Platform Services Controller Administration Update 1 Modified 03 NOV 2017 VMware vSphere 6.5 VMware ESXi 6.5 vCenter Server 6.
Platform Services Controller Administration You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback to docfeedback@vmware.com VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com Copyright © 2009–2017 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc.
Contents
About Platform Services Controller Administration
Updated Information
1 Getting Started with Platform Services Controller
vCenter Server and Platform Services Controller Deployment Types
Deployment Topologies with External Platform Services Controller Instances and High Availability
Understanding vSphere Domains, Domain Names, and Sites
Platform Services Controller Capabilities
Managing Platform Services Controller Services
Managing the Platform Services Controller Ap
5 Troubleshooting Platform Services Controller
Determining the Cause of a Lookup Service Error
Unable to Log In Using Active Directory Domain Authentication
vCenter Server Login Fails Because the User Account Is Locked
VMware Directory Service Replication Can Take a Long Time
About Platform Services Controller Administration
The Platform Services Controller Administration documentation explains how the VMware® Platform Services Controller™ fits into your vSphere environment and helps you perform common tasks such as certificate management and vCenter Single Sign-On configuration. Platform Services Controller Administration explains how you can set up authentication with vCenter Single Sign-On and how to manage certificates for vCenter Server and related services. Table 1.
In addition to these documents, VMware publishes a Hardening Guide for each release of vSphere, accessible at http://www.vmware.com/security/hardening-guides.html. The Hardening Guide is a spreadsheet with entries for different potential security issues. It includes items for three different risk profiles.
Intended Audience
This information is intended for administrators who want to configure Platform Services Controller and associated services.
Updated Information
This Platform Services Controller Administration documentation is updated with each release of the product or when necessary. This table provides the update history of Platform Services Controller Administration.
Revision 03 NOV 2017 (EN-002010-04):
- Clarification in Understanding Stopping and Starting of Services.
- Include steps for stopping and starting the reverse proxy on Windows in Configure the Reverse Proxy to Request Client Certificates.
Earlier revision: Initial release.
1 Getting Started with Platform Services Controller
The Platform Services Controller provides common infrastructure services to the vSphere environment. Services include licensing, certificate management, and authentication with vCenter Single Sign-On.
Table 1-1. vCenter Server and Platform Services Controller Deployment Types
Deployment type: vCenter Server with an embedded Platform Services Controller
Description: All services that are bundled with the Platform Services Controller are deployed together with the vCenter Server services on the same virtual machine or physical server.
You can configure the vCenter Server Appliance with an embedded Platform Services Controller in a vCenter High Availability configuration. For information, see vSphere Availability.
Note After you deploy or install vCenter Server with an embedded Platform Services Controller, you can reconfigure the deployment type and switch to vCenter Server with an external Platform Services Controller.
For information about the Platform Services Controller and vCenter Server maximums, see the Configuration Maximums documentation. For information about configuring the vCenter Server Appliance with an external Platform Services Controller in a vCenter High Availability configuration, see vSphere Availability.
Deployment Topologies with External Platform Services Controller Instances and High Availability
To ensure Platform Services Controller high availability in external deployments, you must install or deploy at least two joined Platform Services Controller instances in your vCenter Single Sign-On domain. When you use a third-party load balancer, you can ensure automatic failover without downtime.
Figure 1-5. Platform Services Controller with a Load Balancer
Figure 1-6. Platform Services Controller with Load Balancers Across vCenter Single Sign-On Sites
When you join two or more Platform Services Controller instances in the same site with no load balancer, you configure Platform Services Controller high availability with a manual failover for this site.
Note If your vCenter Single Sign-On domain includes three or more Platform Services Controller instances, you can manually create a ring topology. A ring topology ensures Platform Services Controller reliability when one of the instances fails.
The domain name is used by the VMware Directory Service (vmdir) for all Lightweight Directory Access Protocol (LDAP) internal structuring. With vSphere 6.0 and later, you can give your vSphere domain a unique name. To prevent authentication conflicts, use a name that is not used by OpenLDAP, Microsoft Active Directory, or any other directory service.
Note You cannot change the domain to which a Platform Services Controller or vCenter Server instance belongs.
Deployment Models
You can install Platform Services Controller on a Windows system or deploy the Platform Services Controller appliance. The deployment model depends on the version of Platform Services Controller that you are using. See vCenter Server and Platform Services Controller Deployment Types. If you install more than one external Platform Services Controller in the same site in vSphere 6.
Table 1-3. Platform Services Controller Services
Service: applmgmt
Description: Handles appliance configuration and provides public API endpoints for appliance lifecycle management. Included on the Platform Services Controller appliance.
Table 1-3. Platform Services Controller Services (continued)
Service: vmcad
Description: Provisions each VMware software component that has the vmafd client libraries, and each ESXi host, with a signed certificate that has VMCA as the root certificate authority. You can change the default certificates by using the Certificate Manager utility or the Platform Services Controller Web interface.
Manage Platform Services Controller Services From the vSphere Web Client
You can manage vCenter Single Sign-On and the Licensing service from the vSphere Web Client. Use the Platform Services Controller Web interface or CLIs instead of the vSphere Web Client to manage the following services.
Table 1-4. CLIs for Managing Certificates and Associated Services
certool: Generate and manage certificates and keys. Part of VMCA. See certool Initialization Commands Reference.
vecs-cli: Manage the contents of VMware Certificate Store instances. Part of VMAFD. See vecs-cli Command Reference.
dir-cli: Create and update certificates in VMware Directory Service. Part of VMAFD.
Managing the Platform Services Controller Appliance
You can manage the Platform Services Controller appliance from the virtual appliance management interface or from the appliance shell. If you are using an environment with an embedded Platform Services Controller, you manage the one appliance that includes both Platform Services Controller and vCenter Server. See vCenter Server Appliance Configuration. Table 1-5.
Manage the Appliance from the Appliance Shell
You can use service management utilities and CLIs from the appliance shell. You can use TTY1 to log in to the console, or you can use SSH to connect to the shell.
Procedure
1 Enable SSH login if necessary.
a Log in to the appliance management interface (VAMI).
b In the Navigator, select Access and click Edit.
c Select the Enable SSH Login check box and click OK.
2 vSphere Authentication with vCenter Single Sign-On
vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. When a user or a solution user authenticates to vCenter Single Sign-On, that user receives a SAML token. Going forward, the user can use the SAML token to authenticate to vCenter services. The user can then perform the actions that the user has privileges for.
Understanding vCenter Single Sign-On
To effectively manage vCenter Single Sign-On, you need to understand the underlying architecture and how it affects installation and upgrades. vCenter Single Sign-On 6.0 Domains and Sites (http://link.brightcove.
2 The vSphere Web Client passes the login information to the vCenter Single Sign-On service, which checks the SAML token of the vSphere Web Client. If the vSphere Web Client has a valid token, vCenter Single Sign-On then checks whether the user is in the configured identity source (for example, Active Directory).
- If only the user name is used, vCenter Single Sign-On checks in the default domain.
- If a domain name is included with the user name (DOMAIN\user1
2 The solution user is redirected to vCenter Single Sign-On. If the solution user is new to vCenter Single Sign-On, it has to present a valid certificate.
3 If the certificate is valid, vCenter Single Sign-On assigns a SAML token (bearer token) to the solution user. The token is signed by vCenter Single Sign-On.
4 The solution user is then redirected to vCenter Single Sign-On and can perform tasks based on its permissions.
5.5, this user was administrator@vsphere.local. With vSphere 6.0, you can change the vSphere domain when you install vCenter Server or deploy the vCenter Server Appliance with a new Platform Services Controller. Do not give the vSphere domain the same name as your Microsoft Active Directory or OpenLDAP domain.
vCenter Server instances, you can install an additional Platform Services Controller for better performance. The vCenter Single Sign-On service on each Platform Services Controller synchronizes authentication data with all other instances. The precise number depends on how heavily the vCenter Server instances are being used and on other factors.
vCenter Single Sign-On Administrator Users
The vCenter Single Sign-On administrative interface is accessible from the vSphere Web Client and from the Platform Services Controller Web interface. To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, the user administrator@vsphere.local or a user in the vCenter Single Sign-On Administrators group must log in to the vSphere Web Client.
- Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated. If your environment includes an Active Directory hierarchy, see VMware Knowledge Base article 2064250 for details on supported and unsupported setups.
Table 2-1. Groups in the vsphere.local Domain (continued)
SystemConfiguration.BashShellAdministrators: This group is available only for vCenter Server Appliance deployments.
ActAsUsers: Members of Act-As Users are allowed to get Act-As tokens from vCenter Single Sign-On.
ExternalIPDUsers: This internal group is not used by vSphere. VMware vCloud Air requires this group.
SystemConfiguration.
- Set the Default Domain for vCenter Single Sign-On: Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the default domain must include the domain name when they log in.
Types of Identity Sources
vCenter Server versions earlier than version 5.1 supported Active Directory and local operating system users as user repositories. As a result, local operating system users were always able to authenticate to the vCenter Server system. vCenter Server versions 5.1 and 5.5 use vCenter Single Sign-On for authentication. See the vSphere 5.1 documentation for a list of supported identity sources with vCenter Single Sign-On 5.1.
Set the Default Domain for vCenter Single Sign-On
Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the default domain must include the domain name when they log in.
Add a vCenter Single Sign-On Identity Source
Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add identity sources from the vSphere Web Client or the Platform Services Controller interface. An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service.
5 Select the identity source type and enter the identity source settings.
Active Directory (Integrated Windows Authentication): Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option. See Active Directory Identity Source Settings.
- For a vCenter Server Appliance, follow the instructions in the vCenter Server Appliance Configuration documentation.
Note Active Directory (Integrated Windows Authentication) always uses the root of the Active Directory domain forest. To configure your Integrated Windows Authentication identity source with a child domain within your Active Directory forest, see VMware Knowledge Base article 2070433.
Select Use machine account to speed up configuration.
Table 2-3. Active Directory as an LDAP Server and OpenLDAP Settings
Name: Name of the identity source.
Base DN for users: Base Distinguished Name for users.
Domain name: FQDN of the domain, for example, example.com. Do not provide an IP address in this text box.
Domain alias: For Active Directory identity sources, the domain's NetBIOS name.
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group. If you specified a different domain during installation, log in as administrator@mydomain.
3 Navigate to the vCenter Single Sign-On configuration UI.
vSphere Web Client: a From the Home menu, select Administration. b Under Single Sign-On, click Configuration.
Remove a vCenter Single Sign-On Identity Source
You can remove an identity source from the list of registered identity sources. When you do, users from that identity source can no longer authenticate to vCenter Single Sign-On.
Procedure
1 From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
Procedure
1 Navigate to the vSphere Web Client login page.
2 Select the Use Windows session authentication check box.
3 Log in using the Active Directory user name and password.
- If the Active Directory domain is the default identity source, log in with your user name, for example jlee.
- Otherwise, include the domain name, for example, jlee@example.com.
Specifying a Nondefault Authentication Method
Administrators can set up a nondefault authentication method from the Platform Services Controller Web interface, or by using the sso-config script.
- For smart card authentication, you can perform the vCenter Single Sign-On setup from the Platform Services Controller Web interface or by using sso-config. Setup includes enabling smart card authentication and configuring certificate revocation policies.
4 If the certificate is known and has not been revoked, the user is authenticated and can then perform tasks that the user has permissions for.
Note It usually makes sense to leave user name and password authentication enabled during testing. After testing is complete, disable user name and password authentication and enable smart card authentication. Subsequently, the vSphere Web Client allows only smart card login.
2 Create a trusted client CA store. This store contains the certificates of the trusted CAs that issue the client certificates. The client here is the browser from which the smart card process prompts the end user for information. The following example shows how you create a certificate store on the Platform Services Controller appliance. For a single certificate:
cd /usr/lib/vmware-sso/
openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.
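The command above is shown for a single certificate. The following script is an added example, not taken from the VMware documentation, that assembles the trusted client CA store from several CA files and sanity-checks the result. It assumes the issuing CA certificates are already on the appliance as PEM or DER files; the store path is an assumed default (override it with STORE), and the sample PEM files it can generate are constructed placeholders, not real certificates. The security point it enforces is that every CA placed in this store can issue a certificate that passes the reverse proxy's client certificate check, so the store should hold only the CAs that actually issue smart card certificates.

```shell
#!/bin/sh
# Added example, not VMware's code: build the trusted client CA store for
# smart card authentication from individual CA certificate files.
# Assumptions: CA files are PEM or DER; STORE is the file the reverse proxy
# is later configured to read (the default below is an assumed path).

STORE=${STORE:-/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem}

# Emit one certificate as PEM. PEM input is passed through; anything else is
# treated as DER and converted with openssl (only needed for DER input).
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1" -outform PEM
    fi
}

# Build the store from the CA files given as arguments. Only CAs that issue
# smart card client certificates belong here; never add a public root, since
# any certificate chaining to a CA in this file passes the proxy's check.
build_client_ca_store() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        to_pem "$f" >> "$out" || return 1
    done
    chmod 0644 "$out"   # public CA certificates: readable, writable only by owner
}

# Number of certificates in a PEM store.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Store is non-empty and every BEGIN marker has a matching END marker. A
# truncated copy-paste is the usual way a store ends up silently short.
check_store() {
    b=$(grep -c 'BEGIN CERTIFICATE' "$1")
    e=$(grep -c 'END CERTIFICATE' "$1")
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Constructed sample input: two placeholder PEM files (not real certificates)
# written into the directory given as $1, to exercise the helpers offline.
make_sample_ca_files() {
    for n in 1 2; do
        printf -- '-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVIgbm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==\n-----END CERTIFICATE-----\n' \
            > "$1/ca$n.pem"
    done
}

# Usage: sh build-store.sh --build issuingCA1.pem issuingCA2.der ...
if [ "${1-}" = "--build" ]; then
    shift
    build_client_ca_store "$STORE" "$@" && check_store "$STORE" &&
        echo "$(count_certs "$STORE") CA certificate(s) in $STORE"
fi
```

After building the store, restart the reverse proxy as described in step 5 of this procedure so that it picks up the new trust list; check_store failing means the reverse proxy would either reject every smart card or, with an empty file, behave unpredictably, so fix the input files before restarting.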
5 Restart the service.
Appliance: /usr/lib/vmware-vmon/vmon-cli --restart rhttpproxy
Windows: Restart the operating system, or restart the VMware HTTP Reverse Proxy from the Service Manager or by following these steps:
a Open an elevated command prompt.
b Run the following commands:
cd C:\Program Files\VMware\vCenter Server\bin
service-control --stop vmware-rhttpproxy
service-control --start vmware-rhttpproxy
Use the Command Line to Manage Smart Card Authen
If you use OCSP for revocation checking, you can rely on the default OCSP responder specified in the smart card certificate's AIA extension. You can also override the default and configure one or more alternative OCSP responders. For example, you can set up OCSP responders that are local to the vCenter Single Sign-On site to process the revocation check requests.
Note If your certificate does not have OCSP defined, enable CRL (certificate revocation list) checking instead.
Procedure
1 Obtain the certificates and copy them to a folder that the sso-config utility can see.
Windows: Log in to the Platform Services Controller Windows installation and use WinSCP or a similar utility to copy the files.
Appliance: a Log in to the appliance console, either directly or by using SSH. b Enable the appliance shell, as follows.
5 (Optional) Turn on and configure revocation checking using OCSP.
a Turn on revocation checking using OCSP:
sso-config.[bat|sh] -set_authn_policy -t tenantName -useOcsp true
b If the OCSP responder link is not provided by the AIA extension of the certificates, provide the overriding OCSP responder URL and OCSP authority certificate. The alternative OCSP responder is configured for each vCenter Single Sign-On site.
Use the Platform Services Controller Web Interface to Manage Smart Card Authentication
You can enable and disable smart card authentication, customize the login banner, and set up the revocation policy from the Platform Services Controller Web interface. If smart card authentication is enabled and other authentication methods are disabled, users are then required to log in using smart card authentication.
- Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then perform management tasks because they can authenticate and they have vCenter Server administrator privileges.
Note The administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, cannot perform smart card authentication.
- Set up the reverse proxy and restart the physical or virtual machine.
5 Click Smart Card Configuration, and select the Trusted CA certificates tab.
6 To add one or more trusted certificates, click Add Certificate, click Browse, select all certificates from trusted CAs, and click OK.
7 To specify the authentication configuration, click Edit next to Authentication Configuration and select or deselect authentication methods. You cannot enable or disable RSA SecurID authentication from this Web interface.
- If revocation checking is enabled, advanced users can specify the following additional settings.
OCSP URL: By default, vCenter Single Sign-On checks the location of the OCSP responder that is defined in the certificate being validated. You can explicitly specify a location if the Authority Information Access extension is absent from the certificate or if you want to override it.
Procedure
1 From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
vSphere Web Client: https://vc_hostname_or_IP/vsphere-client
Platform Services Controller: https://psc_hostname_or_IP/psc
In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.
2 Specify the user name and password for administrator@vsphere.
- Verify that the RSA Authentication Manager system can resolve the Platform Services Controller host name, and that the Platform Services Controller system can resolve the RSA Authentication Manager host name.
- Export the sdconf.rec file from the RSA Manager by selecting Access > Authentication Agents > Generate configuration file. Decompress the resulting AM_Config.zip file to find the sdconf.rec file.
- Copy the sdconf.
5 (Optional) To change the tenant configuration to nondefault values, run the following command.
sso-config.[sh|bat] -set_rsa_config [-t tenantName] [-logLevel Level] [-logFileSize Size] [-maxLogFileCount Count] [-connTimeOut Seconds] [-readTimeOut Seconds] [-encAlgList Alg1,Alg2,...]
The default is usually appropriate, for example:
sso-config.sh -set_rsa_config -t vsphere.
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group. If you specified a different domain during installation, log in as administrator@mydomain.
3 Click Single Sign-On, click Configuration, and click the Login Banner tab.
4 Click Edit and configure the login banner.
Status: Select the Enabled check box to enable the login banner.
You can use the vSphere Web Client interface to vCenter Single Sign-On to export the IDP metadata, and to import the metadata from the SP. If you are using vRealize Automation as the SP, see the vRealize Automation documentation for details on exporting the SP metadata and importing the IDP metadata.
Note The service must fully support the SAML 2.0 standard or integration does not work.
5 Log in to the SAML SP, for example VMware vRealize Automation 7.0, and follow the SP instructions to add the vCenter Single Sign-On metadata to that service provider. See the vRealize Automation documentation for details on importing the metadata into that product.
Security Token Service (STS)
The vCenter Single Sign-On Security Token Service (STS) is a Web service that issues, validates, and renews security tokens.
You can replace the existing STS signing certificate from the vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.
Caution Do not replace the file in the file system. If you do, unexpected errors that are difficult to debug result.
Note After you replace the certificate, you must restart the node to restart both the vSphere Web Client service and the STS service.
Generate a New STS Signing Certificate on the Appliance
If you want to replace the default vCenter Single Sign-On Security Token Service (STS) signing certificate, you have to generate a new certificate and add it to the Java key store. This procedure explains the steps on an embedded deployment appliance or an external Platform Services Controller appliance.
Note This certificate is valid for ten years and is not an external-facing certificate.
4 Generate the key.
/usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --pubkey=/root/newsts/sts.pub
5 Generate the certificate.
/usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --privkey=/root/newsts/sts.key --config=/root/newsts/certool.cfg
6 Convert the certificate to PKCS #12 format.
openssl pkcs12 -export -in /root/newsts/newsts.cer -inkey /root/newsts/sts.
2 Make a copy of the certool.cfg file and place it in the new directory.
copy "C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg" .
3 Open your copy of the certool.cfg file and edit it to use the local Platform Services Controller IP address and host name. The country is required and has to be two characters. The following sample illustrates this.
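The following script is an added example, not VMware's code, that wraps the appliance-side steps above (certool.cfg, certool --genkey, certool --gencert, openssl pkcs12 -export) with the checks an operator wants before importing anything into the key store: it refuses a Country value that is not exactly two letters, creates the key and .p12 with mode 0600, takes the PKCS #12 export password from the STS_P12_PASS environment variable instead of the command line (where it would be visible in ps output and shell history), and prints notAfter so the ten-year validity can be confirmed. The organization fields, the friendly name newstssigner and the /root/newsts directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not VMware's code: generate a new STS signing certificate
# on the appliance with input validation and safe key handling.
# Assumptions: certool and openssl paths as used in the procedure; ORG,
# ORGUNIT, STATE, LOCALITY are placeholders to edit for your site.

CERTOOL=/usr/lib/vmware-vmca/bin/certool
ORG=${ORG:-"Example Corp"}
ORGUNIT=${ORGUNIT:-"Platform Services"}
STATE=${STATE:-"California"}
LOCALITY=${LOCALITY:-"Palo Alto"}

# Print a certool.cfg for the local Platform Services Controller.
# Arguments: country hostname ipaddress. Country is required and must be
# exactly two characters, so reject anything else before generating keys.
render_certool_cfg() {
    country=$1 host=$2 ip=$3
    case "$country" in
        [A-Za-z][A-Za-z]) ;;
        *) echo "Country must be exactly two letters, got '$country'" >&2; return 1 ;;
    esac
    printf 'Country = %s\nName = STS\nOrganization = %s\nOrgUnit = %s\n' \
        "$country" "$ORG" "$ORGUNIT"
    printf 'State = %s\nLocality = %s\nIPAddress = %s\nHostname = %s\n' \
        "$STATE" "$LOCALITY" "$ip" "$host"
}

# Generate key, certificate and PKCS #12 bundle under DIR.
# Arguments: dir country hostname ipaddress. The export password must be
# in STS_P12_PASS; it is never placed on a command line.
generate_sts_cert() {
    dir=$1 country=$2 host=$3 ip=$4
    [ -n "${STS_P12_PASS-}" ] || { echo "set STS_P12_PASS first" >&2; return 1; }
    umask 077                       # key and .p12 are created mode 0600
    mkdir -p "$dir" || return 1
    render_certool_cfg "$country" "$host" "$ip" > "$dir/certool.cfg" || return 1
    "$CERTOOL" --server localhost --genkey \
        --privkey="$dir/sts.key" --pubkey="$dir/sts.pub" || return 1
    "$CERTOOL" --gencert --cert="$dir/newsts.cer" \
        --privkey="$dir/sts.key" --config="$dir/certool.cfg" || return 1
    # "newstssigner" is an assumed friendly name for the key store entry.
    openssl pkcs12 -export -in "$dir/newsts.cer" -inkey "$dir/sts.key" \
        -name newstssigner -passout env:STS_P12_PASS -out "$dir/newsts.p12" || return 1
    # Show subject and notAfter so the operator can confirm the expected
    # ten-year validity before importing the .p12 into the Java key store.
    openssl x509 -noout -subject -enddate -in "$dir/newsts.cer"
}

# Usage: STS_P12_PASS=... sh new-sts-cert.sh --generate US psc.example.com 192.0.2.10
if [ "${1-}" = "--generate" ]; then
    shift
    generate_sts_cert /root/newsts "$@"
fi
```

Because umask is changed inside generate_sts_cert and functions run in the calling shell, run the script as a separate process (as in the usage line) rather than sourcing it into an interactive session.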
Determine the Expiration Date of an LDAPS SSL Certificate
If you select an LDAP identity source, and you decide to use LDAPS, you can upload an SSL certificate for the LDAP traffic. SSL certificates expire after a predefined lifespan. Knowing when a certificate expires lets you replace or renew the certificate before the expiration date.
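The following is an added example, not from the VMware documentation, for checking a PEM certificate from the appliance shell: it reports the days remaining until notAfter (the question this section asks about the LDAPS certificate) and whether the certificate carries an OCSP responder URL in its AIA extension, which is what the smart card revocation note earlier turns on (OCSP if the certificate defines a responder, otherwise CRL). It assumes openssl is on the path and GNU date, as on the appliance; the date arithmetic is kept in its own function so it can be checked without a certificate.

```shell
#!/bin/sh
# Added example, not VMware's code: expiry and revocation-source report for
# a PEM certificate (for example the LDAPS certificate of an identity
# source, or a smart card issuing CA). Assumes openssl and GNU date.

# Days between "now" and a notAfter value in the form openssl prints it,
# e.g. "Nov  3 00:00:00 2027 GMT". Negative means already expired.
# $2 optionally overrides "now" (epoch seconds) so the arithmetic is testable.
days_remaining() {
    exp=$(date -u -d "$1" +%s) || return 1
    now=${2:-$(date -u +%s)}
    echo $(( (exp - now) / 86400 ))
}

# notAfter of a PEM certificate file, without the "notAfter=" prefix.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# OCSP responder URL(s) from the AIA extension; empty if the extension is
# absent or names no OCSP responder.
cert_ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Revocation source that vCenter Single Sign-On can use for this certificate:
# "ocsp" when a responder is named, otherwise "crl" (the documented fallback).
revocation_mode_for() {
    [ -n "$1" ] && echo ocsp || echo crl
}

# Report for one certificate; returns 2 when fewer than WARN_DAYS remain
# so the script can drive a monitoring check. Arguments: file [warn_days]
check_cert() {
    file=$1 warn=${2:-30}
    left=$(days_remaining "$(cert_not_after "$file")") || return 1
    uri=$(cert_ocsp_uri "$file")
    printf '%s: %s day(s) left, revocation via %s\n' \
        "$file" "$left" "$(revocation_mode_for "$uri")"
    [ "$left" -ge "$warn" ] || return 2
}

# Usage: sh cert-check.sh --check /path/to/ldaps.pem 30
if [ "${1-}" = "--check" ]; then
    shift
    check_cert "$@"
fi
```

Run it against the certificate you uploaded for the LDAPS identity source and against each smart card issuing CA; a non-zero exit from check_cert is the signal to schedule a replacement, and a "crl" result means the CRL checking path must be enabled for that CA rather than OCSP.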
Managing vCenter Single Sign-On Policies
vCenter Single Sign-On policies enforce the security rules in your environment. You can view and edit the default vCenter Single Sign-On password policy, lockout policy, and token policy.
Edit the vCenter Single Sign-On Password Policy
The vCenter Single Sign-On password policy governs the format and expiration of vCenter Single Sign-On user passwords.
6 Edit the password policy parameters.
Description: Password policy description.
Maximum lifetime: Maximum number of days that a password is valid before the user must change it.
Restrict reuse: Number of previous passwords that cannot be reused. For example, if you type 6, the user cannot reuse any of the last six passwords.
Maximum length: Maximum number of characters that are allowed in the password.
Procedure
1 From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
vSphere Web Client: https://vc_hostname_or_IP/vsphere-client
Platform Services Controller: https://psc_hostname_or_IP/psc
In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.
2 Specify the user name and password for administrator@vsphere.
Edit the vCenter Single Sign-On Token Policy
The vCenter Single Sign-On token policy specifies token properties such as the clock tolerance and renewal count. You can edit the token policy to ensure that the token specification conforms to security standards in your corporation.
Procedure
1 From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
Maximum bearer token lifetime: Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime of a bearer token before the token has to be reissued.
- Add Members to a vCenter Single Sign-On Group: Members of a vCenter Single Sign-On group can be users or other groups from one or more identity sources. You can add new members from the vSphere Web Client.
- Remove Members From a vCenter Single Sign-On Group: You can remove members from a vCenter Single Sign-On group by using the vSphere Web Client or the Platform Services Controller Web interface.
3 Navigate to the vCenter Single Sign-On user configuration UI.
vSphere Web Client: a From the Home menu, select Administration. b Under Single Sign-On, click Users and Groups.
Platform Services Controller: Click Single Sign-On and click Users and Groups.
4 If vsphere.local is not the currently selected domain, select it from the drop-down menu. You cannot add users to other domains.
5 On the Users tab, click the New User icon.
Procedure
1 From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
vSphere Web Client: https://vc_hostname_or_IP/vsphere-client
Platform Services Controller: https://psc_hostname_or_IP/psc
In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.
2 Specify the user name and password for administrator@vsphere.
3 Navigate to the vCenter Single Sign-On user configuration UI.
vSphere Web Client: a From the Home menu, select Administration. b Under Single Sign-On, click Users and Groups.
Platform Services Controller: Click Single Sign-On and click Users and Groups.
4 Select the Users tab, and select the vsphere.local domain.
5 In the list of users, select the user that you want to delete and click the Delete icon. Proceed with caution.
5 Right-click the user and select Edit User.
6 Edit the user attributes. You cannot change the user name of the user. The password must meet the password policy requirements for the system.
7 Click OK.
Add a vCenter Single Sign-On Group
The vCenter Single Sign-On Groups tab shows groups in the local domain, vsphere.local by default. You add groups if you need a container for group members (principals).
Add Members to a vCenter Single Sign-On Group
Members of a vCenter Single Sign-On group can be users or other groups from one or more identity sources. You can add new members from the vSphere Web Client. See VMware Knowledge Base article 2095342 for some background information. Groups listed on the Groups tab in the Web interface are part of the vsphere.local domain. See Groups in the vCenter Single Sign-On Domain.
Remove Members From a vCenter Single Sign-On Group
You can remove members from a vCenter Single Sign-On group by using the vSphere Web Client or the Platform Services Controller Web interface. When you remove a member (user or group) from a group, you do not delete the member from the system.
Procedure
1 From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
Delete vCenter Single Sign-On Solution Users
vCenter Single Sign-On displays solution users. A solution user is a collection of services. Several vCenter Server solution users are predefined and authenticate to vCenter Single Sign-On as part of installation. In troubleshooting situations, for example, if an uninstall did not complete cleanly, you can delete individual solution users from the vSphere Web Client.
Change Your vCenter Single Sign-On Password
Users in the local domain, vsphere.local by default, can change their vCenter Single Sign-On passwords from a Web interface. Users in other domains change their passwords following the rules for that domain. The vCenter Single Sign-On lockout policy determines when your password expires.
vCenter Single Sign-On Security Best Practices
Follow vCenter Single Sign-On security best practices to protect your vSphere environment. The vSphere 6.0 authentication and certificate infrastructure enhances security in your vSphere environment. To make sure that infrastructure is not compromised, follow vCenter Single Sign-On Best Practices.

Check password expiration
The default vCenter Single Sign-On password policy has a password lifetime of 90 days.
3 vSphere Security Certificates
vCenter services use SSL to communicate securely with each other and with ESXi. SSL communications ensure data confidentiality and integrity. Data is protected and cannot be modified in transit without detection. vCenter Server services such as the vSphere Web Client also use certificates for initial authentication to vCenter Single Sign-On. vCenter Single Sign-On provisions each set of services (solution user) with a SAML token that the solution user can authenticate with.
Certificate Requirements for Different Solution Paths
Certificate requirements depend on whether you use VMCA as an intermediate CA or you use custom certificates. Requirements are also different for machine certificates and for solution user certificates. Before you begin, ensure that all nodes in your environment are time synchronized.

Requirements for All Imported Certificates
- Key size: 2048 bits or more (PEM encoded)
- PEM format.
If you generate CSRs using Certificate Manager, you are prompted for the following information, and Certificate Manager adds the corresponding fields to the CSR file.
- The password of the administrator@vsphere.local user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
Certificate Type: Root certificate
Certificate Requirements:
- You can use vSphere Certificate Manager to create the CSR. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA).
- If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements.
  - Key size: 2048 bits or more
  - PEM format. VMware supports PKCS8 and PKCS1 (RSA keys).
Certificate Type: Machine SSL certificate
Certificate Requirements: The machine SSL certificate on each node must have a separate certificate from your third-party or enterprise CA.
- You can generate the CSRs using vSphere Certificate Manager or create the CSR manually. The CSR must meet the requirements listed under Requirements for All Imported Certificates above.
Certificate Management Overview
The work required for setting up or updating your certificate infrastructure depends on the requirements in your environment, on whether you are performing a fresh install or an upgrade, and on whether you are considering ESXi or vCenter Server.

Administrators Who Do Not Replace VMware Certificates
VMCA can handle all certificate management.
This scenario retains the existing vCenter Server and vCenter Single Sign-On certificates. The certificates are used as machine SSL certificates. In addition, VMCA assigns a VMCA-signed certificate to each solution user (collection of vCenter services). The solution user uses this certificate only to authenticate to vCenter Single Sign-On. Replacing solution user certificates is often not required by company policy. You can no longer use the vSphere 5.
Certificate Replacement Overview
You can perform different types of certificate replacement depending on company policy and requirements for the system that you are configuring. You can perform certificate replacement from the Platform Services Controller, by using the vSphere Certificate Manager utility, or manually by using the CLIs included with your installation.
You can replace the default certificates.
Figure 3-2. Certificates Signed by a Third-Party or Enterprise CA, Use VMCA as an Intermediate CA
[Diagram labels: VMware vSphere; VMCA Signed; Root CA-Cert Signed; Enterprise CA-Cert Signed; CA-Cert; Machine-Cert; VECS]

Do Not Use VMCA, Provision with Custom Certificates
You can replace the existing VMCA-signed certificates with custom certificates. If you use that approach, you are responsible for all certificate provisioning and monitoring.

Figure 3-3.
Company policy often does not allow intermediate CAs. For those cases, hybrid deployment is a good solution. It minimizes the number of certificates to replace and secures all traffic. The hybrid deployment leaves only internal traffic, that is, solution user traffic, using the default VMCA-signed certificates.

ESXi Certificate Replacement
For ESXi hosts, you can change certificate provisioning behavior from the vSphere Web Client.
Machine SSL Certificates
The machine SSL certificate for each node is used to create an SSL socket on the server side. SSL clients connect to the SSL socket. The certificate is used for server verification and for secure communication such as HTTPS or LDAPS.
Each node has its own machine SSL certificate. Nodes include vCenter Server instances, Platform Services Controller instances, and embedded deployment instances.
- vsphere-webclient: vSphere Web Client store. Also includes some additional services such as the performance chart service.
Each Platform Services Controller node includes a machine certificate.

Internal Certificates
vCenter Single Sign-On certificates are not stored in VECS and are not managed with certificate management tools. As a rule, changes are not necessary, but in special situations, you can replace these certificates.
Table 3-5. Core Identity Services
Service: VMware Directory Service (vmdir)
  Description: Handles SAML certificate management for authentication in conjunction with vCenter Single Sign-On.
  Included in: Platform Services Controller
Service: VMCA
  Description: Issues certificates for VMware solution users, machine certificates for machines on which services are running, and ESXi host certificates. VMCA can be used as is, or as an intermediary certificate authority.
Table 3-6. Stores in VECS (Continued)
Store: Solution user stores
  Description: VECS includes one store for each solution user. The subject of each solution user certificate must be unique; for example, the machine certificate cannot have the same subject as the vpxd certificate.
  - machine
  - vpxd
  - vpxd-extension
  - vsphere-webclient
  Solution user certificates are used for authentication with vCenter Single Sign-On.
Some certificates are stored on the file system, either temporarily during startup or permanently. Do not change the certificates on the file system. Use vecs-cli to perform operations on certificates that are stored in VECS.
Note: Do not change any certificate files on disk unless instructed by VMware documentation or Knowledge Base articles. Unpredictable behavior might result otherwise.
Replacement of Machine SSL Certificates in Environments with Multiple Management Nodes
If your environment includes multiple management nodes and a single Platform Services Controller, you can replace certificates with the vSphere Certificate Manager utility, or manually with vSphere CLI commands.

vSphere Certificate Manager
You run vSphere Certificate Manager on each machine.
2 A certificate for each of the following solution users on each management node:
  - vpxd solution user
  - vpxd-extension solution user
  - vsphere-webclient solution user
Replace the certificates on each node. The precise process depends on the type of certificate replacement that you are performing.
Supported Workflows
After you install a Platform Services Controller, the VMware Certificate Authority on that node provisions all other nodes in the environment with certificates by default. You can use one of the following workflows to renew or replace certificates.

Renew Certificates
You can have VMCA generate a new root certificate and renew all certificates in your environment from the Platform Services Controller web interface.
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
  If you specified a different domain during installation, log in as administrator@mydomain.
3 Under Certificates, click Certificate Store and explore the store.
4 Select the store inside the VMware Endpoint Certificate Store (VECS) that you want to explore from the pulldown menu.
4 Renew the machine SSL certificate for the local system.
  a Click the Machine Certificates tab.
  b Select the certificate, click Renew, and answer Yes to the prompt.
5 (Optional) Renew the solution user certificates for the local system.
  a Click the Solution User Certificates tab.
  b Select a certificate and click Renew to renew individual selected certificates, or click Renew All to renew all solution user certificates.
  c Answer Yes at the prompt.
Make VMCA an Intermediate Certificate Authority from the Platform Services Controller Web Interface
You can have the VMCA certificate signed by another CA so that VMCA becomes an intermediate CA. Going forward, all certificates that VMCA generates include the full chain. You can perform this setup by using the vSphere Certificate Manager utility, by using CLIs, or from the Platform Services Controller Web interface.
Prerequisites
1 Generate the CSR.
5 (Optional) Renew the solution user certificates for the local system.
  a Click the Solution User Certificates tab.
  b Select a certificate and click Renew to renew individual selected certificates, or click Renew All to replace all certificates, and answer Yes to the prompt.
  VMCA replaces the solution user certificate or all solution user certificates with certificates that are signed by the new CA.
Set up Your System to Use Custom Certificates from the Platform Services Controller
You can use the Platform Services Controller to set up your environment to use custom certificates. You can generate Certificate Signing Requests (CSRs) for each machine and for each solution user using the Certificate Manager utility. When you submit the CSRs to your internal or third-party CA, the CA returns signed certificates and the root certificate.
5 Select option 5.
6 Supply the password and the Platform Services Controller IP address or host name if prompted.
7 Select option 1 to generate the CSRs, answer the prompts, and exit Certificate Manager.
  As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory. On each Platform Services Controller node, Certificate Manager generates one certificate and key pair.
Add Custom Certificates from the Platform Services Controller
You can add custom Machine SSL certificates and custom solution user certificates to the certificate store from the Platform Services Controller. In most cases, replacing the machine SSL certificate for each component is sufficient. The solution user certificate remains behind a proxy.
Prerequisites
Generate certificate signing requests (CSRs) for each certificate that you want to replace.
What to do next
Restart services on the Platform Services Controller. You can either restart the Platform Services Controller, or run the following commands from the command line:
  Windows: On Windows, the service-control command is located at VCENTER_INSTALL_PATH\bin.
5 Click the certificate type for which you want to view certificate information.
  Option: Active Certificates
    Displays active certificates, including their validation information. The green Valid To icon changes when certificate expiration is approaching.
  Option: Revoked Certificates
    Displays the list of revoked certificates. Not supported in this release.
  Option: Expired Certificates
    Lists expired certificates.
Certificate Manager Utility Location
You can run the tool on the command line as follows:
  Windows: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
  Linux: /usr/lib/vmware-vmca/bin/certificate-manager

Certificate Manager Options and the Workflows in This Document
You run Certificate Manager options in sequence to complete a workflow. Several options, for example, generating CSRs, are used in different workflows.
Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
This single-option workflow (Option 2) can be used by itself or as part of the intermediate certificate workflow.
3 If you also want to replace the solution user certificates, you select Option 5.
4 Finally, in a multi-node deployment, you have to repeat the process on each node.
See Replace All Certificates with Custom Certificate (Certificate Manager).
2 Select option 4.
3 Respond to the prompts.
  Certificate Manager generates a new VMCA root certificate based on your input and replaces all certificates on the system where you are running Certificate Manager. If you use an embedded deployment, the replacement process is complete after Certificate Manager has restarted the services.
Make VMCA an Intermediate Certificate Authority (Certificate Manager)
You can make VMCA an intermediate CA by following the prompts from the Certificate Manager utility. After you complete the process, VMCA signs all new certificates with the full chain. If you want, you can use Certificate Manager to replace all existing certificates with new VMCA-signed certificates.
To make VMCA an intermediate CA, you have to run Certificate Manager several times.
4 Replace Solution User Certificates with VMCA Certificates (Intermediate CA)
In a multi-node environment that uses VMCA as an intermediate CA, you can replace the solution user certificates explicitly. First you replace the VMCA root certificate on the Platform Services Controller node, and then you can replace the certificates on the vCenter Server nodes to have the certificates signed by the full chain.
Procedure
1 Start vSphere Certificate Manager and select Option 2.
  Initially, you use this option to generate the CSR, not to replace certificates.
2 Supply the password and the Platform Services Controller IP address or host name if prompted.
3 Select Option 1 to generate the CSR and answer the prompts.
  As part of the process, you have to provide a directory. Certificate Manager places the certificate to be signed (*.
- Gather the information that you will need.
  - Password for administrator@vsphere.local.
  - Valid custom certificate for Root (.crt file).
  - Valid custom key for Root (.key file).
Procedure
1 Start vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller and select option 2.
2 Select option 2 again to start certificate replacement and respond to the prompts.
- Company name
- Organization name
- Organization unit
- State
- Locality
- IP address (optional)
- Email
- Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
- You must know the following information to run Certificate Manager with this option.
  - Password for administrator@vsphere.local.
  - Host name or IP address of the Platform Services Controller if you are running on a vCenter Server system with an external Platform Services Controller.
Procedure
1 Start vSphere Certificate Manager and select option 6.
2 Respond to the prompts.
  vSphere Certificate Manager replaces all solution user certificates.
2 Replace Machine SSL Certificate with Custom Certificate
The machine SSL certificate is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. Each machine must have a machine SSL certificate for secure communication with other services. You can replace the certificate on each node with a custom certificate.
3 Select option 1 to generate the CSR, answer the prompts, and exit Certificate Manager.
  As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory.
4 If you also want to replace all solution user certificates, restart Certificate Manager.
5 Select option 5.
6 Supply the password and the Platform Services Controller IP address or host name if prompted.
Procedure
1 Start vSphere Certificate Manager and select option 1.
2 Select option 2 to start certificate replacement and respond to the prompts.
  vSphere Certificate Manager prompts you for the following information:
  - Password for administrator@vsphere.local.
  - Valid Machine SSL custom certificate (.crt file).
  - Valid Machine SSL custom key (.key file).
  - Valid signing certificate for the custom machine SSL certificate (.crt file).
2 Request a certificate for each solution user on each node from your third-party or enterprise CA.
  You can generate the CSR using vSphere Certificate Manager or prepare it yourself. The CSR must meet the following requirements:
  - Key size: 2048 bits or more (PEM encoded)
  - CRT format
  - x509 version 3
  - SubjectAltName must contain DNS Name=
  - Each solution user certificate must have a different Subject.
Reset All Certificates
Use the Reset All Certificates option if you want to replace all existing vCenter certificates with certificates that are signed by VMCA. When you use this option, you overwrite all custom certificates that are currently in VECS.
- On a Platform Services Controller node, vSphere Certificate Manager can regenerate the root certificate and replace the machine SSL certificate and the machine solution user certificate.
- Stop services right before you perform these tasks:
  - Delete a machine SSL certificate or any solution user certificate in VECS.
  - Replace a solution user certificate in vmdir (VMware Directory Service).
Procedure
1 Generate a new self-signed certificate and private key.
  certool --genselfcacert --outprivkey --outcert --config
2 Replace the existing root certificate with the new certificate.
  certool --rootca --cert --privkey
  The command generates the certificate, adds it to vmdir, and adds it to VECS.
- On a management node (external installation):
  C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --getrootca --server=
  The output looks similar to this:
  output:
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              cf:2d:ff:49:88:50:e5:af
  ...
2 (Optional) List the VECS TRUSTED_ROOTS store and compare the certificate serial number there with the output from Step 1.
Replace Machine SSL Certificates with VMCA-Signed Certificates
After you generate a new VMCA-signed root certificate, you can replace all machine SSL certificates in your environment. Each machine must have a machine SSL certificate for secure communication with other services. In a multi-node deployment, you must run the Machine SSL certificate generation commands on each node.
4 Stop all services and start the services that handle certificate creation, propagation, and storage.
  The service names differ on Windows and the vCenter Server Appliance.
3 Generate the new machine SSL certificate. This certificate is signed by VMCA. If you replaced the VMCA root certificate with a custom certificate, VMCA signs all certificates with the full chain.
  - On a Platform Services Controller node or embedded installation:
    C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=ssl-config.cfg
  - On a vCenter Server (external installation):
    C:\>"C:\Progra
- On each management node or embedded deployment, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store. You must update the certificate for each machine separately because each has a different FQDN.
  C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
  C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --ali
2 Generate a public/private key file pair and a certificate for each solution user, passing in the configuration file that you just customized. For example:
  certool --genkey --privkey=vpxd.priv --pubkey=vpxd.pub
  certool --gencert --privkey=vpxd.priv --cert vpxd.crt --Name=VPXD_1 --config sol_usr.cfg
3 Find the name for each solution user.
  dir-cli service list
  You can use the unique ID that is returned when you replace the certificates.
5 For each solution user, replace the existing certificate in vmdir and then in VECS. The following example shows how to replace the certificates for the vpxd service.
  dir-cli service update --name --cert ./vpxd.crt
  vecs-cli entry delete --store vpxd --alias vpxd
  vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.
2 Generate solution user certificates that are signed by the new VMCA root certificate for the machine solution user on each Platform Services Controller and each management node, and for each additional solution user (vpxd, vpxd-extension, vsphere-webclient) on each management node.
  Note: The --Name parameter has to be unique. Including the name of the solution user store makes it easy to see which certificate maps to which solution user.
b Replace the machine solution user certificate on each management node:
  C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store machine --alias machine
  C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store machine --alias machine --cert new-machine-vc.crt --key machine-vc-key.priv
c Replace the vpxd solution user certificate on each management node.
  C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cl
b Replace the machine certificate in vmdir on the Platform Services Controller. For example, if machine-29a45d00-60a7-11e4-96ff-00505689639a is the machine solution user on the Platform Services Controller, run this command:
  C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name machine-29a45d00-60a7-11e4-96ff-00505689639a --cert new-machine-1.crt
c Replace the machine certificate in vmdir on each management node.
These steps are not required for a mixed mode environment that includes vSphere 6.0 and vSphere 6.5 nodes. These steps are required only if:
- Your environment includes both vCenter Single Sign-On 5.5 and vCenter Single Sign-On 6.x services.
- The vCenter Single Sign-On services are set up to replicate vmdir data.
- You plan to replace the default VMCA-signed certificates with custom certificates for the node on which the vCenter Single Sign-On 6.
4 Replace the VMware Directory Service Certificate in Mixed Mode Environments
During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. For that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
2 Prepare a certificate file that includes the signed VMCA certificate along with the full CA chain of your third-party CA or enterprise CA. Save the file, for example, as rootca1.crt.
  You can accomplish this by copying all CA certificates in PEM format into a single file. You start with the VMCA root certificate and end with the root CA PEM certificate.
6 (Optional) If necessary, you can force a refresh of VECS.
  vecs-cli force-refresh
7 Restart all services.
  service-control --start --all

Example: Replacing the Root Cert{}ificate
Replace the VMCA root certificate with the custom CA root certificate using the certool command with the --rootca option.
  C:\>"C:\Program Files\VMware\vCenter Server\vmcad\certool" --rootca --cert=C:\custom-certs\root.pem --privkey=C:\custom-certs\root.
Procedure
1 Make one copy of certool.cfg for each machine that needs a new certificate. You can find certool.cfg in the following locations:
  Windows: C:\Program Files\VMware\vCenter Server\vmcad
  Linux: /usr/lib/vmware-vmca/share/config/
2 Edit the custom configuration file for each machine to include that machine's FQDN.
  Run NSLookup against the machine's IP address to see the DNS listing of the name, and use that name for the Hostname field in the file.
Example: Replacing Machine SSL Certificates (VMCA is Intermediate CA)
1 Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory.
  Country = US
  Name = vmca-
  Organization = VMware
  OrgUnit = VMware Engineering
  State = California
  Locality = Palo Alto
  Hostname =
2 Generate a key pair for the machine SSL certificate.
- Sample output on vCenter Server:
  output (on vCenter):
  MACHINE_SSL_CERT
  TRUSTED_ROOTS
  TRUSTED_ROOT_CRLS
  machine
  vpxd
  vpxd-extension
  vsphere-webclient
  sms
5 Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values must exactly match the default names.
  - On the Platform Services Controller, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store.
    C:\>"C:\Progr
You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.
4 Stop all services and start the services that handle certificate creation, propagation, and storage.
  The service names differ on Windows and the vCenter Server Appliance.
c Generate a key pair for the vpxd solution user on each management node.
  C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=vpxd-key.priv --pubkey=vpxd-key.pub
d Generate a key pair for the vpxd-extension solution user on each management node.
  C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=vpxd-extension-key.priv --pubkey=vpxd-extension-key.
e Generate a certificate for the vsphere-webclient solution user on each management node by running the following command.
  C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vsphere-webclient.crt --privkey=vsphere-webclient-key.priv --Name=vsphere-webclient --server=
3 Replace the solution user certificates in VECS with the new solution user certificates.
4 Update VMware Directory Service (vmdir) with the new solution user certificates. You are prompted for a vCenter Single Sign-On administrator password.
  a Run dir-cli service list to get the unique service ID suffix for each solution user. You can run this command on a Platform Services Controller or a vCenter Server system.
    C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli>dir-cli service list
    output:
    1.
f Replace the vsphere-webclient solution user certificate on each management node. For example, if vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 is the vsphere-webclient solution user ID, run this command:
  C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vsphere-webclient.
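The solution user replacement above is the same five-command pattern per store (certool key pair and certificate, dir-cli update in vmdir, then vecs-cli delete and create), with the rules that the machine store exists on every node while vpxd, vpxd-extension and vsphere-webclient exist only on management nodes, that --Name must be unique, and that --server points a management node at its external Platform Services Controller. The following script is an added example, not VMware tooling: it parses a constructed dir-cli service list listing and prints the command plan for one node. The file names, the host names, the vpxd and vpxd-extension service IDs, and the space-separated --server form for dir-cli are assumptions.

```python
"""Plan the solution user certificate replacement described in this section.
Added example, not VMware tooling: it parses `dir-cli service list` output (a constructed
sample is embedded) and emits the certool / dir-cli / vecs-cli sequence for one node."""
import re

# Solution user stores present on each node type (as this section describes).
STORES_ON_NODE = {
    "psc": ["machine"],
    "management": ["machine", "vpxd", "vpxd-extension", "vsphere-webclient"],
}

# Constructed sample of `dir-cli service list` output. The machine and vsphere-webclient
# IDs are the ones quoted in this section; the vpxd and vpxd-extension IDs are made up.
SAMPLE_SERVICE_LIST = """output:
1. machine-29a45d00-60a7-11e4-96ff-00505689639a
2. vpxd-11111111-2222-3333-4444-555555555555
3. vpxd-extension-66666666-7777-8888-9999-000000000000
4. vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69
"""


def map_services_to_stores(listing, stores):
    """Map each VECS store name to its vmdir service ID (<store>-<uuid>).

    The longest matching store wins, so vpxd-extension-... is not taken for vpxd.
    """
    mapping = {}
    for service_id in re.findall(r"^\s*\d+\.\s+(\S+)", listing, re.M):
        candidates = [s for s in stores if service_id.startswith(s + "-")]
        if candidates:
            mapping[max(candidates, key=len)] = service_id
    return mapping


def plan_replacement(listing, node_type, fqdn, psc_server=None):
    """Return the ordered command list for one node as strings; nothing is executed."""
    stores = STORES_ON_NODE[node_type]
    mapping = map_services_to_stores(listing, stores)
    missing = [s for s in stores if s not in mapping]
    if missing:
        raise ValueError("no vmdir service ID for store(s): " + ", ".join(missing))
    # On a management node with an external Platform Services Controller, point the
    # commands at the PSC with --server (certool uses '=', dir-cli assumed to use a space).
    server_eq = f" --server={psc_server}" if psc_server else ""
    server_sp = f" --server {psc_server}" if psc_server else ""
    cmds = ["service-control --stop --all",
            "service-control --start vmafdd",
            "service-control --start vmdird",
            "service-control --start vmca"]
    for store in stores:
        key, cert = f"{store}-key.priv", f"new-{store}.crt"
        # --Name must be unique across the environment: store name plus node FQDN.
        cmds.append(f"certool --genkey --privkey={key} --pubkey={store}-key.pub")
        cmds.append(f"certool --gencert --cert={cert} --privkey={key} --Name={store}-{fqdn}{server_eq}")
        # Replace in vmdir first, then in the VECS store; the alias equals the store name.
        cmds.append(f"dir-cli service update --name {mapping[store]} --cert {cert}{server_sp}")
        cmds.append(f"vecs-cli entry delete --store {store} --alias {store}")
        cmds.append(f"vecs-cli entry create --store {store} --alias {store} --cert {cert} --key {key}")
    cmds.append("service-control --start --all")
    return cmds


if __name__ == "__main__":
    for line in plan_replacement(SAMPLE_SERVICE_LIST, "management", "vc1.example.test",
                                 psc_server="psc.example.test"):
        print(line)
```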
Use Custom Certificates With vSphere
If company policy requires it, you can replace some or all certificates used in vSphere with certificates that are signed by a third-party or enterprise CA. If you do that, VMCA is not in your certificate chain. You are responsible for storing all vCenter certificates in VECS.
You can replace all certificates or use a hybrid solution.
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
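Before you import a custom certificate, you can check it offline against the requirements above and the machine SSL and solution user CSR requirements in this chapter (2048-bit key, x509 version 3, SubjectAltName with a DNS Name, the Digital Signature, Non Repudiation and Key Encipherment key usages, and for a root certificate the CA extension and cert sign). The following is an added example, not VMware code: a stdlib-only reader for those DER fields, a check that lists every unmet requirement, and a constructed sample certificate (dummy signature, placeholder host name psc.example.test) so it runs without a CA.

```python
"""Check a certificate against the import requirements listed in this chapter. Added example,
not VMware code: a stdlib-only DER/X.509 reader plus a constructed sample cert (dummy signature)."""

OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
OID_KEY_USAGE = bytes.fromhex("551d0f")         # id-ce-keyUsage
OID_SAN = bytes.fromhex("551d11")               # id-ce-subjectAltName
OID_BASIC = bytes.fromhex("551d13")             # id-ce-basicConstraints
KEY_USAGE_BITS = ["Digital Signature", "Non Repudiation", "Key Encipherment",
                  "Data Encipherment", "Key Agreement", "Key Cert Sign",
                  "CRL Sign", "Encipher Only", "Decipher Only"]

def der_tlv(buf, pos=0):
    """Decode one DER element at pos; returns (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split the content of a constructed element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_tlv(content, pos)
        out.append((tag, inner))
    return out

def parse_cert(der):
    """Pull out the fields the import requirements refer to; der_tlv(x)[1] unwraps one element."""
    fields = der_children(der_children(der_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate
    info = {"version": 1, "rsa_bits": None, "dns_names": [], "key_usage": set(), "ca": False}
    if fields[0][0] == 0xA0:                         # explicit [0] version: stored value + 1
        info["version"] = der_tlv(fields[0][1])[1][0] + 1
        fields = fields[1:]
    alg, pubkey = der_children(fields[5][1])         # subjectPublicKeyInfo follows serial..subject
    if der_children(alg[1])[0][1] == OID_RSA:
        # BIT STRING content: unused-bits byte, then RSAPublicKey SEQUENCE {modulus, exponent}
        modulus = der_children(der_tlv(pubkey[1][1:])[1])[0][1]
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    for tag, wrapped in fields[6:]:
        if tag != 0xA3:                              # explicit [3] extensions
            continue
        for _, ext in der_children(der_tlv(wrapped)[1]):
            parts = der_children(ext)                # OID, optional critical BOOLEAN, OCTET STRING
            oid, value = parts[0][1], parts[-1][1]
            if oid == OID_SAN:                       # dNSName is the implicit [2] choice, tag 0x82
                info["dns_names"] = [v.decode() for t, v in der_children(der_tlv(value)[1]) if t == 0x82]
            elif oid == OID_KEY_USAGE:               # bit 0 (digitalSignature) is the MSB
                bits = der_tlv(value)[1][1:]
                width, n = 8 * len(bits), int.from_bytes(bits, "big")
                info["key_usage"] = {name for i, name in enumerate(KEY_USAGE_BITS)
                                     if i < width and n >> (width - 1 - i) & 1}
            elif oid == OID_BASIC:                   # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                bc = der_children(der_tlv(value)[1])
                info["ca"] = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
    return info

def check_requirements(der, root=False):
    """Return the requirement failures; an empty list means the certificate may be imported."""
    c, problems = parse_cert(der), []
    if c["version"] != 3:
        problems.append("not x509 version 3")
    if c["rsa_bits"] is None or c["rsa_bits"] < 2048:
        problems.append("RSA key smaller than 2048 bits (or not an RSA key)")
    if root and not c["ca"]:
        problems.append("CA extension not set to true")
    if root and "Key Cert Sign" not in c["key_usage"]:
        problems.append("cert sign missing from key usage")
    if not root and not c["dns_names"]:
        problems.append("SubjectAltName has no DNS Name")
    missing = {"Digital Signature", "Non Repudiation", "Key Encipherment"} - c["key_usage"]
    if not root and missing:
        problems.append("missing key usages: " + ", ".join(sorted(missing)))
    return problems

def _der(tag, content):  # DER encoder, used only to build the constructed sample
    size = 0 if len(content) < 128 else (len(content).bit_length() + 7) // 8
    head = bytes([len(content)]) if not size else bytes([0x80 | size]) + len(content).to_bytes(size, "big")
    return bytes([tag]) + head + content

def build_sample_cert(rsa_bits=2048, dns_name="psc.example.test", key_usage=b"\x05\xe0", ca=False):
    """Constructed sample certificate with a dummy signature; key_usage is a raw BIT STRING."""
    mod = ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8 + 1, "big")  # leading 0x00: positive INTEGER
    rsa_key = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b"")) + _der(0x03, b"\x00" + rsa_key))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, dns_name.encode()))))
    validity = _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
    exts = _der(0x30, _der(0x06, OID_KEY_USAGE) + _der(0x04, _der(0x03, key_usage)))
    exts += _der(0x30, _der(0x06, OID_SAN) + _der(0x04, _der(0x30, _der(0x82, dns_name.encode()))))
    if ca:  # critical basicConstraints { cA TRUE }
        exts += _der(0x30, _der(0x06, OID_BASIC) + _der(0x01, b"\xff") + _der(0x04, _der(0x30, _der(0x01, b"\xff"))))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + name + validity
               + name + spki + _der(0xA3, _der(0x30, exts)))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(32)))  # dummy, unverifiable signature
```

For a real PEM file, base64-decode the text between the BEGIN and END CERTIFICATE lines and pass the bytes to check_requirements.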
3 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
Prerequisites
You must have received a certificate for each machine from your third-party or enterprise CA.
n Key size: 2048 bits or more (PEM encoded)
n CRT format
n x509 version 3
n SubjectAltName must contain DNS Name=
n Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Procedure
1 Stop all services and start the services that handle certificate creation, propagation, and storage.
2 Next, add the replacement certificate.
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert E:\custom-certs\ms-ca\signed-ssl\custom-w1-vim-catdhcp-094.eng.vmware.com.crt --key E:\custom-certs\ms-ca\signed-ssl\custom-x3-vim-catdhcp-1128.vmware.com.
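The certificate requirements listed in the prerequisites above (key size, x509 v3, SubjectAltName, key usages, and CA:TRUE plus Certificate Sign for root certificates) can be checked with openssl before a file is handed to vecs-cli entry create. This is an added example, not VMware's own code; it assumes openssl is on PATH, and the function name and the host psc01.example.com are hypothetical.

```shell
#!/bin/sh
# Added example (not VMware's code): check a PEM certificate from an enterprise
# CA against the requirements listed in this chapter before loading it into VECS.
# Usage: check_custom_cert CERT_FILE EXPECTED_FQDN [root]
#   Pass "root" as the third argument for a root CA certificate, which must
#   additionally carry CA:TRUE and the Certificate Sign key usage.
check_custom_cert() {
  cert="$1"; fqdn="$2"; kind="${3:-leaf}"; failures=0
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
    echo "$cert: not a readable PEM certificate" >&2; return 1; }
  fail() { echo "$cert: $1" >&2; failures=$((failures + 1)); }

  # x509 version 3 is printed by openssl as "Version: 3 (0x2)"
  printf '%s\n' "$text" | grep -q 'Version: 3 ' || fail "not an X.509 v3 certificate"

  # RSA key size of at least 2048 bits ("Public-Key: (2048 bit)")
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || fail "key size ${bits:-unknown} is below 2048 bits"

  # SubjectAltName must carry the machine FQDN as a DNS name; openssl prints the
  # names on the line after the extension header.
  printf '%s\n' "$text" | grep -A 1 'Subject Alternative Name' \
    | grep -qE "DNS:$fqdn(,|$)" || fail "SubjectAltName lacks DNS:$fqdn"

  # Required key usages, again on the line after the header
  usage=$(printf '%s\n' "$text" | grep -A 1 'X509v3 Key Usage' | tail -n 1)
  for u in 'Digital Signature' 'Non Repudiation' 'Key Encipherment'; do
    case "$usage" in *"$u"*) ;; *) fail "missing key usage: $u" ;; esac
  done

  # Extra requirements for a root certificate
  if [ "$kind" = root ]; then
    printf '%s\n' "$text" | grep -A 1 'Basic Constraints' | grep -q 'CA:TRUE' \
      || fail "root certificate lacks CA:TRUE"
    case "$usage" in *"Certificate Sign"*) ;; *) fail "root certificate lacks Certificate Sign" ;; esac
  fi
  [ "$failures" -eq 0 ]
}
```

Every failed requirement is reported on stderr and the function returns non-zero, so it can gate a replacement script before the vecs-cli step runs.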
Procedure
1 Stop all services and start the services that handle certificate creation, propagation, and storage.
service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmca
2 Find the name for each solution user.
dir-cli service list
You can use the unique ID that is returned when you replace the certificates. The input and output might look as follows.
C:\Program Files\VMware\vCenter Server\vmafdd
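The solution user IDs returned by dir-cli service list (step 2 here, and step 4a of the solution user replacement procedure earlier) must be passed verbatim to dir-cli service update. The following added example, which is not VMware's own code, resolves an ID from captured list output so that it is not retyped by hand; the sample output is constructed around the ID suffix shown earlier in this chapter, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not VMware's own code. "dir-cli service list" prints one
# numbered line per solution user, e.g. "4. vsphere-webclient-<id suffix>".
# The full ID is what "dir-cli service update --name" expects, so resolve it
# from the captured list output. The match is anchored on "<name>-<hex>" so
# that "vpxd" cannot resolve to "vpxd-extension".

# solution_user_id NAME LIST_OUTPUT -> prints the full ID, or nothing if absent
solution_user_id() {
  name="$1"
  list_output="$2"
  printf '%s\n' "$list_output" \
    | sed -n "s/^[0-9][0-9]*\.[[:space:]]*\($name-[0-9a-f]\{8\}-[0-9a-f-]*\)[[:space:]]*$/\1/p" \
    | head -n 1
}

# update_solution_user_cert NAME CERT_FILE LIST_OUTPUT
# Prints the dir-cli command that would be run; replace "echo" with the real
# dir-cli path (see the CLI locations table in this chapter) to apply it.
update_solution_user_cert() {
  name="$1"; cert="$2"; list_output="$3"
  id=$(solution_user_id "$name" "$list_output")
  if [ -z "$id" ]; then
    echo "no solution user named '$name' in dir-cli service list output" >&2
    return 1
  fi
  echo dir-cli service update --name "$id" --cert "$cert"
}

# Constructed sample output, using the ID suffix shown in this chapter.
SAMPLE_LIST='1. machine-6fd7f140-60a9-11e4-9e28-005056895a69
2. vpxd-6fd7f140-60a9-11e4-9e28-005056895a69
3. vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69
4. vsphere-webclient-6fd7f140-60a9-11e4-9e28-005056895a69'

update_solution_user_cert vsphere-webclient new-vsphere-webclient.crt "$SAMPLE_LIST"
```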
Replace the VMware Directory Service Certificate in Mixed Mode Environments
During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. For that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
Managing Services and Certificates With CLI Commands 4 A set of CLIs allows you to manage VMCA (VMware Certificate Authority), VECS (VMware Endpoint Certificate Store), and VMware Directory Service (vmdir). The vSphere Certificate Manager utility supports many related tasks as well, but the CLIs are required for manual certificate management and for managing other services. Table 4‑1.
VCENTER_INSTALL_PATH\bin\service-control
Linux
/usr/lib/vmware-vmafd/bin/vecs-cli
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
/opt/vmware/bin
On Linux, the service-control command does not require that you specify the path. If you run commands from a vCenter Server system with an external Platform Services Controller, you can specify the Platform Services Controller with the --server parameter.
n initscr
n getdc
n waitVMDIR
n waitVMCA
n genkey
n viewcert
Changing the certool Configuration Options
When you run certool --gencert or certain other certificate initialization or management commands, the command reads all the values from a configuration file. You can edit the existing file, override the default configuration file with the --config= option, or override values on the command line. The configuration file, certool.
Specify --Name to replace the CN field of the Subject name of the certificate.
n For solution user certificates, the name is @ by convention, but you can change the name if a different convention is used in your environment.
n For machine SSL certificates, the FQDN of the machine is used. VMCA allows only one DNSName (in the Hostname field) and no other Alias options.
Option Description
--selfca Required for generating a self-signed certificate.
--predate Allows you to set the Valid Not Before field of the root certificate to the specified number of minutes before the current time. This option can be helpful to account for potential time zone issues. The maximum is three days.
--config Optional name of the configuration file. Defaults to certool.cfg.
Option Description
--server Optional name of the VMCA server. By default, the command uses localhost.
--port Optional port number. Defaults to port 389.
Example: certool --getdc
certool --waitVMDIR
Wait until the VMware Directory Service is running or until the timeout specified by --wait has elapsed. Use this option in conjunction with other options to schedule certain tasks, for example returning the default domain name.
Option Description
--server Optional name of the VMCA server. By default, the command uses localhost.
Example: certool --publish-roots
certool Management Commands Reference
The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.
certool --genkey
Generates a private and public key pair. Those files can then be used to generate a certificate that is signed by VMCA.
Option Description
--config Optional name of the configuration file. Defaults to certool.cfg.
--server Optional name of the VMCA server. By default, the command uses localhost.
Example: certool --gencert --privkey= --cert=
certool --getrootca
Prints the current root CA certificate in human-readable form.
Option Description
--enumcert Required for listing all certificates.
--filter [all | active] Required filter. Specify all or active. The revoked and expired options are not currently supported.
Example: certool --enumcert --filter=active
certool --status
Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.
vecs-cli Command Reference
The vecs-cli command set allows you to manage instances of VMware Certificate Store (VECS). Use these commands together with dir-cli and certool to manage your certificate infrastructure and other Platform Services Controller services.
vecs-cli store create
Creates a certificate store.
Option Description
--name Name of the certificate store.
vecs-cli store list
Lists certificate stores.
Option Description
--server Used to specify a server name if you connect to a remote VECS instance.
--upn User Principal Name that is used to log in to the server instance specified by --server. When you create a store, it is created in the context of the current user. Therefore, the owner of the store is the current user context and not always the root user.
Table 4‑2. Stores in VECS (Continued)
Store Description
Solution user stores VECS includes one store for each solution user. The subject of each solution user certificate must be unique, for example, the machine certificate cannot have the same subject as the vpxd certificate.
n machine
n vpxd
n vpxd-extensions
n vsphere-webclient
Solution user certificates are used for authentication with vCenter Single Sign-On.
vecs-cli store permissions
Grants or revokes permissions to the store. Use either the --grant or the --revoke option. The owner of the store can perform all operations, including granting and revoking permissions. The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default, has all privileges on all stores, including granting and revoking permissions.
Option Description
--server Used to specify a server name if you connect to a remote VECS instance.
--upn User Principal Name that is used to log in to the server instance specified by --server. When you create a store, it is created in the context of the current user. Therefore, the owner of the store is the current user context and not always the root user.
Option Description
--text Displays a human-readable version of the key.
--server Used to specify a server name if you connect to a remote VECS instance.
--upn User Principal Name that is used to log in to the server instance specified by --server. When you create a store, it is created in the context of the current user. Therefore, the owner of the store is the current user context and not always the root user.
dir-cli Command Reference
The dir-cli utility supports creation and updates to solution users, account management, and management of certificates and passwords in VMware Directory Service (vmdir). You can also use dir-cli to manage and query the domain functional level of Platform Services Controller instances.
dir-cli nodes list
Lists all vCenter Server systems for the specified Platform Services Controller instance.
Option Description
--level Level for the Platform Services Controller. Use 2 to explicitly set the level after an upgrade, for example, because you want to use Platform Services Controller high availability.
--login The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password Password of the administrator user. If you do not specify the password, you are prompted.
Option Description
--login The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password Password of the administrator user. If you do not specify the password, you are prompted.
--live-dc-hostname Current name of the Platform Services Controller instance.
dir-cli service create
Creates a solution user. Primarily used by third-party solutions.
Option Description
--name Name of the solution user to delete.
--login The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password Password of the administrator user. If you do not specify the password, you are prompted.
dir-cli service update
Updates the certificate for a specified solution user, that is, collection of services.
Option Description
--account Name of the vCenter Single Sign-On user to delete.
--password-never-expires Set this option to true if you are creating a user account for automated tasks that have to authenticate to Platform Services Controller, and you want to ensure that the tasks do not stop running because of password expiration. Use this option with care.
dir-cli group modify
Adds a user or group to an already existing group.
Option Description
--name Name of the group in vmdir.
--add Name of the user or group to add.
--login The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password Password of the administrator user. If you do not specify the password, you are prompted.
dir-cli trustedcert publish
Publishes a trusted root certificate to vmdir.
Option Description
--cert Path to certificate file.
--crl This option is not supported by VMCA.
--login The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password Password of the administrator user. If you do not specify the password, you are prompted.
dir-cli trustedcert list
Lists all trusted root certificates and their corresponding IDs. You need the certificate IDs to retrieve a certificate with dir-cli trustedcert get.
Option Description
--login The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password Password of the administrator user. If you do not specify the password, you are prompted.
Option Description
--account Name of the account to assign a new password to.
--new New password for the specified user.
--login The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password Password of the administrator user. If you do not specify the password, you are prompted.
dir-cli password change
Allows a user to change their password.
Troubleshooting Platform Services Controller 5 The following topics provide a starting point for troubleshooting Platform Services Controller. Search this documentation center and the VMware Knowledge Base system for additional pointers.
3 Within the log file, search for the following messages. The log file contains output from all installation attempts. Locate the last message that shows Initializing registration provider...
Message Cause and solution
java.net.ConnectException: Connection timed out: connect The IP address is incorrect, a firewall is blocking access to vCenter Single Sign-On, or vCenter Single Sign-On is overloaded.
Cause
Users use their user name and password to log in to the default domain. For all other domains, users must include the domain name (user@domain or DOMAIN\user). If you are using the vCenter Server Appliance, other problems might exist.
Solution
For all vCenter Single Sign-On deployments, you can change the default identity source. After that change, users can log in to the default identity source with user name and password only.
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
my-controller.my-ad.com (...) IN A controller IP address
...
# dig -x
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
IP-in-reverse.in-addr.arpa. (...) IN PTR my-controller.my-ad.com
...
VMware Directory Service Replication Can Take a Long Time
If your environment includes multiple Platform Services Controller instances, and if one of the Platform Services Controller instances becomes unavailable, your environment continues to function. When the Platform Services Controller becomes available again, user data and other information are usually replicated within 60 seconds.
Procedure
1 From a Web browser, connect to the Platform Services Controller management interface at https://platform_services_controller_ip:5480
2 Log in as the root user for the virtual appliance.
3 Click Create support bundle.
4 Unless browser settings prevent an immediate download, the support bundle is saved to your local machine.
Platform Services Controller Service Logs Reference
The Platform Services Controller services use syslog for logging.