from the Platform Services Controller command line. The following command
enables user name and password authentication.
VMware, Inc. 43
Platform Services Controller Administration
OS Command
Windows
sso-config.bat -set_authn_policy
-pwdAuthn true -t <tenant_name>
Linux
sso-config.sh -set_authn_policy -pwdAuthn true
-t <tenant_name>
If you use OCSP for revocation check, you can rely on the default OCSP specified in the smart card
certificate AIA extension. You can also override the default and configure one or more alternative OCSP
responders. For example, you can set up OCSP responders that are local to the vCenter Single Sign-On
site to process the revocation check request.
Note If your certificate does not have OCSP defined, enable CRL (certificate revocation list) instead.
Prerequisites
n Verify that your environment uses Platform Services Controller version 6.5 or later, and that you use
vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart
card authentication, but the setup procedure is different.
n Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that
certificates meet the following requirements:
n A User Principal Name (UPN) must correspond to an Active Directory account in the Subject
Alternative Name (SAN) extension.
n The certificate must specify Client Authentication in the Application Policy or Enhanced Key
Usage field or the browser does not show the certificate.
n Verify that the Platform Services Controller certificate is trusted by the end user's workstation.
Otherwise, the browser does not attempt authentication.
n Assign the vCenter Server Administrator role to one or more users in the Active Directory identity
source. Those users can then perform management tasks because they can authenticate and they
have vCenter Server administrator privileges.
n Set up the reverse proxy and restart the physical or virtual machine.
VMware, Inc. 44
Platform Services Controller Administration
Procedure
1 Obtain the certificates and copy them to a folder that the sso-config utility can see.
Option Description
Windows Log in to the Platform Services Controller Windows installation and use WinSCP or
a similar utility to copy the files.
shell
chsh -s "/bin/bash" root
2 To enable smart cart authentication for VMware Directory Service (vmdir), run the following
command.
For example:
Separate multiple certificates with commas, but do not put spaces after the comma.
4 (Optional) To set a certificate policies white list, run the following command.
This white list specifies object IDs of policies that are allowed in the certificate's certificate policy
extension. An X509 certificate can have a Certificate Policy extension.
VMware, Inc. 45
Platform Services Controller Administration
b If the OCSP responder link is not provided by the AIA extension of the certificates, provide the
overriding OCSP responder URL and OCSP authority certificate.
The alternative OCSP is configured for each vCenter Single Sign-On site. You can specify more
than one alternative OCSP responder for your vCenter Single Sign-On site to allow for failover.
Note The configuration is applied to the current vCenter Single Sign-On site by default. Specify
the siteID parameter only if you configure alternative OCSP for other vCenter Single Sign-On
sites.
c To display the current alternative OCSP responder settings, run this command.
d To remove the current alternative OCSP responder settings, run this command.
VMware, Inc. 46
Platform Services Controller Administration
If smart card authentication is enabled and other authentication methods are disabled, users are then
required to log in using smart card authentication.
If user name and password authentication are disabled, and if problems occur with smart card
authentication, users cannot log in. In that case, a root or administrator user can turn on user name and
password authentication from the Platform Services Controller command line. The following command
enables user name and password authentication.
OS Command
Windows
sso-config.bat -set_authn_policy
-pwdAuthn true -t <tenant_name>
Linux
sso-config.sh -set_authn_policy -pwdAuthn true
-t <tenant_name>
Prerequisites
n Verify that your environment uses Platform Services Controller version 6.5 or later, and that you use
vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart
card authentication, but the setup procedure is different.
n Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that
certificates meet the following requirements:
n A User Principal Name (UPN) must correspond to an Active Directory account in the Subject
Alternative Name (SAN) extension.
n The certificate must specify Client Authentication in the Application Policy or Enhanced Key
Usage field or the browser does not show the certificate.
n Verify that the Platform Services Controller certificate is trusted by the end user's Workstation.
Otherwise, the browser does not attempt authentication.
n Assign the vCenter Server Administrator role to one or more users in the Active Directory identity
source. Those users can then perform management tasks because they can authenticate and they
have vCenter Server administrator privileges.
VMware, Inc. 47
Platform Services Controller Administration
n Set up the reverse proxy and restart the physical or virtual machine.
Procedure
1 Obtain the certificates and copy them to a folder that the sso-config utility can see.
Option Description
Windows Log in to the Platform Services Controller Windows installation and use WinSCP or
a similar utility to copy the files.
shell
chsh -s "/bin/bash" root
csh -s "bin/appliance/sh" root
2 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
3 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
You can choose smart card authentication by itself, or both smart card authentication and password
and Windows session authentication.
You cannot enable or disable RSA SecurID authentication from this Web interface. However, if RSA
SecurID has been enabled from the command line, the status appears in the Web interface.
7 Under the Trusted CA certificates tab, click Add, and click Browse.
VMware, Inc. 48
Platform Services Controller Administration
What to do next
n If your OCSP response is issued by a different CA than the signing CA of the smart card, provide the
OCSP signing CA certificate.
n You can configure one or more local OCSP responders for each Platform Services Controller site in a
multi-site deployment. You can configure these alternative OCSP responders using the CLI. See Use
the Command Line to Manage Smart Card Authentication.
You can customize the behavior by using the vSphere Client or by using the sso-config script. The
settings that you select depend in part on what the CA supports.
n If revocation checking is disabled, vCenter Single Sign-On ignores any CRL or OCSP settings.
vCenter Single Sign-On does not perform checks on any certificates.
n If revocation checking is enabled, the recommended setup depends on the PKI setup.
OCSP only If the issuing CA supports an OCSP responder, enable OCSP and
disable CRL as failover for OCSP.
CRL only If the issuing CA does not support OSCP, enable CRL checking and
disable OSCP checking.
Both OSCP and CRL If the issuing CA supports both an OCSP responder and a CRL, vCenter
Single Sign-On checks the OCSP responder first. If the responder
returns an unknown status or is not available, vCenter Single Sign-On
checks the CRL. For this case, enable both OCSP checking and CRL
checking, and enable CRL as failover for OCSP.
n If revocation checking is enabled, advanced users can specify the following additional settings.
OSCP URL By default, vCenter Single Sign-On checks the location of the OCSP
responder that is defined in the certificate being validated. If the
Authority Information Access extension is absent from the certificate or if
you want to override it, you can explicitly specify a location.
Use CRL from By default, vCenter Single Sign-On checks the location of the CRL that
certificate is defined in the certificate being validated. Disable this option if the CRL
Distribution Point extension is absent from the certificate or if you want
to override the default.
CRL location Use this property if you disable Use CRL from certificate and you want
to specify a location (file or HTTP URL) where the CRL is located.
You can further limit which certificates vCenter Single Sign-On accepts by adding a certificate policy.
VMware, Inc. 49
Platform Services Controller Administration
Prerequisites
n Verify that your environment uses Platform Services Controller version 6.5 or later, and that you use
vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart
card authentication, but the setup procedure is different.
n Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that
certificates meet the following requirements:
n A User Principal Name (UPN) must correspond to an Active Directory account in the Subject
Alternative Name (SAN) extension.
n The certificate must specify Client Authentication in the Application Policy or Enhanced Key
Usage field or the browser does not show the certificate.
n Verify that the Platform Services Controller certificate is trusted by the end user's workstation.
Otherwise, the browser does not attempt authentication.
n Assign the vCenter Server Administrator role to one or more users in the Active Directory identity
source. Those users can then perform management tasks because they can authenticate and they
have vCenter Server administrator privileges.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
5 Click Certificate revocation and click Edit to enable or disable revocation checking.
6 If certificate policies are in effect in your environment, you can add a policy in the Certificate policies
pane.
VMware, Inc. 50
Platform Services Controller Administration
See the two vSphere Blog posts about RSA SecurID setup for details.
Note RSA Authentication Manager requires that the user ID is a unique identifier that uses 1 to 255
ASCII characters. The characters ampersand (&), percent (%), greater than (>), less than (<), and single
quote (`) are not allowed.
Prerequisites
n When configuring RSA SecurID, vCenter Single Sign-On (SSO) supports the use of User Principal
Name (userPrincipalName attribute) as the user ID only when Integrated Windows Authentication
(IWA) is configured as an identity source for RSA users.
n Verify that your environment uses Platform Services Controller version 6.5 or later, and that you use
vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart
card authentication, but the setup procedure is different.
n Verify that your environment has a correctly configured RSA Authentication Manager and that users
have RSA tokens. RSA Authentication Manager version 8.0 or later is required.
n Verify that the identity source that RSA Manager uses has been added to vCenter Single Sign-On.
See Add or Edit a vCenter Single Sign-On Identity Source.
n Verify that the RSA Authentication Manager system can resolve the Platform Services Controller host
name, and that the Platform Services Controller system can resolve the RSA Authentication Manager
host name.
n Export the sdconf.rec file from the RSA Manager by selecting Access > Authentication Agents >
Generate configuration file. Decompress the resulting AM_Config.zip file to find the sdconf.rec
file.
Procedure
Option Description
Appliance /opt/vmware/bin
tenantName is the name of the vCenter Single Sign-On domain, vsphere.local by default.
VMware, Inc. 51
Platform Services Controller Administration
4 To configure the environment so that the tenant at the current site uses the RSA site, run the following
command.
For example:
Option Description
siteID Optional Platform Services Controller site ID. Platform Services Controller supports
one RSA Authentication Manager instance or cluster per site. If you do not
explicitly specify this option, the RSA configuration is for the current Platform
Services Controller site. Use this option only if you are adding a different site.
sdConfFile Copy of the sdconf.rec file that was downloaded from RSA Manager and
includes configuration information for the RSA Manager, such as the IP address.
5 (Optional) To change the tenant configuration to nondefault values, run the following command.
6 (Optional) If your identity source is not using the User Principal Name as the user ID, set up the
identity source userID attribute. (Supported with Active Directory over LDAP identity sources only.)
The userID attribute determines which LDAP attribute is used as the RSA userID.
For example:
VMware, Inc. 52
Platform Services Controller Administration
If user name and password authentication is disabled and RSA authentication is enabled, users must log
in with their user name and RSA token. User name and password login is no longer possible.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
Option Description
Show login message Toggle on Show login message to enable the login message. You cannot make
changes to the login message unless you toggle on this switch.
Login message Title of the message. By default, when Consent checkbox is toggled on, the login
message text is I agree to Terms and Conditions. You must replace Terms and
Conditions with your own text. If the Consent checkbox is toggled off, then Login
message appears, over which you enter your message.
Consent checkbox Toggle on Consent checkbox to require that the user clicks a check box before
logging in. You can also display a message without a check box.
Details of login message Message that the user sees when clicking the login message, for example, the text
of the terms and conditions. You must enter some details in this text box.
6 Click Save.
VMware, Inc. 53
Platform Services Controller Administration
SAML 2.0 protocol. After the federation is set up, the service provider grants access to a user if that user
can authenticate to vCenter Single Sign-On.
Note vCenter Single Sign-On can be the IDP to other SPs.vCenter Single Sign-On cannot be an SP that
uses another IDP.
A registered SAML service provider can grant access to a user that already has a live session, that is, a
user that is logged in to the identity provider. For example, vRealize Automation 7.0 and later supports
vCenter Single Sign-On as an identity provider. You can set up a federation from vCenter Single Sign-On
and from vRealize Automation. After that, vCenter Single Sign-On can perform the authentication when
you log in to vRealize Automation.
To join a SAML service provider to the identity federation, you have to set up trust between the SP and
the IDP by exchanging SAML metadata between them.
You have to perform integration tasks for both vCenter Single Sign-On and the service that is using
vCenter Single Sign-On.
You can use the vSphere Client interface to vCenter Single Sign-On to export the IDP metadata, and to
import the metadate from the SP. If you are using vRealize Automation as the SP, see the vRealize
Automation documentation for details on exporting the SP metadata and importing the IDP metadata.
Note The service must fully support the SAML 2.0 standard or integration does not work.
Prerequisites
The target service must fully support the SAML 2.0 standard and the SP metadata must have the
SPSSODescriptor element.
If the metadata do not follow the SAML 2.0 metadata schema precisely, you might have to edit the
metadata before you import it. For example, if you are using an Active Directory Federation Services
(ADFS) SAML service provider, you have to edit the metadata before you can import them. Remove the
following non-standard elements:
fed:ApplicationServiceType
fed:SecurityTokenServiceType
Procedure
VMware, Inc. 54
Platform Services Controller Administration
2 Log in with the vSphere Web Client to the vCenter Server connected to the Platform Services
Controller.
b In the Metadata from your SAML service provider dialog box, import the metadata by pasting
the XML string or by importing a file.
a In the Metadata for your SAML service provider text box, click Download.
6 Log in to the SAML SP, for example VMware vRealize Automation 7.0, and follow the SP instructions
to add the vCenter Single Sign-On metadata to that service provider.
See the vRealize Automation documentation for details on importing the metadata into that product.
Users present their primary credentials to the STS interface to acquire SAML tokens. The primary
credential depends on the type of user.
User User name and password available in a vCenter Single Sign-On identity
source.
STS authenticates the user based on the primary credentials, and constructs a SAML token that contains
user attributes. STS signs the SAML token with its STS signing certificate, and assigns the token to the
user. By default, the STS signing certificate is generated by VMCA. You can replace the default STS
signing certificate from the vSphere Web Client. Do not replace the STS signing certificate unless your
company's security policy requires replacing all certificates.
After a user has a SAML token, the SAML token is sent as part of that user's HTTP requests, possibly
through various proxies. Only the intended recipient (service provider) can use the information in the
SAML token.
VMware, Inc. 55
Platform Services Controller Administration
To acquire a SAML token, a user presents the primary credentials to the Secure Token Server (STS). The
primary credentials depend on the type of user:
Other users User name and password available in a vCenter Single Sign-On identity
source.
The STS authenticates the user using the primary credentials, and constructs a SAML token that contains
user attributes. The STS service signs the SAML token with its STS signing certificate, and then assigns
the token to a user. By default, the STS signing certificate is generated by VMCA.
After a user has a SAML token, the SAML token is sent as part of that user's HTTP requests, possibly
through various proxies. Only the intended recipient (service provider) can use the information in the
SAML token.
You can replace the existing STS signing certificate vSphere Web Client if your company policy requires
it, or if you want to update an expired certificate.
Caution Do not replace the file in the filesystem. If you do, errors that are unexpected and difficult to
debug result.
Note After you replace the certificate, you must restart the node to restart both the vSphere Web Client
service and the STS service.
Prerequisites
Copy the certificate that you just added to the java keystore from the Platform Services Controller to your
local workstation.
VMware, Inc. 56
Platform Services Controller Administration
Procedure
1 Log in to the vSphere Web Client as [email protected] or as another user with vCenter
Single Sign-On administrator privileges.
Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the
local vCenter Single Sign-On domain, vsphere.local by default.
3 Select the Certificates tab, then the STS Signing subtab, and click the Add STS Signing
Certificate icon.
a Click Browse to browse to the key store JKS file that contains the new certificate and click Open.
c Click the top of the STS alias chain and click OK.
5 Click OK.
6 Restart the Platform Services Controller node to start both the STS service and the vSphere Web
Client.
Before the restart, authentication does not work correctly so the restart is essential.
Note This certificate is valid for ten years and is not an external-facing certificate. Do not replace this
certificate unless your company's security policy requires it.
See Generate a New STS Signing Certificate on a vCenter Windows Installation if you are running a
Platform Services Controller Windows installation.
VMware, Inc. 57
Platform Services Controller Administration
Procedure
1 Create a top-level directory to hold the new certificate and verify the location of the directory.
mkdir newsts
cd newsts
pwd
#resulting output: /root/newst
cp /usr/lib/vmware-vmca/share/config/certool.cfg /root/newsts
3 Open your copy of the certool.cfg file and edit it to use the local Platform Services Controller IP
address and hostname.
The country is required and has to be two characters, as shown in the following example.
#
# Template file for a CSR request
#
VMware, Inc. 58
Platform Services Controller Administration
8 When prompted, type Yes to accept the certificate into the keystore.
What to do next
You can now import the new certificate. See Refresh the Security Token Service Certificate.
Note This certificate is valid for ten years and is not an external-facing certificate. Do not replace this
certificate unless your company's security policy requires it.
See Generate a New STS Signing Certificate on the Appliance if you are using a virtual appliance.
Procedure
cd C:\ProgramData\VMware\vCenterServer\cfg\sso\keys\
mkdir newsts
cd newsts
2 Make a copy of the certool.cfg file and place it in the new directory.
3 Open your copy of the certool.cfg file and edit it to use the local Platform Services Controller IP
address and hostname.
The country is required and has to be two characters. The following sample illustrates this.
#
# Template file for a CSR request
#
VMware, Inc. 59
Platform Services Controller Administration
Locality = Indianapolis
IPAddress = 10.0.1.32
Email = [email protected]
Hostname = homecenter.exampleinc.local
What to do next
You can now import the new certificate. See Refresh the Security Token Service Certificate.
You see certificate expiration information only if you use an Active Directory LDAP Server or OpenLDAP
Server and specify an ldaps:// URL for the server. The Identity Sources TrustStore tab remains empty
for other types of identity sources or for ldap:// traffic.
Procedure
1 Log in with the vSphere Web Client to the vCenter Server connected to the Platform Services
Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
VMware, Inc. 60
Platform Services Controller Administration
5 View a certificate's details and verify the expiration date in the Valid until field.
You might see a warning at the top of the tab which indicates that a certificate is about to expire.
By default, vCenter Single Sign-On passwords expire after 90 days. The vSphere Client reminds you
when your password is about to expire.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
Option Description
Maximum lifetime Maximum number of days that a password is valid before the user must change it.
The maximum number of days you can enter is 999999999. A value of zero (0)
means that the password never expires.
Restrict reuse Number of previous passwords that cannot be reused. For example, if you enter 6,
the user cannot reuse any of the last six passwords.
Maximum length Maximum number of characters that are allowed in the password.
VMware, Inc. 61
Platform Services Controller Administration
Option Description
Minimum length Minimum number of characters required in the password. The minimum length
must be no less than the combined minimum of alphabetic, numeric, and special
character requirements.
Character requirements Minimum number of different character types that are required in the password.
You can specify the number of each type of character, as follows:
n Special: & # %
n Alphabetic: A b c D
n Uppercase: A B C
n Lowercase: a b c
n Numeric: 1 2 3
The minimum number of alphabetic characters must be no less than the combined
uppercase and lowercase characters.
Non-ASCII characters are supported in passwords. In earlier versions of vCenter
Single Sign-On, limitations on supported characters exist.
Identical adjacent characters Maximum number of identical adjacent characters that are allowed in the
password. For example, if you enter 1, the following password is not allowed: p@$
$word.
The number must be greater than 0.
6 Click Save.
If a user logs in to vsphere.local multiple times with the wrong password, the user is locked out. The
lockout policy allows administrators to specify the maximum number of failed login attempts, and set the
time interval between failures. The policy also specifies how much time must elapse before the account is
automatically unlocked.
Note The lockout policy applies only to user accounts, not to system accounts such as
[email protected].
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
VMware, Inc. 62
Platform Services Controller Administration
Option Description
Maximum number of failed login Maximum number of failed login attempts that are allowed before the account is
attempts locked.
Time interval between failures Time period in which failed login attempts must occur to trigger a lockout.
Unlock time Amount of time that the account remains locked. If you enter 0, the administrator
must unlock the account explicitly.
6 Click Save.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
Option Description
Clock Tolerance Time difference, in milliseconds, that vCenter Single Sign-On tolerates between a
client clock and the domain controller clock. If the time difference is greater than
the specified value, vCenter Single Sign-On declares the token invalid.
Maximum Token Renewal Count Maximum number of times that a token can be renewed. After the maximum
number of renewal attempts, a new security token is required.
Maximum Token Delegation Count Holder-of-key tokens can be delegated to services in the vSphere environment. A
service that uses a delegated token performs the service on behalf of the principal
that provided the token. A token request specifies a DelegateTo identity. The
DelegateTo value can either be a solution token or a reference to a solution token.
This value specifies how many times a single holder-of-key token can be
delegated.
VMware, Inc. 63
Platform Services Controller Administration
Option Description
Maximum Bearer Token Lifetime Bearer tokens provide authentication based only on possession of the token.
Bearer tokens are intended for short-term, single-operation use. A bearer token
does not verify the identity of the user or entity that is sending the request. This
value specifies the lifetime value of a bearer token before the token has to be
reissued.
Maximum Holder-of-Key Token Holder-of-key tokens provide authentication based on security artifacts that are
Lifetime embedded in the token. Holder-of-key tokens can be used for delegation. A client
can obtain a holder-of-key token and delegate that token to another entity. The
token contains the claims to identify the originator and the delegate. In the vSphere
environment, a vCenter Server system obtains delegated tokens on a user's behalf
and uses those tokens to perform operations.
This value determines the lifetime of a holder-of-key token before the token is
marked invalid.
6 Click Save.
Procedure
OS Command
cd /etc/vmware/vsphere-ui
cd /etc/vmware/vsphere-client
cd %ALLUSERSPROFILE%\VMware\vCenterServer\cfg\vsphere-ui
cd %ALLUSERSPROFILE%\VMware\vCenterServer\cfg\vsphere-client
VMware, Inc. 64
Platform Services Controller Administration
sso.pending.password.expiration.notification.days = 30
OS Command
The vCenter Single Sign-On administrator user can perform the following tasks.
VMware, Inc. 65
Platform Services Controller Administration
You can select other domains and view information about the users in those domains, but you cannot add
users to other domains from a vCenter Single Sign-On management interface.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
VMware, Inc. 66
Platform Services Controller Administration
4 If vsphere.local is not the currently selected domain, select it from the drop-down menu.
You cannot change the user name after you create a user. The password must meet the password
policy requirements for the system.
7 (Optional) Enter the first name and last name of the new user.
9 Click Add.
When you add a user, that user initially has no privileges to perform management operations.
What to do next
Add the user to a group in the vsphere.local domain, for example, to the group of users who can
administer VMCA (CAAdmins) or to the group of users who can administer vCenter Single Sign-On
(Administrators). See Add Members to a vCenter Single Sign-On Group.
Disabled user accounts remain available in the vCenter Single Sign-On system, but the user cannot log in
or perform operations on the server. Users with administrator privileges can disable and enable accounts
from the vCenter Users and Groups page.
Prerequisites
You must be a member of the vCenter Single Sign-On Administrators group to disable and enable
vCenter Single Sign-On users.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
4 Select a user name, click the vertical ellipsis icon, and click Disable.
VMware, Inc. 67
Platform Services Controller Administration
5 Click OK.
6 To enable the user again, click the vertical ellipsis icon, click Enable, and click OK.
Caution If you delete the administrator user in the vsphere.local domain, you can no longer log in to
vCenter Single Sign-On. Reinstall vCenter Server and its components.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
4 Select Users, and select the vsphere.local domain from the drop-down menu.
5 In the list of users, select the user that you want to delete and click the vertical ellipsis icon.
6 Click Delete.
You can create additional users with the same privileges as [email protected].
vCenter Single Sign-On users are stored in the vCenter Single Sign-On vsphere.local domain.
You can review the vCenter Single Sign-On password policies from the vSphere Client. Log in as
[email protected] and from the Administration menu, select Configuration > Policies >
Password Policy.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
VMware, Inc. 68
Platform Services Controller Administration
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
4 Click Users.
The password must meet the password policy requirements for the system.
7 Click OK.
You cannot add groups to other domains, for example, the Active Directory domain, from the vCenter
Single Sign-On Groups tab.
If you do not add an identity source to vCenter Single Sign-On, creating groups and adding users can
help you organize the local domain.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
You cannot change the group name after you create the group.
6 Click Add.
VMware, Inc. 69
Platform Services Controller Administration
What to do next
See the VMware knowledge base article at http://kb.vmware.com/kb/2095342 for background information.
Groups listed on the Groups tab in the Web interface are part of the vsphere.local domain. See Groups in
the vCenter Single Sign-On Domain.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
6 Select the identity source that contains the member to add to the group.
9 Click OK.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
VMware, Inc. 70
Platform Services Controller Administration
5 In the list of group members, select the user or group that you want to remove and click the vertical
ellipsis icon.
7 Click Remove.
The user is removed from the group, but is still available in the system.
When you remove the set of services associated with a vCenter Server solution user or a third-party
solution user from your environment, the solution user is removed from the vSphere Web Client display. If
you forcefully remove an application, or if the system becomes unrecoverable while the solution user is
still in the system, you can remove the solution user explicitly from the vSphere Web Client.
Important If you delete a solution user, the corresponding services can no longer authenticate to
vCenter Single Sign-On.
Procedure
1 Log in with the vSphere Web Client to the vCenter Server connected to the Platform Services
Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
4 Click the Solution Users tab, and click the solution user name.
6 Click Yes.
The services associated with the solution user no longer have access to vCenter Server and cannot
function as vCenter Server services.
VMware, Inc. 71
Platform Services Controller Administration
The vCenter Single Sign-On lockout policy determines when your password expires. By default, vCenter
Single Sign-On user passwords expire after 90 days, but administrator passwords such as the password
for [email protected] do not expire. vCenter Single Sign-On management interfaces show a
warning when your password is about to expire.
If the password is expired, the administrator of the local domain, [email protected] by default,
can reset the password by using the dir-cli password reset command. Only members of the
Administrator group for the vCenter Single Sign-On domain can reset passwords.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
3 In the upper navigation pane, to the right of the Help menu, click your user name to pull down the
menu.
As an alternative, you can select Single Sign On > Users and Groups and select Edit User from
the vertical ellipsis menu.
6 Click OK.
VMware, Inc. 72
Platform Services Controller Administration
The vSphere authentication infrastructure enhances security in your vSphere environment. To make sure
that infrastructure is not compromised, follow vCenter Single Sign-On best practices.
Check password The default vCenter Single Sign-On password policy has a password
expiration lifetime of 90 days. After 90 days, the password expires and you can no
longer log in. Check the expiration and refresh passwords in a timely
fashion.
Configure NTP Ensure that all systems use the same relative time source (including the
relevant localization offset), and that the relative time source can be
correlated to an agreed-upon time standard (such as Coordinated Universal
Time—UTC). Synchronized systems are essential for vCenter Single Sign-
On certificate validity, and for the validity of other vSphere certificates.
NTP also makes it easier to track an intruder in log files. Incorrect time
settings can make it difficult to inspect and correlate log files to detect
attacks, and can make auditing inaccurate.
VMware, Inc. 73
vSphere Security Certificates 3
vSphere provides security by using certificates to encrypt communications, authenticate services, and
sign tokens.
n Encrypt communications between two nodes, such as vCenter Server and an ESXi host.
vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates
necessary for vCenter Server and ESXi. VMCA is installed on every Platform Services Controller,
immediately securing the solution without any other modification. Keeping this default configuration
provides the lowest operational overhead for certificate management. vSphere provides a mechanism to
renew these certificates in the event they expire.
vSphere also provides a mechanism to replace certain certificates with your own certificates. However,
replace only the SSL certificate that provides encryption between nodes, to keep your certificate
management overhead low.
VMCA Default Certificates VMCA provides all the certificates Simplest and lowest overhead. VMCA can manage the
for vCenter Server and ESXi certificate lifecycle for vCenter Server and ESXi hosts.
hosts.
VMCA Default Certificates with You replace the Platform Services Simple and secure. VMCA manages internal
External SSL Certificates (Hybrid Controller and vCenter Server certificates but you get the benefit of using your
Mode) Appliance SSL certificates, and corporate-approved SSL certificates, and having those
allow VMCA to manage certificates trusted by your browsers.
certificates for solution users and
ESXi hosts. Optionally, for high-
security conscious deployments,
you can replace the ESXi host
SSL certificates as well.
VMware, Inc. 74
Platform Services Controller Administration
VMware does not recommend replacing either solution user certificates or STS certificates, nor using a
subordinate CA in place of the VMCA. If you choose either of these options, you might encounter
significant complexity and the potential for a negative impact to your security, and an unnecessary
increase in your operational risk. For more information about managing certificates within a vSphere
environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate
Replacement at http://vmware.com/go/hybridvmca.
You can use the following options to replace the existing certificates:
Use the vSphere Client. Starting with vSphere 6.7, the Platform Managing Certificates with the vSphere Client
Services Controller is managed through the vSphere Client.
Use the vSphere Certificate Manager utility from the command Managing Certificates with the vSphere Certificate Manager
line. Utility
Use CLI commands for manual certificate replacement. Chapter 4 Managing Services and Certificates with CLI
Commands
Before you begin, ensure that all nodes in your environment are time synchronized.
n PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When you add keys to VECS, they
are converted to PKCS8.
n x509 version 3
VMware, Inc. 75
Platform Services Controller Administration
n CRT format
If you do not generate CSRs using Certificate Manager, ensure that the CSR includes the following fields.
CN commonName
L localityName
ST stateOrProvinceName
O organizationName
OU organizationalUnitName
C countryName
STREET streetAddress
DC domainComponent
UID userid
If you generate CSRs using Certificate Manager, you are prompted for the following information, and
Certificate Manager adds the corresponding fields to the CSR file.
n The password of the [email protected] user, or for the administrator of the vCenter Single
Sign-On domain that you are connecting to.
n If you are generating a CSR in an environment with an external Platform Services Controller, you are
prompted for the host name or IP address of the Platform Services Controller.
n Information that Certificate Manager stores in the certool.cfg file. For most fields, you can accept
the default or provide site-specific values. The FQDN of the machine is required.
n Company name
VMware, Inc. 76
Platform Services Controller Administration
n Organization name
n Organization unit
n State
n Locality
n IP address (optional)
n Email
n Host name, that is, the fully qualified domain name of the machine for which you want to replace
the certificate. If the host name does not match the FQDN, certificate replacement does not
complete correctly and your environment might end up in an unstable state.
n IP address of Platform Services Controller if you are running the command on a vCenter Server
(management) node.
VMware, Inc. 77
Platform Services Controller Administration
Root certificate n You can use vSphere Certificate Manager to create the
CSR. See Generate CSR with vSphere Certificate Manager
and Prepare Root Certificate (Intermediate CA).
n If you prefer to create the CSR manually, the certificate that
you send to be signed must meet the following
requirements.
Machine SSL certificate You can use the vSphere Certificate Manager to create the CSR
or create the CSR manually.
If you create the CSR manually, it must meet the requirements
listed previously under Requirements for All Imported
Certificates. You also have to specify the FQDN for the host.
Solution user certificate You can use vSphere Certificate Manager to create the CSR or
create the CSR manually.
Note You must use a different value for Name for each solution
user. If you generate the certificate manually, this might show up
as CN under Subject, depending on the tool you use.
If you use vSphere Certificate Manager, the tool prompts you for
certificate information for each solution user. vSphere Certificate
Manager stores the information in certool.cfg. See
Information that Certificate Manager Prompts For.
VMware, Inc. 78
Platform Services Controller Administration
Machine SSL certificate The machine SSL certificate on each node must have a
separate certificate from your third-party or enterprise CA.
n You can generate the CSR using the vSphere Client or
vSphere Certificate Manager, or create the CSR manually.
The CSR must meet the requirements listed previously
under Requirements for All Imported Certificates.
n If you use vSphere Certificate Manager, the tool prompts
you for certificate information for each solution user.
vSphere Certificate Manager stores the information in
certool.cfg. See Information that Certificate Manager
Prompts For.
n For most fields, you can accept the default or provide site-
specific values. The FQDN of the machine is required.
Solution user certificate Each solution user on each node must have a separate
certificate from your third-party or enterprise CA.
n You can generate the CSRs using vSphere Certificate
Manager or prepare the CSR yourself. The CSR must meet
the requirements listed previously under Requirements for
All Imported Certificates.
n If you use vSphere Certificate Manager, the tool prompts
you for certificate information for each solution user.
vSphere Certificate Manager stores the information in
certool.cfg. See Information that Certificate Manager
Prompts For.
Note You must use a different value for Name for each
solution user. A manually generated certificate might show
up as CN under Subject, depending on the tool you use.
When later you replace solution user certificates with custom
certificates, provide the complete signing certificate chain of the
third-party CA.
Note Do not use CRL Distribution Points, Authority Information Access, or Certificate Template
Information in any custom certificates.
VMware, Inc. 79
Platform Services Controller Administration
If you do not currently replace VMware certificates, your environment starts using VMCA-signed
certificates instead of self-signed certificates.
n Have the VMCA root certificate signed by a third-party CA or enterprise CA. Replace the VMCA root
certificate with that signed certificate. In this scenario, the VMCA certificate is an intermediate
certificate. VMCA provisions vCenter Server components and ESXi hosts with certificates that include
the full certificate chain.
n If your company policy does not allow intermediate certificates in the chain, you can replace
certificates explicitly. You can use the vSphere Client, vSphere Certificate Manager utility, or perform
manual certificate replacement using the certificate management CLIs.
When upgrading an environment that uses custom certificates, you can retain some of the certificates.
n ESXi hosts keep their custom certificates during upgrade. Make sure that the vCenter Server upgrade
process adds all the relevant root certificates to the TRUSTED_ROOTS store in VECS on the
vCenter Server.
After the upgrade to vSphere 6.0 or later, you can set the certificate mode to Custom. If the certificate
mode is VMCA, the default, and the user performs a certificate refresh from the vSphere Client, the
VMCA-signed certificates replace the custom certificates.
n For vCenter Server components, what happens depends on the existing environment.
n For an upgrade of a multi-site deployment, vCenter Single Sign-On can be on a different machine
than other vCenter Server components. In that case, the upgrade process creates a multi-node
deployment that includes a Platform Services Controller node and one or more management
nodes.
This scenario retains the existing vCenter Server and vCenter Single Sign-On certificates. The
certificates are used as machine SSL certificates.
In addition, VMCA assigns a VMCA-signed certificate to each solution user (collection of vCenter
services). The solution user uses this certificate only to authenticate to vCenter Single Sign-On.
Replacing solution user certificates is often not required by a company policy.
You can no longer use the vSphere 5.5 certificate replacement tool, which was available for vSphere
5.5 installations. The new architecture results in a different service distribution and placement. A new
command-line utility, vSphere Certificate Manager, is available for most certificate management tasks.
VMware, Inc. 80
Platform Services Controller Administration
vSphere Certificate Manager utility Perform common certificate replacement tasks from the
command line of the vCenter Server installation.
Certificate management CLIs Perform all certificate management tasks with dir-cli,
certool, and vecs-cli.
For ESXi, you perform certificate management from the vSphere Client. VMCA provisions certificates and
stores them locally on the ESXi host. VMCA does not store ESXi host certificates in VMDIR or in VECS.
See the vSphere Security documentation.
n Certificates that are generated and signed by VMware Certificate Authority (VMCA).
n Custom certificates.
n Enterprise certificates that are generated from your own internal PKI.
n Third-party CA-signed certificates that are generated by an external PKI such as Verisign,
GoDaddy, and so on.
Self-signed certificates that were created using OpenSSL in which no Root CA exists are not supported.
VMCA is included in each Platform Services Controller and in each embedded deployment. VMCA
provisions each node, each vCenter Server solution user, and each ESXi host with a certificate that is
signed by VMCA as the certificate authority. vCenter Server solution users are groups of vCenter Server
services.
You can replace the default certificates. For vCenter Server components, you can use a set of command-
line tools included in your installation. You have several options.
VMware, Inc. 81
Platform Services Controller Administration
VMCA
Signed
CA-Cert
Machine-Cert
VECS
For manual certificate replacement, see Replace Existing VMCA-Signed Certificates With New VMCA-
Signed Certificates.
Note If you perform a fresh install that includes an external Platform Services Controller, install the
Platform Services Controller first and replace the VMCA root certificate. Next, install other services or add
ESXi hosts to your environment. If you perform a fresh install with an embedded Platform Services
Controller, replace the VMCA root certificate before you add ESXi hosts. If you do, VMCA signs the whole
chain, and you do not have to generate new certificates.
VMware, Inc. 82
Platform Services Controller Administration
Machine-Cert
VECS
n Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
For manual certificate replacement, see Use VMCA as an Intermediate Certificate Authority.
VMware, Inc. 83
Platform Services Controller Administration
VMware vSphere
VMCA
Signed
External CA Unused
(Commercial or
Enterprise)
Machine-Cert
VECS
For manual certificate replacement, see Use Custom Certificates With vSphere.
You can also use the vSphere Client to generate a CSR for a machine SSL certificate (custom), and
replace the certificate after the CA returns it. See Generate Certificate Signing Request for Machine SSL
Certificate Using the vSphere Client (Custom Certificates).
Hybrid Deployment
You can have VMCA supply some of the certificates, but use custom certificates for other parts of your
infrastructure. For example, because solution user certificates are used only to authenticate to vCenter
Single Sign-On, consider having VMCA provision those certificates. Replace the machine SSL certificates
with custom certificates to secure all SSL traffic.
Company policy often does not allow intermediate CAs. For those cases, hybrid deployment is a good
solution. It minimizes the number of certificates to replace, and secures all traffic. The hybrid deployment
leaves only internal traffic, that is, solution user traffic, to use the default VMCA-signed certificates.
VMware, Inc. 84
Platform Services Controller Administration
VMware Certificate Authority mode (default) When you renew certificates from the vSphere Client, VMCA
issues the certificates for the hosts. If you changed the VMCA
root certificate to include a certificate chain, the host certificates
include the full chain.
Custom Certificate Authority mode Allows you to manually update and use certificates that are not
signed or issued by VMCA.
Thumbprint mode Can be used to retain 5.5 certificates during refresh. Use this
mode only temporarily in debugging situations.
vCenter Single Sign-On SSL Provisioned during installation. Manage this certificate from the vSphere Web Client.
signing certificate
Note Do not change this certificate in the filesystem
or unpredictable behavior results.
VMware Directory Service (VMDIR) Provisioned during installation. Starting with vSphere 6.5, the machine SSL certificate
SSL certificate is used as the vmdir certificate.
ESXi
ESXi certificates are stored locally on each host in the /etc/vmware/ssl directory. ESXi certificates are
provisioned by VMCA by default, but you can use custom certificates instead. ESXi certificates are
provisioned when the host is first added to vCenter Server and when the host reconnects.
Each node has its own machine SSL certificate. Nodes include vCenter Server instance, Platform
Services Controller instance, or embedded deployment instance. All services that are running on a node
use the machine SSL certificate to expose their SSL endpoints.
VMware, Inc. 85
Platform Services Controller Administration
n The reverse proxy service on each Platform Services Controller node. SSL connections to individual
vCenter services always go to the reverse proxy. Traffic does not go to the services themselves.
n The VMware Directory Service (vmdir) on infrastructure nodes and embedded nodes.
VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information.
Session information is sent over SSL between components.
A solution user presents the certificate to vCenter Single Sign-On when it first has to authenticate, after a
reboot, and after a timeout has elapsed. The timeout (Holder-of-Key Timeout) can be set from the
vSphere Web Client and defaults to 2592000 seconds (30 days).
For example, the vpxd solution user presents its certificate to vCenter Single Sign-On when it connects to
vCenter Single Sign-On. The vpxd solution user receives a SAML token from vCenter Single Sign-On and
can then use that token to authenticate to other solution users and services.
The following solution user certificate stores are included in VECS on each management node and each
embedded deployment:
Note The machine solution user certificate has nothing to do with the machine SSL certificate. The
machine solution user certificate is used for the SAML token exchange. The machine SSL certificate
is used for secure SSL connections for a machine.
n vpxd: vCenter service daemon (vpxd) store on management nodes and embedded deployments.
vpxd uses the solution user certificate that is stored in this store to authenticate to vCenter Single
Sign-On.
n vpxd-extension: vCenter extensions store. Includes the Auto Deploy service, inventory service, and
other services that are not part of other solution users.
n vsphere-webclient: vSphere Web Client store. Also includes some additional services such as the
performance chart service.
VMware, Inc. 86
Platform Services Controller Administration
Internal Certificates
vCenter Single Sign-On certificates are not stored in VECS and are not managed with certificate
management tools. As a rule, changes are not necessary, but in special situations, you can replace these
certificates.
vCenter Single Sign-On The vCenter Single Sign-On service includes an identity provider service
Signing Certificate which issues SAML tokens that are used for authentication throughout
vSphere. A SAML token represents the user's identity, and also contains
group membership information. When vCenter Single Sign-On issues
SAML tokens, it signs each token with its signing certificate so that clients
of vCenter Single Sign-On can verify that the SAML token comes from a
trusted source.
vCenter Single Sign-On issues holder-of-key SAML tokens to solution
users and bearer tokens other users, which log in with a user name and
password.
You can replace this certificate from the vSphere Web Client. See Refresh
the Security Token Service Certificate.
VMware Directory Starting with vSphere 6.5, the machine SSL certificate is used as the
Service SSL Certificate VMware directory certificate. For earlier versions of vSphere, see the
corresponding documentation.
vSphere Virtual The vSphere Virtual Machine Encryption solution connects with an external
Machine Encryption Key Management Server (KMS). Depending on how the solution
Certificates authenticates to the KMS, it might generate certificates and store them in
VECS. See the vSphere Security documentation.
VMware, Inc. 87
Platform Services Controller Administration
VMware Directory Service (vmdir) Handles SAML certificate management for Platform Services Controller
authentication with vCenter Single Sign-On. Embedded deployment
VMware Certificate Authority Issues certificates for VMware solution users, Platform Services Controller
(VMCA) machine certificates for machines on which services Embedded deployment
are running, and ESXi host certificates. VMCA can be
used as is, or as an intermediary certificate authority.
VMCA issues certificates only to clients that can
authenticate to vCenter Single Sign-On in the same
domain.
VMware Authentication Framework Includes the VMware Endpoint Certificate Store Platform Services Controller
Daemon (VMAFD) (VECS) and several other authentication services. vCenter Server
VMware administrators interact with VECS. The other Embedded deployment
services are used internally.
VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every
embedded deployment, Platform Services Controller node, and management node, and holds the
keystores that contain the certificates and keys.
VECS polls VMware Directory Service (vmdir) periodically for updates to the trusted root store. You can
also explicitly manage certificates and keys in VECS using vecs-cli commands. See vecs-cli Command
Reference.
Machine SSL store (MACHINE_SSL_CERT) n Used by the reverse proxy service on every vSphere node.
n Used by the VMware Directory Service (vmdir) on
embedded deployments and on each Platform Services
Controller node.
All services in vSphere 6.0 and later communicate through a
reverse proxy, which uses the machine SSL certificate. For
backward compatibility, the 5.x services still use specific ports.
As a result, some services such as vpxd still have their own port
open.
VMware, Inc. 88
Platform Services Controller Administration
Solution user stores VECS includes one store for each solution user. The subject of
n machine each solution user certificate must be unique, for example, the
machine certificate cannot have the same subject as the vpxd
n vpxd
certificate.
n vpxd-extension
Solution user certificates are used for authentication with
n vsphere-webclient
vCenter Single Sign-On. vCenter Single Sign-On checks that the
certificate is valid, but does not check other certificate attributes.
In an embedded deployment, all solution user certificates are on
the same system.
The following solution user certificate stores are included in
VECS on each management node and each embedded
deployment:
n machine: Used by the license server and the logging service.
vSphere Certificate Manager Utility backup store Used by VMCA (VMware Certificate Manager) to support
(BACKUP_STORE) certificate revert. Only the most recent state is stored as a
backup, you cannot go back more than one step.
Other stores Other stores might be added by solutions. For example, the
Virtual Volumes solution adds an SMS store. Do not modify the
certificates in those stores unless VMware documentation or a
VMware Knowledge Base article instructs you to do so.
The vCenter Single Sign-On service stores the token signing certificate and its SSL certificate on disk.
You can change the token signing certificate from the vSphere Client.
VMware, Inc. 89
Platform Services Controller Administration
Some certificates are stored on the file system, either temporarily during startup or permanently. Do not
change the certificates on the file system. Use vecs-cli to perform operations on certificates that are
stored in VECS.
Note Do not change any certificate files on disk unless instructed by VMware documentation or
Knowledge Base Articles. Unpredictable behavior might result otherwise.
vSphere 6.0 supports replacing certificates but does not enforce certificate revocation for ESXi hosts or
for vCenter Server systems.
Remove revoked certificates from all nodes. If you do not remove revoked certificates, a man-in-the-
middle attack might enable compromise through impersonation with the account's credentials.
VMware, Inc. 90
Platform Services Controller Administration
vSphere Certificate You run vSphere Certificate Manager on each machine. On management
Manager nodes, you are prompted for the IP address of the Platform Services
Controller. Depending on the task you perform, you are also prompted for
certificate information.
Manual Certificate For manual certificate replacement, you run the certificate replacement
Replacement commands on each machine. On management nodes, you must specify the
Platform Services Controller with the --server parameter. See the
following topics for details:
Note When you list solution user certificates in large deployments, the output of dir-cli list includes
all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find
the local machine ID for each host. Each solution user name includes the machine ID.
vSphere Certificate You run vSphere Certificate Manager on each machine. On management
Manager nodes, you are prompted for the IP address of the Platform Services
Controller. Depending on the task you perform, you are also prompted for
certificate information.
Manual Certificate 1 Generate or request a certificate. You need the following certificates:
Replacement
n A certificate for the machine solution user on the Platform Services
Controller.
VMware, Inc. 91
Platform Services Controller Administration
You can run the ls_update_certs script to resolve the issue. See the VMware knowledge base article at
http://kb.vmware.com/kb/2109074 for details.
n Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the
certificate when the Certificate Authority returns it.
Most parts of the certificate replacement workflows are supported fully from the vSphere Client. For
generating CSRs for machine SSL certificates, you can use either the vSphere Client or the Certificate
Manage utility.
VMware, Inc. 92
Platform Services Controller Administration
Supported Workflows
After you install a Platform Services Controller, the VMware Certificate Authority on that node provisions
all other nodes in the environment with certificates by default. See Chapter 3 vSphere Security
Certificates for recommendations on the current recommendations for managing certificates.
You can use one of the following workflows to renew or replace certificates.
Renew Certificates You can have VMCA renew SSL and solution user certificates in your
environment from the vSphere Client.
Make VMCA an You can generate a CSR using the vSphere Certificate Manager utility. You
Intermediate CA can then edit the certificate you receive from the CSR to add VMCA to the
chain, and then add the certificate chain and private key to your
environment. When you then renew all certificates, VMCA provisions all
machines and solution users with certificates that the full chain has signed.
Replace Certificates If you do not want to use VMCA, you can generate CSRs for the certificates
with Custom that you want to replace. The CA returns a root certificate and a signed
Certificates certificate for each CSR. You can upload the root certificate and the custom
certificates from the Platform Services Controller.
Note If you use VMCA as an intermediate CA, or use custom certificates, you might encounter
significant complexity and the potential for a negative impact to your security, and an unnecessary
increase in your operational risk. For more information about managing certificates within a vSphere
environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate
Replacement at http://vmware.com/go/hybridvmca.
In a mixed-mode environment, you can use CLI commands to replace the vCenter Single Sign-On
certificate after replacing the other certificates. See Replace the VMware Directory Service Certificate in
Mixed Mode Environments.
See VMware Endpoint Certificate Store Overview for details on the different stores inside VECS.
Prerequisites
For most management tasks, you must have the password for the administrator for the local domain
account, [email protected] or a different domain if you changed the domain during installation.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
VMware, Inc. 93
Platform Services Controller Administration
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
5 Explore the certificates stored inside the VMware Endpoint Certificate Store (VECS).
VMware Endpoint Certificate Store Overview explains what is in the individual stores.
6 To view details for a certificate, select the certificate and click View Details.
For example, if you replace the existing certificate, you can later remove the old root certificate.
Remove certificates only if you are sure that they are no longer in use.
Procedure
5 Change the setting of vpxd.cert.threshold to the desired value and click Save.
Prerequisites
For certificate management, you have to supply the password of the administrator of the local domain
([email protected] by default). If you are renewing certificates for a vCenter Server system,
you also have to supply the vCenter Single Sign-On credentials for a user with administrator privileges on
the vCenter Server system.
VMware, Inc. 94
Platform Services Controller Administration
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
c Click Renew.
6 (Optional) Renew the Solution User certificates for the local system.
b Click Actions > Renew to renew individual selected certificates, or click Renew All to renew all
solution user certificates.
7 If your environment includes an external Platform Services Controller, you can then renew the
certificates for each vCenter Server system.
b When prompted, specify the IP address or FQDN of the vCenter Server system and user name
and password of a vCenter Server administrator who can authenticate to vCenter Single Sign-On.
c Renew the machine SSL certificate on the vCenter Server and, optionally, each solution user
certificate.
d If you have multiple vCenter Server systems in your environment, repeat the process for each
system.
VMware, Inc. 95
Platform Services Controller Administration
What to do next
Restart services on the Platform Services Controller. You can either restart the Platform Services
Controller, or run the following commands from the command line:
vCenter Server
service-control --stop --all
Appliance service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad
You can generate Certificate Signing Requests (CSRs) for each machine and for each solution user using
the Certificate Manager utility. You can also generate CSRs for each machine, and replace certificates
when you receive them from the third-party CA, using the vSphere Client. When you submit the CSRs to
your internal or third-party CA, the CA returns signed certificates and the root certificate. You can upload
both the root certificate and the signed certificates from the Platform Services Controller UI.
Generate Certificate Signing Request for Machine SSL Certificate Using the
vSphere Client (Custom Certificates)
The machine SSL certificate is used by the reverse proxy service on every management node, Platform
Services Controller, and embedded deployment. Each machine must have a machine SSL certificate for
secure communication with other services. You can use the vSphere Client to generate a Certificate
Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is ready.
Prerequisites
n CRT format
n x509 version 3
VMware, Inc. 96
Platform Services Controller Administration
n Contains the following Key Usages: Digital Signature, Non-Repudiation, Key Encipherment
Note Do not use CRL Distribution Points, Authority Information Access, or Certificate Template
Information in any custom certificates.
Generating a CSR for the machine SSL certificate is supported only on the vCenter Server Appliance. It is
not supported on a Windows installation of vCenter Server.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
a Under Machine SSL Certificate, for the certificate you want to replace, click Actions >
Generate Certificate Signing Request (CSR).
d Click Finish.
What to do next
When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store.
See Add Custom Certificates from the Platform Services Controller.
VMware, Inc. 97
Platform Services Controller Administration
You can run the Certificate Manager tool from the command line as follows:
Windows
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Linux
/usr/lib/vmware-vmca/bin/certificate-manager
Prerequisites
vSphere Certificate Manager prompts you for information. The prompts depend on your environment and
on the type of certificate you want to replace.
n For any CSR generation, you are prompted for the password of the [email protected]
user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
n If you are generating a CSR in an environment with an external Platform Services Controller, you are
prompted for the host name or IP address of the Platform Services Controller.
n To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which
are stored in the certool.cfg file. For most fields, you can accept the default or provide site-specific
values. The FQDN of the machine is required.
Procedure
1 On each machine in your environment, start vSphere Certificate Manager and select option 1.
2 Supply the password and the Platform Services Controller IP address or host name if prompted.
3 Select option 1 to generate the CSR, answer the prompts and exit Certificate Manager.
As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.
4 If you also want to replace all solution user certificates, restart Certificate Manager.
5 Select option 5.
6 Supply the password and the Platform Services Controller IP address or host name if prompted.
7 Select option 1 to generate the CSRs, answer the prompts and exit Certificate Manager.
As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.
On each Platform Services Controller node, Certificate Manager generates one certificate and key
pair. On each vCenter Server node, Certificate Manager generates four certificate and key pairs.
What to do next
VMware, Inc. 98
Platform Services Controller Administration
Prerequisites
Obtain the custom root certificate from your third-party or in-house CA.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
7 Click Add.
What to do next
Replace the Machine SSL certificates and, optionally, the solution user certificates with certificates that
are signed by this CA.
In most cases, replacing the machine SSL certificate for each component is sufficient. The solution user
certificate remains behind a proxy.
Prerequisites
Generate certificate signing requests (CSRs) for each certificate that you want to replace. You can
generate the CSRs with the Certificate Manager utility. You can also generate a CSR for a machine SSL
certificate using the vSphere Client. Place the certificate and private key in a location that the Platform
Services Controller can access.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
VMware, Inc. 99
Platform Services Controller Administration
2 Specify the user name and password for [email protected] or another member of the
vCenter Single Sign-On Administrators group.
a Under Machine SSL Certificate, for the certificate that you want to replace, click Actions >
Replace.
b Browse for the machine SSL certificate (.cer, .pem, or .crt file) and the private key (.key file).
c Click Replace.
a Under Solution Certificates, for the first of the certificates for a component, for example,
machine, click Actions > Replace.
b Click Browse to replace the certificate chain, then click Browse to replace the private key.
c Click Replace.
d Repeat the process for the other certificates for the same component.
What to do next
Restart services on the Platform Services Controller. You can either restart the Platform Services
Controller, or run the following commands from the command line:
vCenter Server
service-control --stop --all
Appliance service-control --start vmafdd
service-control --start vmdird
service-control --start vmcad
You view certificates associated with the VMCA instance that is included with your embedded deployment
or with the Platform Services Controller. Certificate information is replicated across instances of VMware
Directory Service (vmdir).
When you attempt to view certificates in the vSphere Web Client, you are prompted for a user name and
password. Specify the user name and password of a user with privileges for VMware Certificate Authority,
that is, a user in the CAAdmins vCenter Single Sign-On group.
Procedure
1 Log in with the vSphere Web Client to vCenter Server as [email protected] or another
user of the CAAdmins vCenter Single Sign-On group.
6 Click the certificate type for which you want to view certificate information.
Option Description
Active Certificates Displays active certificates, including their validation information. The green Valid
To icon changes when certificate expiration is approaching.
Revoked Certificates Displays the list of revoked certificates. Not supported in this release.
Root Certificates Displays the root certificates available to this instance of vCenter Certificate
Authority.
7 Select a certificate and click the Show Certificate Details button to view certificate details.
If you use vSphere Certificate Manager, you are not responsible for placing the certificates in VECS
(VMware Endpoint Certificate Store) and you are not responsible for starting and stopping services.
Before you run vSphere Certificate Manager, be sure you understand the replacement process and
procure the certificates that you want to use.
Caution vSphere Certificate Manager supports one level of revert. If you run vSphere Certificate
Manager twice and notice that you unintentionally corrupted your environment, the tool cannot revert the
first of the two runs.
Windows
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Linux
/usr/lib/vmware-vmca/bin/certificate-manager
Procedure
Replace VMCA Root Certificate with Custom Signing Certificate and Replace
All Certificates.
This single-option workflow (Option 2) can be used by itself, or in the intermediate certificate workflow.
See Regenerate a New VMCA Root Certificate and Replace All Certificates.
1 To generate a CSR, select Option 2, Replace VMCA Root certificate with Custom Signing Certificate
and replace all Certificates. You might have to provide some information about the certificate next.
When prompted for an option again, select Option 1.
Submit the CSR to your external or enterprise CA. You receive a signed certificate and a root
certificate from the CA.
2 Combine the VMCA root certificate with the CA root certificate and save the file.
3 Select Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all
Certificates. This process replaces all certificates on the local machine.
a First you replace the machine SSL certificate with the (new) VMCA certificate (Option 3).
b Then you replace the solution user certificates with the (new) VMCA certificate (Option 6).
1 You generate certificate signing requests for the machine SSL certificate and the solution user
certificates separately on each machine.
a To generate CSRs for the machine SSL certificate, you select Option 1.
b If company policy requires that you replace all certificates, you also select Option 5.
2 After you received the signed certificates and the root certificate from your CA, you replace the
machine SSL certificate on each machine by using Option 1.
3 If you also want to replace the solution user certificates, you select Option 5.
4 Finally, in a multi-node deployment, you have to repeat the process on each node.
Note Starting in vSphere 6.5, the following prompt appears when you run the Certificate Manager utility:
Respond to the prompt by entering the fully qualified domain name of the machine on which the certificate
configuration is running.
When you replace the existing machine SSL certificate with a new VMCA-signed certificate, vSphere
Certificate Manager prompts you for information and enters all values, except for the password and the IP
address of the Platform Services Controller, into the certool.cfg file.
n Company name
n Organization name
n Organization unit
n State
n Locality
n IP address (optional)
n Email
n Host name, that is, the fully qualified domain name of the machine for which you want to replace the
certificate. If the host name does not match the FQDN, certificate replacement does not complete
correctly and your environment might end up in an unstable state.
n IP address of Platform Services Controller if you are running the command on a management node.
n VMCA name, that is, the fully qualified domain name of the machine on which the certificate
configuration is running.
Prerequisites
You must know the following information when you run vSphere Certificate Manager with this option.
n The FQDN of the machine for which you want to generate a new VMCA-signed certificate. All other
properties default to the predefined values but can be changed.
Procedure
2 Select option 4.
Certificate Manager generates a new VMCA root certificate based on your input and replaces all
certificates on the system where you are running Certificate Manager. If you use an embedded
deployment, the replacement process is complete after Certificate Manager has restarted the
services.
4 If your environment includes an external Platform Services Controller, you have to replace certificates
on each vCenter Server system.
b Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
d To replace the machine SSL certificate, run vSphere Certificate Manager with option 3,
Replace Machine SSL certificate with VMCA Certificate.
e To replace the solution user certificates, run Certificate Manager with option 6,
Replace Solution user certificates with VMCA certificates.
To make VMCA an intermediate CA, you have to run Certificate Manager several times. The workflow
gives the complete set of steps for replacing both machine SSL certificates and solution user certificates.
It explains what to do in environments with embedded Platform Services Controller or external Platform
Services Controller.
1 To generate a CSR, select Option 1, Replace Machine SSL certificate with Custom Certificate then
Option 1.
You receive a signed certificate and a root certificate from the CA.
2 Combine the VMCA root certificate with the CA root certificate and save the file.
3 Select Option 2, Replace VMCA Root certificate with Custom Signing Certificate and replace all
Certificates. This process replaces all certificates on the local machine.
a First you replace the machine SSL certificate with the (new) VMCA certificate (Option 3)
b Then you replace the solution user certificates with the (new) VMCA certificate (Option 6).
Procedure
1 Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs). Submit
those CSRs to your enterprise CA or to an external certificate authority for signing. You can use the
signed certificates with the different supported certificate replacement processes.
2 Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
You can use vSphere Certificate Manager to generate a CSR and sent the CSR to an enterprise or
third-party CA for signing. You can then replace the VMCA root certificate with a custom signing
certificate and replace all existing certificates with certificates that are signed by the custom CA.
Generate CSR with vSphere Certificate Manager and Prepare Root Certificate
(Intermediate CA)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs). Submit those
CSRs to your enterprise CA or to an external certificate authority for signing. You can use the signed
certificates with the different supported certificate replacement processes.
n If you prefer to create the CSR manually, the certificate that you send to be signed must meet the
following requirements.
n PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS,
they are converted to PKCS8.
n x509 version 3
n If you are using custom certificates, the CA extension must be set to true for root certificates, and
cert sign must be in the list of requirements.
n No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is
10 certificates.
n Certificates with wildcards or with more than one DNS name are not supported.
Prerequisites
vSphere Certificate Manager prompts you for information. The prompts depend on your environment and
on the type of certificate that you want to replace.
For any CSR generation, you are prompted for the password of the [email protected] user, or
for the administrator of the vCenter Single Sign-On domain that you are connecting to.
Procedure
OS Command
Linux /usr/lib/vmware-vmca/bin/certificate-manager
2 Select Option 2.
Initially, you use this option to generate the CSR, not to replace certificates.
3 Supply the password and the Platform Services Controller IP address or host name if prompted.
As part of the process, you have to provide a directory. Certificate Manager places the certificate to
be signed (*.csr file) and the corresponding key file (*.key file) in the directory.
6 Send the CSR to your enterprise or external CA for signing and name the resulting signed certificate
root_signing_cert.cer.
-----BEGIN CERTIFICATE-----
Signed VMCA root certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA intermediate certificates
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate of enterprise or external CA
-----END CERTIFICATE-----
What to do next
Replace the existing root certificate with the chained root certificate. See Replace VMCA Root Certificate
with Custom Signing Certificate and Replace All Certificates.
Replace VMCA Root Certificate with Custom Signing Certificate and Replace
All Certificates
You can use vSphere Certificate Manager to generate a CSR and sent the CSR to an enterprise or third-
party CA for signing. You can then replace the VMCA root certificate with a custom signing certificate and
replace all existing certificates with certificates that are signed by the custom CA.
You run vSphere Certificate Manager on an embedded installation or on an external Platform Services
Controller to replace the VMCA root certificate with a custom signing certificate.
Prerequisites
n You can use vSphere Certificate Manager to create the CSR or create the CSR manually.
n After you receive the signed certificate from your third-party or enterprise CA, combine it with the
initial VMCA root certificate to create the full chain.
See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate
CA) for certificate requirements and the process of combining the certificates.
Procedure
2 Select option 2 again to start certificate replacement and respond to the prompts.
b If you are replacing certificates for the first time, you are prompted for information to be used for
the machine SSL certificate.
This information includes the required FQDN of the machine and is stored in the certool.cfg
file.
3 If you replace the root certificate on the Platform Services Controller in a multi-node deployment,
follow these steps for each vCenter Server node.
b Regenerate all certificates on the vCenter Server instance by using options 3 (Replace Machine
SSL certificate with VMCA Certificate) and 6 (Replace Solution user certificates with
VMCA certificates).
When you replace the certificates, VMCA signs with the full chain.
What to do next
If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-
On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode
Environments.
When you replace the existing machine SSL certificate with a new VMCA-signed certificate, vSphere
Certificate Manager prompts you for information and enters all values, except for the password and the IP
address of the Platform Services Controller, into the certool.cfg file.
n Company name
n Organization name
n Organization unit
n State
n Locality
n IP address (optional)
n Email
n Host name, that is, the fully qualified domain name of the machine for which you want to replace the
certificate. If the host name does not match the FQDN, certificate replacement does not complete
correctly and your environment might end up in an unstable state.
n IP address of Platform Services Controller if you are running the command on a management node.
n VMCA name, that is, the fully qualified domain name of the machine on which the certificate
configuration is running.
Prerequisites
n Restart all vCenter Server nodes explicitly if you replaced the VMCA root certificate in a multi-node
deployment.
n You must know the following information to run Certificate Manager with this option.
n The FQDN of the machine for which you want to generate a new VMCA-signed certificate. All
other properties default to the predefined values but can be changed.
n Host name or IP address of the Platform Services Controller if you are running on a vCenter
Server system with an external Platform Services Controller.
Procedure
Prerequisites
n Restart all vCenter Server nodes explicitly if you replaced the VMCA root certificate in a multi-node
deployment.
n You must know the following information to run Certificate Manager with this option.
n Host name or IP address of the Platform Services Controller if you are running on a vCenter
Server system with an external Platform Services Controller.
Procedure
See the VMware knowledge base article at http://kb.vmware.com/kb/2112281 for more information.
One option is to replace only the machine SSL certificate, and to use the solution user certificates that are
provisioned by VMCA. Solution user certificates are used only for communication between vSphere
components.
When you use custom certificates, you replace the VMCA-signed certificates with custom certificates. You
can use the vSphere Client, the vSphere Certificate Manager utility, or CLIs for manual certificate
replacement. Certificates are stored in VECS.
To replace all certificates with custom certificates, you have to run Certificate Manager several times. The
workflow gives the complete set of steps for replacing both machine SSL certificates and solution user
certificates. It explains what to do in environments with embedded Platform Services Controller or
external Platform Services Controller.
1 You generate certificate signing requests for the machine SSL certificate and the solution user
certificates separately on each machine.
a To generate CSRs for the machine SSL certificate, you select Option 1.
b If company policy does not allow a hybrid deployment, you select Option 5.
2 After you received the signed certificates and the root certificate from your CA, you replace the
machine SSL certificate on each machine by using Option 1.
3 If you also want to replace the solution user certificates, you select Option 5.
4 Finally, in a multi-node deployment, you have to repeat the process on each node.
Procedure
1 Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs) that you
can then use with your enterprise CA or send to an external certificate authority. You can use the
certificates with the different supported certificate replacement processes.
You can run the Certificate Manager tool from the command line as follows:
Windows
C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
Linux
/usr/lib/vmware-vmca/bin/certificate-manager
Prerequisites
vSphere Certificate Manager prompts you for information. The prompts depend on your environment and
on the type of certificate you want to replace.
n For any CSR generation, you are prompted for the password of the [email protected]
user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
n If you are generating a CSR in an environment with an external Platform Services Controller, you are
prompted for the host name or IP address of the Platform Services Controller.
n To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which
are stored in the certool.cfg file. For most fields, you can accept the default or provide site-specific
values. The FQDN of the machine is required.
Procedure
1 On each machine in your environment, start vSphere Certificate Manager and select option 1.
2 Supply the password and the Platform Services Controller IP address or host name if prompted.
3 Select option 1 to generate the CSR, answer the prompts and exit Certificate Manager.
As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.
4 If you also want to replace all solution user certificates, restart Certificate Manager.
5 Select option 5.
6 Supply the password and the Platform Services Controller IP address or host name if prompted.
7 Select option 1 to generate the CSRs, answer the prompts and exit Certificate Manager.
As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.
On each Platform Services Controller node, Certificate Manager generates one certificate and key
pair. On each vCenter Server node, Certificate Manager generates four certificate and key pairs.
What to do next
Prerequisites
Before you start, you need a CSR for each machine in your environment. You can generate the CSR
using vSphere Certificate Manager or explicitly.
1 To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests
with vSphere Certificate Manager (Custom Certificates).
2 To generate the CSR explicitly, request a certificate for each machine from your third-party or
enterprise CA. The certificate must meet the following requirements:
n CRT format
n x509 version 3
n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Note Do not use CRL Distribution Points, Authority Information Access, or Certificate Template
Information in any custom certificates.
See also the VMware knowledge base article at http://kb.vmware.com/kb/2112014, Obtaining vSphere
certificates from a Microsoft Certificate Authority.
Procedure
n Valid signing certificate for the custom machine SSL certificate (.crt file).
n If you are running the command on a management node in a multi-node deployment, IP address
of the Platform Services Controller.
What to do next
If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-
On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode
Environments.
When you are prompted for a solution user certificate, provide the complete signing certificate chain of
the third-party CA.
-----BEGIN CERTIFICATE-----
Signing certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA intermediate certificates
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate of enterprise or external CA
-----END CERTIFICATE-----
Prerequisites
Before you start, you need a CSR for each machine in your environment. You can generate the CSR
using vSphere Certificate Manager or explicitly.
1 To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests
with vSphere Certificate Manager (Custom Certificates).
2 Request a certificate for each solution user on each node from your third-party or enterprise CA. You
can generate the CSR using vSphere Certificate Manager or prepare it yourself. The CSR must meet
the following requirements:
n CRT format
n x509 version 3
n Each solution user certificate must have a different Subject. Consider, for example, including the
solution user name (such as vpxd) or other unique identifier.
n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
See also the VMware knowledge base article at http://kb.vmware.com/kb/2112014, Obtaining vSphere
certificates from a Microsoft Certificate Authority.
Procedure
n If you run vSphere Certificate Manager on a Platform Services Controller node, you are prompted
for the certificate and key (vpxd.crt and vpxd.key) for the machine solution user.
n If you run vSphere Certificate Manager on a management node or an embedded deployment, you
are prompted for the full set of certificates and keys (vpxd.crt and vpxd.key) for all solution
users.
What to do next
If you are upgrading from a vSphere 5.x environment, you might have to replace the vCenter Single Sign-
On certificate inside vmdir. See Replace the VMware Directory Service Certificate in Mixed Mode
Environments.
Note The revert operation restores what is currently in the BACKUP_STORE. If you run vSphere
Certificate Manager with two different options and you then attempt to revert, only the last operation is
reverted.
When you use this option, you overwrite all custom certificates that are currently in VECS.
n On a Platform Services Controller node, vSphere Certificate Manager can regenerate the root
certificate and replace the machine SSL certificate and the machine solution user certificate.
n On a management node, vSphere Certificate Manager can replace the machine SSL certificate and
all solution user certificates.
You have to stop and start services as part of the certificate replacement process.
n If your environment uses an embedded Platform Services Controller, you start and stop all services,
as discussed in this document.
n If your environment uses an external Platform Services Controller, you do not have to stop and start
VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server
node. Those services run on the Platform Services Controller.
n Do not stop services to generate new public/private key pairs or new certificates.
n If you are the only administrator, you do not have to stop services when you add a new root
certificate. The old root certificate remains available, and all services can still authenticate with that
certificate. Stop and immediately restart all services after you add the root certificate to avoid
problems with your hosts.
n If your environment includes multiple administrators, stop services before you add a new root
certificate and restart services after you add a new certificate.
Use the vSphere Certificate Manager utility to replace certificates for most cases.
If you need fine-grained control, this scenario gives detailed step-by-step instructions for replacing the
complete set of certificates using CLI commands. You can instead replace only individual certificates
using the procedure in the corresponding task.
Prerequisites
Only [email protected] or other users in the CAAdmins group can perform certificate
management tasks. See Add Members to a vCenter Single Sign-On Group.
Procedure
In a multi-node deployment, you run root certificate generation commands on the Platform Services
Controller.
Procedure
The command generates the certificate, adds it to vmdir, and adds it to VECS.
3 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
The command updates all instances of vmdir immediately. If you don't run the command, propagation
of the new certificate to all nodes might take a while.
1 (Optional) List the VMCA root certificate to make sure it is in the certificate store.
output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cf:2d:ff:49:88:50:e5:af
...
2 (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there
with the output from Step 1.
This command works on both Platform Services Controller nodes and management nodes because
VECS polls vmdir.
In the simplest case with only one root certificate, the output looks like this:
3 Generate a new VMCA root certificate. The command adds the certificate to the TRUSTED_ROOTS
store in VECS and in vmdir (VMware Directory Service).
On Windows, --config is optional because the command uses the default certool.cfg file.
Each machine must have a machine SSL certificate for secure communication with other services. In a
multi-node deployment, you must run the Machine SSL certificate generation commands on each node.
Use the --server parameter to point to the Platform Services Controller from a vCenter Server with
external Platform Services Controller.
Prerequisites
Be prepared to stop all services and to start the services that handle certificate propagation and storage.
Procedure
1 Make one copy of certool.cfg for each machine that needs a new certificate.
OS Path
Linux /usr/lib/vmware-vmca/share/config/
2 Edit the custom configuration file for each machine to include that machine's FDQN.
Run NSLookup against the machine’s IP address to see the DNS listing of the name, and use that
name for the Hostname field in the file.
3 Generate a public/private key file pair and a certificate for each file, passing in the configuration file
that you just customized.
For example:
4 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
All machines need the new certificate in the local certificate store to communicate over SSL. You first
delete the existing entry, then add the new entry.
Country = US
Name = vmca-<PSC-FQDN-example>
Organization = <my_company>
OrgUnit = <my_company Engineering>
State = <my_state>
Locality = <mytown>
Hostname = <FQDN>
2 Generate a key pair for the machine SSL certificate. Run this command on each management node
and Platform Services Controller node; it does not require a --server option.
The ssl-key.priv and ssl-key.pub files are created in the current directory.
3 Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the
VMCA root certificate with custom certificate, VMCA signs all certificates with the full chain.
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
5 Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store
and --alias values have to exactly match with the default names.
n On the Platform Services Controller, run the following command to update the Machine SSL
certificate in the MACHINE_SSL_CERT store.
n On each management node or embedded deployment, run the following command to update the
Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for
each machine separately because each has a different FQDN.
What to do next
You can also replace the certificates for your ESXi hosts. See the vSphere Security publication.
After replacing the root certificate in a multi-node deployment, you must restart services on all vCenter
Server with external Platform Services Controller nodes.
Many VMware customers do not replace solution user certificates. They replace only the machine SSL
certificates with custom certificates. This hybrid approach satisfies the requirements of their security
teams.
You replace the machine solution user certificate on each management node and on each Platform
Services Controller node. You replace the other solution user certificates only on each management
node. Use the --server parameter to point to the Platform Services Controller when you run commands
on a management node with an external Platform Services Controller.
Note When you list solution user certificates in large deployments, the output of dir-cli list includes
all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find
the local machine ID for each host. Each solution user name includes the machine ID.
Prerequisites
Be prepared to stop all services and to start the services that handle certificate propagation and storage.
Procedure
1 Make one copy of certool.cfg, remove the Name, IP address, DNS name, and email fields, and
rename the file, for example, to sol_usr.cfg.
You can name the certificates from the command line as part of generation. The other information is
not needed for solution users. If you leave the default information, the certificates that are generated
are potentially confusing.
2 Generate a public/private key file pair and a certificate for each solution user, passing in the
configuration file that you just customized.
For example:
You can use the unique ID that is returned when you replace the certificates. The input and output
might look as follows.
When you list solution user certificates in multi-node deployments, the output of dir-cli list includes
all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to
find the local machine ID for each host. Each solution user name includes the machine ID.
4 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
5 For each solution user, replace the existing certificate in vmdir and then in VECS.
The following example shows how to replace the certificates for the vpxd service.
Note Solution users cannot authenticate to vCenter Single Sign-On if you do not replace the
certificate in vmdir.
a Generate a key pair for the machine solution user of an embedded deployment or for the machine
solution user of the Platform Services Controller.
b (Optional) For deployments with an external Platform Services Controller, generate a key pair for
the machine solution user on each management node.
c Generate a key pair for the vpxd solution user on each management node.
d Generate a key pair for the vpxd-extension solution user on each management node.
e Generate a key pair for the vsphere-webclient solution user on each management node.
2 Generate solution user certificates that are signed by the new VMCA root certificate for the machine
solution user on each Platform Services Controller and each management node and for each
additional solution user (vpxd, vpxd-extension, vsphere-webclient) on each management node.
Note The --Name parameter has to be unique. Including the name of the solution user store name
makes it easy to see which certificate maps to which solution user. The example includes the name,
for example vpxd or vpxd-extension in each case.
a Run the following command on the Platform Services Controller node to generate a solution user
certificate for the machine solution user on that node.
b Generate a certificate for the machine solution user on each management node.
c Generate a certificate for the vpxd solution user on each management node.
d Generate a certificate for the vpxd-extensions solution user on each management node.
e Generate a certificate for the vsphere-webclient solution user on each management node by
running the following command.
3 Replace the solution user certificates in VECS with the new solution user certificates.
Note The --store and --alias parameters have to exactly match the default names for services.
a On the Platform Services Controller node, run the following command to replace the machine
solution user certificate:
4 Update VMware Directory Service (vmdir) with the new solution user certificates. You are prompted
for a vCenter Single Sign-On administrator password.
a Run dir-cli service list to get the unique service ID suffix for each solution user. You can
run this command on a Platform Services Controller or a vCenter Server system.
Note When you list solution user certificates in large deployments, the output of dir-cli list
includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name
localhost to find the local machine ID for each host. Each solution user name includes the
machine ID.
b Replace the machine certificate in vmdir on the Platform Services Controller. For example, if
machine-29a45d00-60a7-11e4-96ff-00505689639a is the machine solution user on the Platform
Services Controller, run this command:
c Replace the machine certificate in vmdir on each management node. For example, if
machine-6fd7f140-60a9-11e4-9e28-005056895a69 is the machine solution user on the vCenter
Server, run this command:
d Replace the vpxd solution user certificate in vmdir on each management node. For example, if
vpxd-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd solution user ID, run this command:
e Replace the vpxd-extension solution user certificate in vmdir on each management node. For
example, if vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd-extension
solution user ID, run this command:
f Replace the vsphere-webclient solution user certificate on each management node. For example,
if vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 is the vsphere-webclient solution
user ID, run this command:
What to do next
Restart all services on each Platform Services Controller node and each management node.
The VMware Directory Service SSL certificate is used by vmdir to perform handshakes between Platform
Services Controller nodes that perform vCenter Single Sign-On replication.
These steps are not required for a mixed mode environment that includes vSphere 6.0 and vSphere 6.5
nodes. These steps are required only if:
n Your environment includes both vCenter Single Sign-On 5.5 and vCenter Single Sign-On 6.x services.
n The vCenter Single Sign-On services are set up to replicate vmdir data.
n You plan to replace the default VMCA-signed certificates with custom certificates for the node on
which the vCenter Single Sign-On 6.x service runs.
Note Upgrading the complete environment before restarting the services is best practice. Replacing the
VMware Directory Service certificate is not usually recommended.
Procedure
1 On the node on which the vCenter Single Sign-On 5.5 service runs, set up the environment so the
vCenter Single Sign-On 6.x service is known.
b Make a copy of the vmdircert.pem file on the 6.x node, and rename it to
<sso_node2.domain.com>.pem, where <sso_node2.domain.com> is the FQDN of the 6.x node.
2 Restart the VMware Directory Service on all machines where you replaced certificates.
You can restart the service from the vSphere Client or use the service-control command.
Procedure
You can use the Certificate Manager utility or other tool to generate the CSR. The CSR must meet the
following requirements:
n PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they
are converted to PKCS8.
n x509 version 3
n If you are using custom certificates, the CA extension must be set to true for root certificates, and cert
sign must be in the list of requirements.
n No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10
certificates.
n Certificates with wildcards or with more than one DNS name are not supported.
VMCA validates the following certificate attributes when you replace the root certificate:
Procedure
2 Prepare a certificate file that includes the signed VMCA certificate and the full CA chain of your third-
party CA or enterprise CA. Save the file, for example as rootca1.crt.
You can accomplish this step by copying all CA certificates in PEM format into a single file. You start
with the VMCA root certificate and end up with the root CA PEM certificate. For example:
-----BEGIN CERTIFICATE-----
<Certificate of VMCA>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Certificate of intermediary CA>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Certificate of Root CA>
-----END CERTIFICATE-----
3 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
n Adds the new custom root certificate to the certificate location in the file system.
n Appends the custom root certificate to the TRUSTED_ROOTS store in VECS (after a delay).
5 (Optional) To propagate the change to all instances of vmdir (VMware Directory Service), publish the
new root certificate to vmdir, supplying the full file path for each file.
For example:
Replication between vmdir nodes happens every 30 seconds. You do not have to add the root
certificate to VECS explicitly because VECS polls vmdir for new root certificate files every 5 minutes.
vecs-cli force-refresh
n Adds the new custom root certificate to the certificate location in the file system.
What to do next
You can remove the original VMCA root certificate from the certificate store if your company policy
requires it. If you do, you have to replace the vCenter Single Sign-On Signing certificate. See Refresh the
Security Token Service Certificate.
These steps are essentially the same as the steps for replacing with a certificate that uses VMCA as the
certificate authority. However, in this case, VMCA signs all certificates with the full chain.
Each machine must have a machine SSL certificate for secure communication with other services. In a
multi-node deployment, you must run the Machine SSL certificate generation commands on each node.
Use the --server parameter to point to the Platform Services Controller from a vCenter Server with
external Platform Services Controller.
Prerequisites
For each machine SSL certificate, the SubjectAltName must contain DNS Name=<Machine FQDN>.
Procedure
1 Make one copy of certool.cfg for each machine that needs a new certificate.
Linux /usr/lib/vmware-vmca/share/config/
2 Edit the custom configuration file for each machine to include that machine's FDQN.
Run NSLookup against the machine’s IP address to see the DNS listing of the name, and use that
name for the Hostname field in the file.
3 Generate a public/private key file pair and a certificate for each machine, passing in the configuration
file that you just customized.
For example:
4 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
All machines need the new certificate in the local certificate store to communicate over SSL. You first
delete the existing entry, then add the new entry.
Country = US
Name = vmca-<PSC-FQDN-example>
Organization = VMware
OrgUnit = VMware Engineering
State = California
Locality = Palo Alto
Hostname = <FQDN>
2 Generate a key pair for the machine SSL certificate. Run this command on each management node
and Platform Services Controller node; it does not require a --server option.
The ssl-key.priv and ssl-key.pub files are created in the current directory.
3 Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the
VMCA root certificate with custom certificate, VMCA signs all certificates with the full chain.
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
5 Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store
and --alias values have to exactly match with the default names.
n On the Platform Services Controller, run the following command to update the Machine SSL
certificate in the MACHINE_SSL_CERT store.
n On each management node or embedded deployment, run the following command to update the
Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for
each machine separately because each has a different FQDN.
Many VMware customers do not replace solution user certificates. They replace only the machine SSL
certificates with custom certificates. This hybrid approach satisfies the requirements of their security
teams.
You replace the machine solution user certificate on each management node and on each Platform
Services Controller node. You replace the other solution user certificates only on each management
node. Use the --server parameter to point to the Platform Services Controller when you run commands
on a management node with an external Platform Services Controller.
Note When you list solution user certificates in large deployments, the output of dir-cli list includes
all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find
the local machine ID for each host. Each solution user name includes the machine ID.
Prerequisites
Each solution user certificate must have a different Subject. Consider, for example, including the solution
user name (such as vpxd) or other unique identifier.
Procedure
1 Make one copy of certool.cfg, remove the Name, IP address, DNS name, and email fields, and
rename the file, for example, to sol_usr.cfg.
You can name the certificates from the command line as part of generation. The other information is
not needed for solution users. If you leave the default information, the certificates that are generated
are potentially confusing.
2 Generate a public/private key file pair and a certificate for each solution user, passing in the
configuration file that you just customized.
For example:
You can use the unique ID that is returned when you replace the certificates. The input and output
might look as follows.
When you list solution user certificates in multi-node deployments, the output of dir-cli list includes
all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to
find the local machine ID for each host. Each solution user name includes the machine ID.
4 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
For solution users, you must add the certificates in that order. For example:
Note Solution users cannot log in to vCenter Single Sign-On if you don't replace the certificate in
vmdir.
a Generate a key pair for the machine solution user of an embedded deployment or for the machine
solution user of the Platform Services Controller.
b (Optional) For deployments with an external Platform Services Controller, generate a key pair for
the machine solution user on each management node.
c Generate a key pair for the vpxd solution user on each management node.
d Generate a key pair for the vpxd-extension solution user on each management node.
e Generate a key pair for the vsphere-webclient solution user on each management node.
2 Generate solution user certificates that are signed by the new VMCA root certificate for the machine
solution user on each Platform Services Controller and each management node and for each
additional solution user (vpxd, vpxd-extension, vsphere-webclient) on each management node.
Note The --Name parameter has to be unique. Including the name of the solution user store name
makes it easy to see which certificate maps to which solution user. The example includes the name,
for example vpxd or vpxd-extension in each case.
a Run the following command on the Platform Services Controller node to generate a solution user
certificate for the machine solution user on that node.
b Generate a certificate for the machine solution user on each management node.
c Generate a certificate for the vpxd solution user on each management node.
d Generate a certificate for the vpxd-extensions solution user on each management node.
e Generate a certificate for the vsphere-webclient solution user on each management node by
running the following command.
3 Replace the solution user certificates in VECS with the new solution user certificates.
Note The --store and --alias parameters have to exactly match the default names for services.
a On the Platform Services Controller node, run the following command to replace the machine
solution user certificate:
4 Update VMware Directory Service (vmdir) with the new solution user certificates. You are prompted
for a vCenter Single Sign-On administrator password.
a Run dir-cli service list to get the unique service ID suffix for each solution user. You can
run this command on a Platform Services Controller or a vCenter Server system.
Note When you list solution user certificates in large deployments, the output of dir-cli list
includes all solution users from all nodes. Run vmafd-cli get-machine-id --server-name
localhost to find the local machine ID for each host. Each solution user name includes the
machine ID.
b Replace the machine certificate in vmdir on the Platform Services Controller. For example, if
machine-29a45d00-60a7-11e4-96ff-00505689639a is the machine solution user on the Platform
Services Controller, run this command:
c Replace the machine certificate in vmdir on each management node. For example, if
machine-6fd7f140-60a9-11e4-9e28-005056895a69 is the machine solution user on the vCenter
Server, run this command:
d Replace the vpxd solution user certificate in vmdir on each management node. For example, if
vpxd-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd solution user ID, run this command:
e Replace the vpxd-extension solution user certificate in vmdir on each management node. For
example, if vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd-extension
solution user ID, run this command:
f Replace the vsphere-webclient solution user certificate on each management node. For example,
if vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 is the vsphere-webclient solution
user ID, run this command:
The VMware Directory Service SSL certificate is used by vmdir to perform handshakes between Platform
Services Controller nodes that perform vCenter Single Sign-On replication.
These steps are not required for a mixed mode environment that includes vSphere 6.0 and vSphere 6.5
nodes. These steps are required only if:
n Your environment includes both vCenter Single Sign-On 5.5 and vCenter Single Sign-On 6.x services.
n The vCenter Single Sign-On services are set up to replicate vmdir data.
n You plan to replace the default VMCA-signed certificates with custom certificates for the node on
which the vCenter Single Sign-On 6.x service runs.
Note Upgrading the complete environment before restarting the services is best practice. Replacing the
VMware Directory Service certificate is not usually recommended.
Procedure
1 On the node on which the vCenter Single Sign-On 5.5 service runs, set up the environment so the
vCenter Single Sign-On 6.x service is known.
b Make a copy of the vmdircert.pem file on the 6.x node, and rename it to
<sso_node2.domain.com>.pem, where <sso_node2.domain.com> is the FQDN of the 6.x node.
2 Restart the VMware Directory Service on all machines where you replaced certificates.
You can restart the service from the vSphere Client or use the service-control command.
You can replace all certificates or use a hybrid solution. For example, consider replacing all certificates
that are used for network traffic but leaving VMCA-signed solution user certificates. Solution user
certificates are used only for authentication to vCenter Single Sign-On.
Note If you do not want to use VMCA, you are responsible for replacing all certificates yourself, for
provisioning new components with certificates, and for keeping track of certificate expiration.
Even if you decide to use custom certificates, you can still use the VMware Certificate Manager utility for
certificate replacement. See Replace All Certificates with Custom Certificate (Certificate Manager).
If you encounter problems with vSphere Auto Deploy after replacing certificates, see the VMware
knowledge base article at http://kb.vmware.com/kb/2000988.
Procedure
Prerequisites
n PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they
are converted to PKCS8.
n x509 version 3
n For root certificates, the CA extension must be set to true, and the cert sign must be in the list of
requirements.
n CRT format
n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
n CN (and SubjectAltName) set to the host name (or IP address) that the ESXi host has in the vCenter
Server inventory.
Procedure
1 Send CSRs for the following certificates to your enterprise or third-party certificate provider.
n A machine SSL certificate for each machine. For the machine SSL certificate, the
SubjectAltName field must contain the fully qualified domain name (DNS
NAME=machine_FQDN).
n Optionally, four solution user certificates for each embedded system or management node.
Solution user certificates should not include IP address, host name, or email address. Each
certificate must have a different certificate Subject.
n Optionally, a machine solution user certificate for external Platform Services Controller instances.
This certificate differs from the machine SSL certificate for the Platform Services Controller.
Typically, the result is a PEM file for the trusted chain, plus the signed SSL certificates for each
Platform Services Controller or management node.
a Ensure that the current root certificate and all machine SSL certificates are signed by VMCA.
c (Optional) With a Web browser, open an HTTPS connection to a node where the certificate will be
replaced, check the certificate information, and ensure that it matches the machine SSL
certificate.
3 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
If you do not specify a user name and password on the command line, you are prompted.
What to do next
You can remove the original VMCA root certificate from the certificate store if company policy requires it.
If you do, you have to refresh the vCenter Single Sign-On certificate. See Refresh the Security Token
Service Certificate.
Each machine must have a machine SSL certificate for secure communication with other services. In a
multi-node deployment, you must run the Machine SSL certificate generation commands on each node.
Use the --server parameter to point to the Platform Services Controller from a vCenter Server with
external Platform Services Controller.
You must have the following information before you can start replacing the certificates:
n If you are running the command on a vCenter Server with external Platform Services Controller in a
multi-node deployment, IP address of the Platform Services Controller.
Prerequisites
You must have received a certificate for each machine from your third-party or enterprise CA.
n CRT format
n x509 version 3
n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Procedure
1 Stop all services and start the services that handle certificate creation, propagation, and storage.
The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and
start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter
Server node. Those services run on the Platform Services Controller.
2 Log in to each node and add the new machine certificates that you received from the CA to VECS.
All machines need the new certificate in the local certificate store to communicate over SSL.
Many VMware customers do not replace solution user certificates. They replace only the machine SSL
certificates with custom certificates. This hybrid approach satisfies the requirements of their security
teams.
Solution users use certificates only to authenticate to vCenter Single Sign-On. If the certificate is valid,
vCenter Single Sign-On assigns a SAML token to the solution user, and the solution user uses the SAML
token to authenticate to other vCenter components.
You replace the machine solution user certificate on each management node and on each Platform
Services Controller node. You replace the other solution user certificates only on each management
node. Use the --server parameter to point to the Platform Services Controller when you run commands
on a management node with an external Platform Services Controller.
Note When you list solution user certificates in large deployments, the output of dir-cli list includes
all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to find
the local machine ID for each host. Each solution user name includes the machine ID.
Prerequisites
n CRT format
n x509 version 3
n Each solution user certificate must have a different Subject. Consider, for example, including the
solution user name (such as vpxd) or other unique identifier.
n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Procedure
1 Stop all services and start the services that handle certificate creation, propagation, and storage.
You can use the unique ID that is returned when you replace the certificates. The input and output
might look as follows.
When you list solution user certificates in multi-node deployments, the output of dir-cli list includes
all solution users from all nodes. Run vmafd-cli get-machine-id --server-name localhost to
find the local machine ID for each host. Each solution user name includes the machine ID.
3 For each solution user, replace the existing certificate in VECS and then in vmdir.
Note Solution users cannot authenticate to vCenter Single Sign-On if you do not replace the
certificate in vmdir.
The VMware Directory Service SSL certificate is used by vmdir to perform handshakes between Platform
Services Controller nodes that perform vCenter Single Sign-On replication.
These steps are not required for a mixed mode environment that includes vSphere 6.0 and vSphere 6.5
nodes. These steps are required only if:
n Your environment includes both vCenter Single Sign-On 5.5 and vCenter Single Sign-On 6.x services.
n The vCenter Single Sign-On services are set up to replicate vmdir data.
n You plan to replace the default VMCA-signed certificates with custom certificates for the node on
which the vCenter Single Sign-On 6.x service runs.
Note Upgrading the complete environment before restarting the services is best practice. Replacing the
VMware Directory Service certificate is not usually recommended.
Procedure
1 On the node on which the vCenter Single Sign-On 5.5 service runs, set up the environment so the
vCenter Single Sign-On 6.x service is known.
b Make a copy of the vmdircert.pem file on the 6.x node, and rename it to
<sso_node2.domain.com>.pem, where <sso_node2.domain.com> is the FQDN of the 6.x node.
2 Restart the VMware Directory Service on all machines where you replaced certificates.
You can restart the service from the vSphere Client or use the service-control command.
You normally access the CLI tools for managing certificates and associated services by using SSH to
connect to the appliance shell. See the VMware knowledge base article at http://kb.vmware.com/kb/
2100508 for more information.
Manual Certificate Replacement gives examples for replacing certificates using CLI commands.
Table 4-1. CLI Tools for Managing Certificates and Associated Services
CLI Description See
certool Generate and manage certificates and certool Initialization Commands Reference
keys. Part of VMCAD, the VMware
Certificate Management service.
service-control Start or stop services, for example as Run this command to stop services before
part of a certificate replacement running other CLI commands.
workflow.
CLI Locations
By default, you find the CLIs in the following locations on each node.
Linux /usr/lib/vmware-vmafd/bin/vecs-cli
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
/opt/vmware/bin
On Linux, the service-control command does not require that you
specify the path.
If you run commands from a vCenter Server system with an external Platform Services Controller, you
can specify the Platform Services Controller with the --server parameter.
dir-cli You must be a member of the Administrators group in the local domain
(vsphere.local by default) to run dir-cli commands. If you do not specify
a user name and password, you are prompted for the password for the
administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
vecs-cli Initially, only the store owner and users with blanket access privileges have
access to a store. Users in the Administrators group on Windows and root
users on Linux have blanket access privileges.
certool Most of the certool commands require that the user is in the
Administrators group. All users can run the following commands.
n genselfcacert
n initscr
n getdc
n waitVMDIR
n waitVMCA
n genkey
n viewcert
OS Location
Linux /usr/lib/vmware-vmca/share/config/
The file has several fields with the following default values:
Country = US
Name= Acme
Organization = AcmeOrg
OrgUnit = AcmeOrg Engineering
State = California
Locality = Palo Alto
IPAddress = 127.0.0.1
Email = [email protected]
Hostname = server.acme.com
You can change the values by specifying a modified file on the command line, or by overriding individual
values on the command line, as follows.
n Create a copy of the configuration file and edit the file. Use the --config command-line option to
specify the file. Specify the full path to avoid path name issues.
n Override individual values on the command line. For example, to override Locality, run this command:
Specify --Name to replace the CN field of the Subject name of the certificate.
n For solution user certificates, the name is <sol_user name>@<domain> by convention, but you can
change the name if a different convention is used in your environment.
VMCA allows only one DNSName (in the Hostname field) and no other Alias options. If the IP address
is specified by the user, it is stored in SubAltName as well.
In many cases, you pass a configuration file in to a certool command. See Changing the certool
Configuration Options. See Replace Existing VMCA-Signed Certificates With New VMCA-Signed
Certificates for some usage examples. The command-line help provides details about the options.
certool --initcsr
Generates a Certificate Signing Request (CSR). The command generates a PKCS10 file and a private
key.
Option Description
--csrfile <csr_file> File name for the CSR file to be sent to the CA provider.
Example:
certool --selfca
Creates a self-signed certificate and provisions the VMCA server with a self-signed root CA. Using this
option is one of the simplest ways to provision the VMCA server. You can instead provision the VMCA
server with a third-party root certificate so that VMCA is an intermediate CA. See Use VMCA as an
Intermediate Certificate Authority.
This command generates a certificate that is predated by three days to avoid time zone conflicts.
Option Description
--predate <number_of_minutes> Allows you to set the Valid Not Before field of the root certificate
to the specified number of minutes before the current time. This
option can be helpful to account for potential time zone issues.
The maximum is three days.
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --rootca
Imports a root certificate. Adds the specified certificate and private key to VMCA. VMCA always uses the
most recent root certificate for signing, but other root certificates remain trusted until you manually delete
them. That means you can update your infrastructure one step at a time, and finally delete certificates
that you no longer use.
Option Description
--privkey <key_file> Name of the private key file. This file must be in PEM encoded
format.
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --getdc
Returns the default domain name that is used by vmdir.
Option Description
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --getdc
certool --waitVMDIR
Wait until the VMware Directory Service is running or until the timeout specified by --wait has elapsed.
Use this option in conjunction with other options to schedule certain tasks, for example returning the
default domain name.
Option Description
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --waitVMCA
Wait until the VMCA service is running or until the specified timeout has elapsed. Use this option in
conjunction with other options to schedule certain tasks, for example, generating a certificate.
Option Description
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --publish-roots
Forces an update of root certificates. This command requires administrative privileges.
Option Description
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --publish-roots
certool --genkey
Generates a private and public key pair. Those files can then be used to generate a certificate that is
signed by VMCA.
Option Description
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --gencert
Generates a certificate from the VMCA server. This command uses the information in certool.cfg or in
the specified configuration file. You can use the certificate to provision machine certificates or solution
user certificates.
Option Description
--cert <certfile> Name of the certificate file. This file must be in PEM encoded
format.
--privkey <keyfile> Name of the private key file. This file must be in PEM encoded
format.
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --getrootca
Prints the current root CA certificate in human-readable form. If you are running this command from a
management node, use the machine name of the Platform Services Controller node to retrieve the root
CA. This output is not usable as a certificate, it is changed to be human readable.
Option Description
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --viewcert
Print all the fields in a certificate in human-readable form.
Option Description
Example:
certool --enumcert
List all certificates that the VMCA server knows about. The required filter option lets you list all
certificates or only revoked, active, or expired certificates.
Option Description
--filter [all | active] Required filter. Specify all or active. The revoked and expired
options are not currently supported.
Example:
certool --status
Sends a specified certificate to the VMCA server to check whether the certificate has been revoked.
Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.
Option Description
--server <server> Optional name of the VMCA server. By default, the command
uses localhost.
Example:
certool --genselfcacert
Generates a self-signed certificate based on the values in the configuration file. This command generates
a certificate that is predated by three days to avoid time zone conflicts.
Option Description
--outcert <cert_file> Name of the certificate file. This file must be in PEM encoded
format.
--outprivkey <key_file> Name of the private key file. This file must be in PEM encoded
format.
Example:
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Example:
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Example:
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Machine SSL store (MACHINE_SSL_CERT) n Used by the reverse proxy service on every vSphere node.
n Used by the VMware Directory Service (vmdir) on
embedded deployments and on each Platform Services
Controller node.
All services in vSphere 6.0 and later communicate through a
reverse proxy, which uses the machine SSL certificate. For
backward compatibility, the 5.x services still use specific ports.
As a result, some services such as vpxd still have their own port
open.
Solution user stores VECS includes one store for each solution user. The subject of
n machine each solution user certificate must be unique, for example, the
machine certificate cannot have the same subject as the vpxd
n vpxd
certificate.
n vpxd-extension
Solution user certificates are used for authentication with
n vsphere-webclient
vCenter Single Sign-On. vCenter Single Sign-On checks that the
certificate is valid, but does not check other certificate attributes.
In an embedded deployment, all solution user certificates are on
the same system.
The following solution user certificate stores are included in
VECS on each management node and each embedded
deployment:
n machine: Used by the license server and the logging service.
vSphere Certificate Manager Utility backup store Used by VMCA (VMware Certificate Manager) to support
(BACKUP_STORE) certificate revert. Only the most recent state is stored as a
backup, you cannot go back more than one step.
Other stores Other stores might be added by solutions. For example, the
Virtual Volumes solution adds an SMS store. Do not modify the
certificates in those stores unless VMware documentation or a
VMware Knowledge Base article instructs you to do so.
Example:
The owner of the store can perform all operations, including granting and revoking permissions. The
administrator of the local vCenter Single Sign-On domain, [email protected] by default, has all
privileges on all stores, including granting and revoking permissions.
You can use vecs-cli get-permissions --name <store-name> to retrieve the current settings for the
store.
Option Description
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Option Description
--alias <Alias> Optional alias for the certificate. This option is ignored for the
trusted root store.
--key <key-file-path> Full path of the key that corresponds to the certificate.
Optional.
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Option Description
Option Description
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
Option Description
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
vecs-cli force-refresh
Forces a refresh of VECS. By default, VECS polls vmdir for new root certificate files every 5 minutes. Use
this command for an immediate update of VECS from vmdir.
Option Description
--server <server-name> Used to specify a server name if you connect to a remote VECS
instance.
--upn <user-name> User Principle Name that is used to log in to the server instance
specified by --server <server-name> . When you create a
store, it is created in the context of the current user. Therefore,
the owner of the store is the current user context and not always
the root user.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
--server <psc_ip_or_fqdn> Use this option if you do not want to target the affinitized
Platform Services Controller. Specify the IP address or FQDN of
the Platform Services Controller;
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
--live-dc-hostname <server name> Current name of the Platform Services Controller instance.
Option Description
--cert <cert file> Path to the certificate file. This can be a certificate signed by
VMCA or a third-party certificate.
--ssogroups <comma-separated-groupnames> Makes the solution user a member of the specified groups.
--wstrustrole <ActAsUser> Makes the solution user a member of the built-in administrators
or users group. In other words, determines whether the solution
user has administrative privileges.
--ssoadminrole <Administrator/User> Makes the solution user a member of the ActAsUser group. The
ActAsUser role enables users to act on behalf of other users.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--password-never-expires Set this option to true if you are creating a user account for
automated tasks that have to authenticate to Platform Services
Controller, and you want to ensure that the tasks do not stop
running because of password expiration.
Use this option with care.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--name <name> Optional name of the group in vmdir. This option allows you to
check whether a specific group exists.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Use this command if you want to create groups to manage user permissions for the vCenter Single Sign-
On domain. For example, if you create a group and then add it to the Administrators group of the vCenter
Single Sign-On domain, then all users that you add to that group have administrator permissions for the
domain.
It is also possible to give permissions to vCenter inventory objects to groups in the vCenter Single Sign-
On domain. See the vSphere Security documentation.
Option Description
--name <name> Name of the group in vmdir. Maximum length is 487 characters.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--outcrl <path> Path to write the CRL file to. Not currently used.
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
--login <admin_user_id> The administrator of the local vCenter Single Sign-On domain,
[email protected] by default.
--password <admin_password> Password of the administrator user. If you do not specify the
password, you are prompted.
Option Description
Problem
vCenter Server and Web Client installers show the error Could not contact Lookup Service. Please
check VM_ssoreg.log....
Cause
This problem has several causes, including unsynchronized clocks on the host machines, firewall
blocking, and services that must be started.
Solution
1 Verify that the clocks on the host machines running vCenter Single Sign-On, vCenter Server, and the
Web Client are synchronized.
The log file contains output from all installation attempts. Locate the last message that shows
Initializing registration provider...
java.net.ConnectException: The IP address is incorrect, a firewall is blocking access to vCenter Single Sign-
Connection timed out: connect On, or vCenter Single Sign-On is overloaded.
Ensure that a firewall is not blocking the vCenter Single Sign-On port (by default
7444). Ensure also that the machine on which vCenter Single Sign-On is installed
has adequate free CPU, I/O, and RAM capacity.
java.net.ConnectException: The IP address or FQDN is incorrect and the vCenter Single Sign-On service has
Connection refused: connect not started or has started within the past minute.
Verify that vCenter Single Sign-On is working by checking the status of vCenter
Single Sign-On service (Windows) and vmware-sso daemon (Linux).
Restart the service. If restarting does not correct the problem, see the recovery
section of the vSphere Troubleshooting Guide.
Unexpected status code: 404. SSO Restart vCenter Single Sign-On. If restarting does not correct the problem, see the
Server failed during initialization Recovery section of the vSphere Troubleshooting Guide.
The error shown in the UI begins with You also see the return code SslHandshakeFailed. This error indicates that the
Could not connect to vCenter Single provided IP address or FQDN that resolves to vCenter Single Sign-On host was
Sign-On not the address used when you installed vCenter Single Sign-On.
In %TEMP%\VM_ssoreg.log, find the line that contains the following message.
host name in certificate did not match: <install-configured FQDN or IP> !
= <A> or <B> or <C> where A was the FQDN you entered during the vCenter
Single Sign-On installation, and B and C are system-generated allowable
alternatives.
Correct the configuration to use the FQDN on the right of the != sign in the log file.
In most cases, use the FQDN that you specified during vCenter Single Sign-On
installation.
If none of the alternatives are possible in your network configuration, recover your
vCenter Single Sign-On SSL configuration.
Problem
You add an Active Directory identity source to vCenter Single Sign-On, but users cannot log in to vCenter
Server.
Cause
Users use their user name and password to log in to the default domain. For all other domains, users
must include the domain name (user@domain or DOMAIN\user).
If you are using the vCenter Server Appliance, other problems might exist.
Solution
For all vCenter Single Sign-On deployments, you can change the default identity source. After that
change, users can log in to the default identity source with user name and password only.
To configure your Integrated Windows Authentication identity source with a child domain within your
Active Directory forest, see the VMware knowledge base article at http://kb.vmware.com/kb/2070433. By
default, Integrated Windows Authentication uses the root domain of your Active Directory forest.
If you are using the vCenter Server Appliance, and changing the default identity source does not resolve
the issue, perform the following additional troubleshooting steps.
1 Synchronize the clocks between the vCenter Server Appliance and the Active Directory domain
controllers.
2 Verify that each domain controller has a pointer record (PTR) in the Active Directory domain DNS
service.
Verify that the PTR record information for the domain controller matches the DNS name of the
controller. When using the vCenter Server Appliance, run the following commands to perform the
task:
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
_ldap._tcp.my-ad.com. (...) my-controller.my-ad.com
...
b For each domain controller, verify forward and reverse resolution by running the following
command:
# dig my-controller.my-ad.com
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
my-controller.my-ad.com (...) IN A controller IP address
...
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
IP-in-reverse.in-addr.arpa. (...) IN PTR my-controller.my-ad.com
...
3 If that does not resolve the problem, remove the vCenter Server Appliance from the Active Directory
domain and then rejoin the domain. See the vCenter Server Appliance Configuration documentation.
4 Close all browser sessions connected to the vCenter Server Appliance and restart all services.
Problem
After several failed attempts, you cannot log in to the vSphere Client or vSphere Web Client using
vCenter Single Sign-On. You see the message that your account is locked.
Cause
Solution
u If you attempted log in as a user from the system domain (vsphere.local by default), ask your vCenter
Single Sign-On administrator to unlock your account. If the lock is set to expire in the lockout policy,
you can wait until your account is unlocked. vCenter Single Sign-On administrators can use CLI
commands to unlock your account.
u If you log in as a user from an Active Directory or LDAP domain, ask your Active Directory or LDAP
administrator to unlock your account.
Problem
In certain situations, for example, when your environment includes multiple Platform Services Controller
instances in different locations, and you make significant changes while one Platform Services Controller
is unavailable, you do not see replication across VMware Directory Service instances right away. For
example, you do not see a new user that was added to the available Platform Services Controller
instance in the other instance until replication is complete.
Cause
During normal operation, changes to a VMware Directory Service (vmdir) instance in one Platform
Services Controller instance (node) show up in its direct replication partner within about 60 seconds.
Depending on the replication topology, changes in one node might have to propagate through
intermediate nodes before they arrive at each vmdir instance in each node. Information that is replicated
includes user information, certificate information, license information for virtual machines that are created,
cloned, or migrated with VMware vMotion, and more.
When the replication link is broken, for example, because of a network outage or because a node
becomes unavailable, changes in the federation do not converge. After the unavailable node is restored,
each node tries to catch up with all changes. Eventually, all vmdir instances converge to a consistent
state but it might take a while to reach that consistent state if many changes occurred while one node was
unavailable.
Solution
Your environment functions normally while replication happens. Do not attempt to solve the problem
unless it persists for over an hour.
Prerequisites
Verify that the Platform Services Controller virtual appliance is successfully deployed and running.
Procedure
1 From a Web browser, connect to the Platform Services Controller management interface at https://
platform_services_controller_ip:5480.
4 Unless browser settings prevent an immediate download, the support bundle is saved to your local
machine.
VMware Endpoint Certificate Store (VECS) VECS service log is located in /var/log/vmware/vmafdd/
vmafdd-syslog.log.