Platform Services Controller Administration
17 APR 2018
VMware vSphere 6.7
VMware ESXi 6.7
vCenter Server 6.

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2009–2018 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents
About Platform Services Controller Administration 5
1 Getting Started with Platform Services Controller 7
  vCenter Server and Platform Services Controller Deployment Types 7
  Deployment Topologies with External Platform Services Controller Instances and High Availability 11
  Understanding vSphere Domains, Domain Names, and Sites 13
  Platform Services Controller Capabilities 14
  Managing Platform Services Controller Services 15
  Managing the Platform Services Controller Appliance 19
2 vSphere
Unable to Log In Using Active Directory Domain Authentication 170
vCenter Server Login Fails Because the User Account Is Locked
VMware Directory Service Replication Can Take a Long Time
About Platform Services Controller Administration
The Platform Services Controller Administration documentation explains how the VMware® Platform Services Controller™ fits into your vSphere environment and helps you perform common tasks such as certificate management and vCenter Single Sign-On configuration. Platform Services Controller Administration explains how you can set up authentication with vCenter Single Sign-On and how to manage certificates for vCenter Server and related services.
Table 1.

In addition to these documents, VMware publishes a Hardening Guide for each release of vSphere, accessible at http://www.vmware.com/security/hardening-guides.html. The Hardening Guide is a spreadsheet with entries for different potential security issues. It includes items for three different risk profiles.

Intended Audience
This information is intended for administrators who want to configure Platform Services Controller and associated services.

1 Getting Started with Platform Services Controller
The Platform Services Controller provides common infrastructure services to the vSphere environment. Services include licensing, certificate management, and authentication with vCenter Single Sign-On.
Table 1-1. vCenter Server and Platform Services Controller Deployment Types
Deployment Type: vCenter Server with an embedded Platform Services Controller
Description: All services that are bundled with the Platform Services Controller are deployed together with the vCenter Server services on the same virtual machine or physical server.

You can configure the vCenter Server Appliance with an embedded Platform Services Controller in vCenter High Availability configuration. For information, see vSphere Availability.
Note: After you deploy or install vCenter Server with an embedded Platform Services Controller, you can reconfigure the deployment type and switch to vCenter Server with an external Platform Services Controller.

For information about the Platform Services Controller and vCenter Server maximums, see the Configuration Maximums documentation. For information about configuring the vCenter Server Appliance with an external Platform Services Controller in vCenter High Availability configuration, see vSphere Availability.
Deployment Topologies with External Platform Services Controller Instances and High Availability
To ensure Platform Services Controller high availability in external deployments, you must install or deploy at least two joined Platform Services Controller instances in your vCenter Single Sign-On domain. When you use a third-party load balancer, you can ensure an automatic failover without downtime.

Platform Services Controller with a Load Balancer
Figure 1-5.

Platform Services Controller with Load Balancers Across vCenter Single Sign-On Sites
Figure 1-6.

When a Platform Services Controller instance stops responding, you must manually fail over the vCenter Server instances that are registered to it. You fail over the instances by repointing them to other functional Platform Services Controller instances within the same site. For information about how to repoint vCenter Server instances to another external Platform Services Controller, see vCenter Server Installation and Setup.
Platform Services Controller Domain
When you install a Platform Services Controller, you are prompted to create a vCenter Single Sign-On domain or join an existing domain. The domain name is used by the VMware Directory Service (vmdir) for all Lightweight Directory Access Protocol (LDAP) internal structuring. With vSphere 6.0 and later, you can give your vSphere domain a unique name.

Deployment Models
You can install Platform Services Controller on a Windows system or deploy the Platform Services Controller appliance. The deployment model depends on the version of Platform Services Controller that you are using. See vCenter Server and Platform Services Controller Deployment Types.

Table 1-3. Platform Services Controller Services
Service: applmgmt
Description: Handles appliance configuration and provides public API endpoints for appliance lifecycle management. Included on the Platform Services Controller appliance.

Table 1-3. Platform Services Controller Services (Continued)
Service: vmdird (VMware Directory Service)
Description: Provides a multitenant, multimastered LDAP directory service that stores authentication, certificate, lookup, and license information. Do not update data in vmdird by using an LDAP browser.
- Two-factor authentication such as Common Access Card authentication
- Login banner

Procedure
1 Log in to a vCenter Server associated with the Platform Services Controller as a user with administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by default).
2 Select Administration and click the item that you want to manage.
Option: Single Sign-On. Description: Configure vCenter Single Sign-On.
Option: Licensing. Description: Set policies.

Procedure
1 Log in to the Platform Services Controller shell. In most cases, you have to be the root or Administrator user. See Required Privileges for Running CLIs for details.
2 Access a CLI at one of the following default locations. The required privileges depend on the task that you want to perform. In some cases, you are prompted for the password twice to safeguard sensitive information.
Windows: C:\Program Files\VMware\vCenter Server\vmafdd\vecscli.

Manage the Appliance with the Platform Services Controller Virtual Appliance Management Interface
In an environment with an external Platform Services Controller, you can use the Platform Services Controller virtual appliance management interface (VAMI) to configure the appliance system settings. Settings include time synchronization, network settings, and SSH login settings.

3 Log in as root with the password that you set when you initially deployed the appliance. If you changed the root password, use the new password.

Add a Platform Services Controller Appliance to an Active Directory Domain
If you want to add an Active Directory identity source to Platform Services Controller, you must join the Platform Services Controller appliance to an Active Directory domain.
2 vSphere Authentication with vCenter Single Sign-On
vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. When a user can authenticate to vCenter Single Sign-On, that user receives a SAML token. Going forward, the user can use the SAML token to authenticate to vCenter services. The user can then perform the actions that the user has privileges for.

Understanding vCenter Single Sign-On
To effectively manage vCenter Single Sign-On, you need to understand the underlying architecture and how it affects installation and upgrades.
vCenter Single Sign-On 6.0 Domains and Sites (http://link.brightcove.

2 The vSphere Client passes the login information to the vCenter Single Sign-On service, which checks the SAML token of the vSphere Client. If the vSphere Client has a valid token, vCenter Single Sign-On then checks whether the user is in the configured identity source (for example Active Directory).
- If only the user name is used, vCenter Single Sign-On checks in the default domain.
- If a domain name is included with the user name (DOMAIN\user1 or user1@

3 If the certificate is valid, vCenter Single Sign-On assigns a SAML token (bearer token) to the solution user. The token is signed by vCenter Single Sign-On.
4 The solution user is then redirected to vCenter Single Sign-On and can perform tasks based on its permissions.
5 The next time the solution user has to authenticate, it can use the SAML token to log in to vCenter Server.
change the vSphere domain when you install vCenter Server or deploy the vCenter Server Appliance with a new Platform Services Controller. Do not give the domain the same name as your Microsoft Active Directory or OpenLDAP domain.

VMware Directory Service (vmdir)
The VMware Directory service (vmdir) is associated with the domain you specify during installation and is included in each embedded deployment and on each Platform Services Controller.

Platform Services Controller for better performance. The vCenter Single Sign-On service on each Platform Services Controller synchronizes authentication data with all other instances. The precise number depends on how heavily the vCenter Server instances are being used and on other factors. For detailed information about the deployment models, the advantages and disadvantages of each deployment type, see vCenter Server Installation and Setup.

All users that can authenticate to vCenter Single Sign-On can reset their password, even if the password has expired, as long as they know the password. See Change Your vCenter Single Sign-On Password. Only vCenter Single Sign-On administrators can reset the password for users who no longer have their password.

- Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the default domain can log in to vCenter Server but must specify the domain in one of the following ways.
  - Including a domain name prefix, for example, MYDOMAIN\user1
  - Including the domain, for example, user1@mydomain.com
- Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server.

Table 2-1. Groups in the vsphere.local Domain (Continued)
Privilege: CAAdmins. Description: Members of the CAAdmins group have administrator privileges for VMCA. Do not add members to this group unless you have compelling reasons.
Privilege: DCAdmins. Description: Members of the DCAdmins group can perform Domain Controller Administrator actions on VMware Directory Service. Note: Do not manage the domain controller directly.

- Identity Sources for vCenter Server with vCenter Single Sign-On
  You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for users and groups that the vCenter Single Sign-On server can use for user authentication.
- Set the Default Domain for vCenter Single Sign-On
  Each vCenter Single Sign-On identity source is associated with a domain.

- Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources. This identity source type is included for compatibility with the vCenter Single Sign-On service included with vSphere 5.1. Shown as Active Directory as an LDAP Server in the vSphere Client.
- OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity sources. Shown as OpenLDAP in the vSphere Client.
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group. If you specified a different domain during installation, log in as administrator@mydomain.
3 Navigate to the Configuration UI.
  a From the Home menu, select Administration.
  b Under Single Sign On, click Configuration.
4 Click Identity Sources, select an identity source, and click Set as Default.

4 Click Identity Sources, and click Add Identity Source.
5 Select the identity source and enter the identity source settings.
Option: Active Directory (Integrated Windows Authentication). Description: Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option. See Active Directory Identity Source Settings.

- For a vCenter Server Appliance, follow the instructions in the vCenter Server Appliance Configuration documentation.
Note: Active Directory (Integrated Windows Authentication) always uses the root of the Active Directory domain forest. To configure your Integrated Windows Authentication identity source with a child domain within your Active Directory forest, see VMware Knowledge Base article 2070433.
Select Use machine account to speed up configuration.

Table 2-3. Active Directory as an LDAP Server and OpenLDAP Settings
Name: Name of the identity source.
Base DN for users: Base Distinguished Name for users.
Base DN for groups: The base Distinguished Name for groups.
Domain name: The FQDN of the domain.
Domain alias: For Active Directory identity sources, the domain's NetBIOS name.

- If you are using vSphere 6.0 and earlier, verify that the Client Integration Plug-in is installed.
- If you are using vSphere 6.5 and later, verify that the Enhanced Authentication Plug-In is installed. See vCenter Server Installation and Setup.
Procedure
1 Navigate to the vSphere Client login page.
2 Select the Use Windows session authentication check box.
3 Log in using the Active Directory user name and password.

Specifying a Nondefault Authentication Method
Administrators can set up a nondefault authentication method from the vSphere Client, or by using the sso-config script.
- For smart card authentication, you can perform the vCenter Single Sign-On setup from the vSphere Client or by using sso-config. Setup includes enabling smart card authentication and configuring certificate revocation policies.

4 If the certificate is known, and is not a revoked certificate, the user is authenticated and can then perform tasks that the user has permissions for.
Note: It usually makes sense to leave user name and password authentication enabled during testing. After testing is complete, disable user name and password authentication and enable smart card authentication. Subsequently, the vSphere Client and the vSphere Web Client allow only smart card login.
2 Create a trusted client CA store. This store contains the trusted issuing CA certificates for the client certificate. The client here is the browser from which the smart card process prompts the end user for information. The following example shows how you create a certificate store on the Platform Services Controller appliance.
For a single certificate:
cd /usr/lib/vmware-sso/
openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.

5 Restart the service.
Appliance: /usr/lib/vmware-vmon/vmon-cli --restart rhttpproxy
Windows: Restart the operating system, or restart the VMware HTTP Reverse Proxy by following these steps:
  a Open an elevated command prompt.
  b Run the following commands:
  cd C:\Program Files\VMware\vCenter Server\bin
  service-control --stop vmware-rhttpproxy
  service-control --start vmware-rhttpproxy

Use the Command Line to Manage Smart Card Authentication
You

If you use OCSP for revocation check, you can rely on the default OCSP specified in the smart card certificate AIA extension. You can also override the default and configure one or more alternative OCSP responders. For example, you can set up OCSP responders that are local to the vCenter Single Sign-On site to process the revocation check request.
Note: If your certificate does not have OCSP defined, enable CRL (certificate revocation list) instead.

Procedure
1 Obtain the certificates and copy them to a folder that the sso-config utility can see.
Windows: Log in to the Platform Services Controller Windows installation and use WinSCP or a similar utility to copy the files.
Appliance:
  a Log in to the appliance console, either directly or by using SSH.
  b Enable the appliance shell, as follows.

5 (Optional) Turn on and configure revocation checking using OCSP.
  a Turn on revocation checking using OCSP.
  sso-config.[bat|sh] -set_authn_policy -t tenantName -useOcsp true
  b If the OCSP responder link is not provided by the AIA extension of the certificates, provide the overriding OCSP responder URL and OCSP authority certificate. The alternative OCSP is configured for each vCenter Single Sign-On site.
Manage Smart Card Authentication
You can enable and disable smart card authentication, customize the login banner, and set up the revocation policy from the vSphere Client. If smart card authentication is enabled and other authentication methods are disabled, users are then required to log in using smart card authentication. If user name and password authentication are disabled, and if problems occur with smart card authentication, users cannot log in.

- Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then perform management tasks because they can authenticate and they have vCenter Server administrator privileges.
Note: The administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, cannot perform smart card authentication.
- Set up the reverse proxy and restart the physical or virtual machine.

7 Under the Trusted CA certificates tab, click Add, and click Browse.
8 Select all certificates from trusted CAs, and click ADD.
What to do next
Your environment might require enhanced OCSP configuration.
- If your OCSP response is issued by a different CA than the signing CA of the smart card, provide the OCSP signing CA certificate.

- If revocation checking is enabled, advanced users can specify the following additional settings.
OCSP URL: By default, vCenter Single Sign-On checks the location of the OCSP responder that is defined in the certificate being validated. If the Authority Information Access extension is absent from the certificate or if you want to override it, you can explicitly specify a location.

3 Navigate to the Configuration UI.
  a From the Home menu, select Administration.
  b Under Single Sign On, click Configuration.
4 Click Smart Card Authentication.
5 Click Certificate revocation and click Edit to enable or disable revocation checking.
6 If certificate policies are in effect in your environment, you can add a policy in the Certificate policies pane.
Procedure
1 Change to the directory where the sso-config script is located.
Windows: C:\Program Files\VMware\VCenter server\VMware Identity Services
Appliance: /opt/vmware/bin
2 To enable RSA SecurID authentication, run the following command.
sso-config.[sh|bat] -t tenantName -set_authn_policy -securIDAuthn true
tenantName is the name of the vCenter Single Sign-On domain, vsphere.local by default.

6 (Optional) If your identity source is not using the User Principal Name as the user ID, set up the identity source userID attribute. The userID attribute determines which LDAP attribute is used as the RSA userID.
sso-config.[sh|bat] -set_rsa_userid_attr_map [-t tenantName] [-idsName Name] [-ldapAttr AttrName] [-siteID Location]
For example:
sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName ssolabs.

Consent checkbox: Toggle on Consent checkbox to require that the user clicks a check box before logging in. You can also display a message without a check box.
Details of login message: Message that the user sees when clicking the login message, for example, the text of the terms and conditions. If you use explicit consent, the message is required.
6 Click Save.

Prerequisites
The target service must fully support the SAML 2.0 standard and the SP metadata must have the SPSSODescriptor element. If the metadata does not follow the SAML 2.0 metadata schema precisely, you might have to edit the metadata before you import it. For example, if you are using an Active Directory Federation Services (ADFS) SAML service provider, you have to edit the metadata before you can import it.

Users present their primary credentials to the STS interface to acquire SAML tokens. The primary credential depends on the type of user.
User: User name and password available in a vCenter Single Sign-On identity source.
Application user: Valid certificate.
STS authenticates the user based on the primary credentials, and constructs a SAML token that contains user attributes.

Prerequisites
Copy the certificate that you just added to the Java keystore from the Platform Services Controller to your local workstation.
Platform Services Controller appliance: certificate_location/keys/root-trust.jks, for example /root/newsts/keys/root-trust.jks
Windows installation: certificate_location\root-trust.jks, for example C:\Program Files\VMware\vCenter Server\jre\bin\roottrust.
Generate a New STS Signing Certificate on the Appliance
Because the vCenter Single Sign-On Security Token Service (STS) signing certificate is an internal VMware certificate, do not replace it unless your company mandates the replacement of internal certificates. If you want to replace the default STS signing certificate, you must generate a new certificate and add it to the Java key store.

4 Generate the key.
/usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --pubkey=/root/newsts/sts.pub
5 Generate the certificate.
/usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --privkey=/root/newsts/sts.key --config=/root/newsts/certool.cfg
6 Convert the certificate to PKCS12 format.
openssl pkcs12 -export -in /root/newsts/newsts.cer -inkey /root/newsts/sts.

Procedure
1 Create a new directory to hold the new certificate.
cd C:\ProgramData\VMware\vCenterServer\cfg\sso\keys\
mkdir newsts
cd newsts
2 Make a copy of the certool.cfg file and place it in the new directory.
copy "C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg" .
3 Open your copy of the certool.cfg file and edit it to use the local Platform Services Controller IP address and hostname. The country is required and has to be two characters.

7 Add the certificate to the Java key store (JKS).
"C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe" -v -importkeystore -srckeystore newsts.p12 -srcstoretype pkcs12 -srcstorepass changeme -srcalias newstssigning -destkeystore roottrust.jks -deststoretype JKS -deststorepass testpassword -destkeypass testpassword
"C:\Program Files\VMware\vCenter Server\jre\bin\keytool.exe" -v -importcert -keystore roottrust.
Edit the vCenter Single Sign-On Password Policy
The vCenter Single Sign-On password policy determines the password format and password expiration. Password policy applies only to users in the vCenter Single Sign-On domain (vsphere.local or vmc.local). By default, vCenter Single Sign-On passwords expire after 90 days. The vSphere Web Client reminds you when your password is about to expire.
Character requirements: Minimum number of different character types that are required in the password. You can specify the number of each type of character, as follows:
- Special: & # %
- Alphabetic: A b c D
- Uppercase: A B C
- Lowercase: a b c
- Numeric: 1 2 3
The minimum number of alphabetic characters must be no less than the combined uppercase and lowercase characters. Non-ASCII characters are supported in passwords.
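As an added example (not code from the VMware documentation), the following Go program models the character-requirement options above as a policy, validates the policy itself against the rule that the alphabetic minimum must be no less than the uppercase plus lowercase minimums, and checks candidate passwords by Unicode character class so that non-ASCII letters count. The type and field names, the sample policy and the sample passwords are this example's own.

```go
package main

import (
	"fmt"
	"unicode"
)

// PasswordPolicy holds the character-requirement settings described above.
// The field names are this example's own, not vCenter Single Sign-On API names.
type PasswordPolicy struct {
	MinLength  int // minimum total length (0 = not enforced)
	Special    int // minimum special (non-alphanumeric) characters
	Alphabetic int // minimum alphabetic characters of any case
	Uppercase  int // minimum uppercase characters
	Lowercase  int // minimum lowercase characters
	Numeric    int // minimum numeric characters
}

// ValidatePolicy enforces the rule stated in the policy editor: the alphabetic
// minimum must be no less than the uppercase and lowercase minimums combined.
// Without this rule a policy could demand more cased letters than letters.
func ValidatePolicy(p PasswordPolicy) error {
	if p.Alphabetic < p.Uppercase+p.Lowercase {
		return fmt.Errorf("alphabetic minimum %d is less than uppercase+lowercase minimum %d",
			p.Alphabetic, p.Uppercase+p.Lowercase)
	}
	return nil
}

// CheckPassword returns the requirements that the candidate password fails.
// An empty result means the password satisfies the policy. Characters are
// classified with the unicode package, so non-ASCII letters and digits count
// toward the alphabetic and numeric minimums, as the policy allows.
func CheckPassword(p PasswordPolicy, password string) []string {
	var total, special, letters, upper, lower, digits int
	for _, r := range password {
		total++
		switch {
		case unicode.IsUpper(r):
			upper++
			letters++
		case unicode.IsLower(r):
			lower++
			letters++
		case unicode.IsLetter(r): // letters from caseless scripts are still alphabetic
			letters++
		case unicode.IsDigit(r):
			digits++
		default:
			special++
		}
	}

	var fails []string
	check := func(name string, have, want int) {
		if have < want {
			fails = append(fails, fmt.Sprintf("%s: %d present, %d required", name, have, want))
		}
	}
	check("length", total, p.MinLength)
	check("special", special, p.Special)
	check("alphabetic", letters, p.Alphabetic)
	check("uppercase", upper, p.Uppercase)
	check("lowercase", lower, p.Lowercase)
	check("numeric", digits, p.Numeric)
	return fails
}

func main() {
	// Constructed policy and candidate passwords for demonstration.
	policy := PasswordPolicy{MinLength: 8, Special: 1, Alphabetic: 2, Uppercase: 1, Lowercase: 1, Numeric: 1}
	if err := ValidatePolicy(policy); err != nil {
		fmt.Println("bad policy:", err)
		return
	}
	for _, pw := range []string{"Passw0rd!", "password", "Pässw0rd!"} {
		fmt.Printf("%q -> %v\n", pw, CheckPassword(policy, pw))
	}
}
```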
5 Edit the parameters.
Description: Optional description of the lockout policy.
Maximum number of failed login attempts: Maximum number of failed login attempts that are allowed before the account is locked.
Time interval between failures: Time period in which failed login attempts must occur to trigger a lockout.
Unlock time: Amount of time that the account remains locked.
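To show how the three lockout parameters above interact, here is an added Go example (not VMware code) that tracks failed logins per account: failures older than the time interval are discarded, a burst that reaches the maximum within the interval locks the account, and logins are refused until the unlock time has passed. The type names, the sample policy and the timestamps are constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// LockoutPolicy holds the three lockout parameters described above.
// Field names are this example's own, not vCenter Single Sign-On API names.
type LockoutPolicy struct {
	MaxFailedAttempts int           // failures allowed before the account is locked
	FailureInterval   time.Duration // window in which the failures must occur
	UnlockTime        time.Duration // how long the account stays locked
}

// AccountState is a constructed in-memory record of one account's failures.
type AccountState struct {
	failures    []time.Time // timestamps of failed attempts still inside the window
	lockedUntil time.Time   // zero value means the account is not locked
}

// IsLocked reports whether the account is locked at the given instant.
func (a *AccountState) IsLocked(now time.Time) bool {
	return now.Before(a.lockedUntil)
}

// RecordFailure registers a failed login at now and reports whether the
// account is locked afterwards. Failures older than FailureInterval are
// discarded first, so only MaxFailedAttempts failures inside the interval
// trigger the lockout, as "time interval between failures" describes.
func (a *AccountState) RecordFailure(p LockoutPolicy, now time.Time) bool {
	if a.IsLocked(now) {
		return true
	}
	recent := a.failures[:0]
	for _, t := range a.failures {
		if now.Sub(t) <= p.FailureInterval {
			recent = append(recent, t)
		}
	}
	a.failures = append(recent, now)
	if len(a.failures) >= p.MaxFailedAttempts {
		a.lockedUntil = now.Add(p.UnlockTime)
		a.failures = nil
		return true
	}
	return false
}

// RecordSuccess registers a correct password at now. It is refused while the
// account is locked (the unlock time must elapse first); otherwise the
// failure history is cleared.
func (a *AccountState) RecordSuccess(now time.Time) bool {
	if a.IsLocked(now) {
		return false
	}
	a.failures = nil
	a.lockedUntil = time.Time{}
	return true
}

func main() {
	// Constructed timeline: three failures within two minutes lock the account.
	policy := LockoutPolicy{MaxFailedAttempts: 3, FailureInterval: 2 * time.Minute, UnlockTime: 5 * time.Minute}
	t0 := time.Date(2018, 4, 17, 12, 0, 0, 0, time.UTC)
	var acct AccountState
	for _, offset := range []time.Duration{0, 30 * time.Second, 60 * time.Second} {
		fmt.Printf("failure at +%v locked=%v\n", offset, acct.RecordFailure(policy, t0.Add(offset)))
	}
	fmt.Println("login at +3m accepted:", acct.RecordSuccess(t0.Add(3*time.Minute)))
	fmt.Println("login at +6m accepted:", acct.RecordSuccess(t0.Add(6*time.Minute)))
}
```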
Maximum Bearer Token Lifetime: Bearer tokens provide authentication based only on possession of the token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the identity of the user or entity that is sending the request. This value specifies the lifetime value of a bearer token before the token has to be reissued.

- Add Members to a vCenter Single Sign-On Group
  Members of a vCenter Single Sign-On group can be users or other groups from one or more identity sources. You can add new members from the vSphere Web Client.
- Remove Members from a vCenter Single Sign-On Group
  You can remove members from a vCenter Single Sign-On group by using the vSphere Client. When you remove a member (user or group) from a group, you do not delete the member from the system.

7 (Optional) Type the first name and last name of the new user.
8 (Optional) Enter an email address and description for the user.
9 Click OK.
When you add a user, that user initially has no privileges to perform management operations.
What to do next
Add the user to a group in the vsphere.local domain, for example, to the group of users who can administer VMCA (CAAdmins) or to the group of users who can administer vCenter Single Sign-On (Administrators).

Delete a vCenter Single Sign-On User
You can delete users that are in the vsphere.local domain from a vCenter Single Sign-On management interface. You cannot delete local operating system users or users in another domain from a vCenter Single Sign-On management interface.
Caution: If you delete the administrator user in the vsphere.local domain, you can no longer log in to vCenter Single Sign-On. Reinstall vCenter Server and its components.
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group. If you specified a different domain during installation, log in as administrator@mydomain.
3 Navigate to the vCenter Single Sign-On user configuration UI.
  a From the Home menu, select Administration.
  b Under Single Sign On, click Users and Groups.
4 Click Users.
5 Click the vertical ellipsis icon and select Edit.

What to do next
- Add members to the group.

Add Members to a vCenter Single Sign-On Group
Members of a vCenter Single Sign-On group can be users or other groups from one or more identity sources. You can add new members from the vSphere Web Client. See VMware Knowledge Base article 2095342 for background information. Groups listed on the Groups tab in the Web interface are part of the vsphere.local domain. See Groups in the vCenter Single Sign-On Domain.

3 Navigate to the vCenter Single Sign-On user configuration UI.
  a From the Home menu, select Administration.
  b Under Single Sign On, click Users and Groups.
4 Select Groups and click a group.
5 In the list of group members, select the user or group that you want to remove and click the vertical ellipsis icon.
6 Click Remove Member.
7 Click Remove.
The user is removed from the group, but is still available in the system.

The services associated with the solution user no longer have access to vCenter Server and cannot function as vCenter Server services.

Change Your vCenter Single Sign-On Password
Users in the local domain, vsphere.local by default, can change their vCenter Single Sign-On passwords from a Web interface. Users in other domains change their passwords following the rules for that domain.

The vSphere authentication infrastructure enhances security in your vSphere environment. To make sure that infrastructure is not compromised, follow vCenter Single Sign-On best practices.
Check password expiration: The default vCenter Single Sign-On password policy has a password lifetime of 90 days. After 90 days, the password expires and you can no longer log in. Check the expiration and refresh passwords in a timely fashion.
3 vSphere Security Certificates
vSphere provides security by using certificates to encrypt communications, authenticate services, and sign tokens. vSphere uses certificates to:
- Encrypt communications between two nodes, such as vCenter Server and an ESXi host.
- Authenticate vSphere services.
- Perform internal actions such as signing tokens.
vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for vCenter Server and ESXi.

VMware does not recommend replacing either solution user certificates or STS certificates, nor using a subordinate CA in place of the VMCA. If you choose either of these options, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk.
Platform Services Controller Administration n SubjectAltName must contain DNS Name=machine_FQDN n CRT format n Contains the following Key Usages: Digital Signature, Key Encipherment. n Client Authentication and Server Authentication cannot be present under Enhanced Key Usage. VMCA does not support the following certificates. n Certificates with wildcards n The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4, and sha1WithRSAEncryption 1.2.840.
- Organization name
- Organization unit
- State
- Locality
- IP address (optional)
- Email
- Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
Certificate Type: Root certificate
Certificate Requirements:
- You can use vSphere Certificate Manager to create the CSR. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA).
- If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements.
  - Key size: 2048 bits or more
  - PEM format. VMware supports PKCS8 and PKCS1 (RSA keys).
Certificate Type: Machine SSL certificate
Certificate Requirements: The machine SSL certificate on each node must have a separate certificate from your third-party or enterprise CA.
- You can generate the CSRs using vSphere Certificate Manager or create the CSR manually. The CSR must meet the requirements listed previously under Requirements for All Imported Certificates.
Administrators Who Do Not Replace VMware Certificates
VMCA can handle all certificate management. VMCA provisions vCenter Server components and ESXi hosts with certificates that use VMCA as the root certificate authority. If you are upgrading to vSphere 6 from an earlier version of vSphere, all self-signed certificates are replaced with certificates that are signed by VMCA.
You can no longer use the vSphere 5.5 certificate replacement tool, which was available for vSphere 5.5 installations. The new architecture results in a different service distribution and placement. A new command-line utility, vSphere Certificate Manager, is available for most certificate management tasks.

vSphere Certificate Interfaces
For vCenter Server, you can view and replace certificates with the following tools and interfaces. Table 3‑3.
You can replace the default certificates. For vCenter Server components, you can use a set of command-line tools included in your installation. You have several options.

Replace With Certificates Signed by VMCA
If your VMCA certificate expires or you want to replace it for other reasons, you can use the certificate management CLIs to perform that process.
Figure 3‑2.
You can use the following vSphere Certificate Manager options:
- Replace Machine SSL Certificate with Custom Certificate
- Replace Solution User Certificates with Custom Certificates
For manual certificate replacement, see Use Custom Certificates With vSphere.

Hybrid Deployment
You can have VMCA supply some of the certificates, but use custom certificates for other parts of your infrastructure.
Table 3‑5. Certificates in vSphere 6.0 and Later (Continued)
Certificate: vCenter Single Sign-On SSL signing certificate
Provisioned: during installation.
Comments: Manage this certificate from the vSphere Web Client.

Certificate: VMware Directory Service (VMDIR) SSL certificate
Provisioned: during installation.
Comments: Note Do not change this certificate in the filesystem or unpredictable behavior results. Starting with vSphere 6.
The following solution user certificate stores are included in VECS on each management node and each embedded deployment:
- machine: Used by component manager, license server, and the logging service.
  Note The machine solution user certificate has nothing to do with the machine SSL certificate. The machine solution user certificate is used for the SAML token exchange. The machine SSL certificate is used for secure SSL connections for a machine.
VMCA and VMware Core Identity Services
Core identity services are part of every embedded deployment and every platform services node. VMCA is part of every VMware core identity services group. Use the management CLIs and the vSphere Web Client to interact with these services. VMware core identity services include several components. Table 3‑6.
Table 3‑7. Stores in VECS
Store: Machine SSL store (MACHINE_SSL_CERT)
Description:
- Used by the reverse proxy service on every vSphere node.
- Used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.
All services in vSphere 6.0 and later communicate through a reverse proxy, which uses the machine SSL certificate. For backward compatibility, the 5.x services still use specific ports.
Table 3‑7. Stores in VECS (Continued)
Store: vSphere Certificate Manager Utility backup store (BACKUP_STORE)
Description: Used by VMCA (VMware Certificate Manager) to support certificate revert. Only the most recent state is stored as a backup; you cannot go back more than one step.

Store: Other stores
Description: Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store.
Certificate Replacement in High Availability Environments That Include a Load Balancer
In environments with fewer than eight vCenter Server systems, VMware typically recommends a single Platform Services Controller instance and associated vCenter Single Sign-On service. In larger environments, consider using multiple Platform Services Controller instances, protected by a network load balancer. The white paper vCenter Server 6.
Replacement of Solution User Certificates in Environments with Multiple Management Nodes
If your environment includes multiple management nodes and a single Platform Services Controller, follow these steps for certificate replacement.
Note When you list solution user certificates in large deployments, the output of dir-cli list includes all solution users from all nodes.
Certificate Replacement in Environments That Include External Solutions
Some solutions, such as VMware vCenter Site Recovery Manager or VMware vSphere Replication, are always installed on a different machine than the vCenter Server system or Platform Services Controller.
You can use one of the following workflows to renew or replace certificates.
Renew Certificates: You can have VMCA renew SSL and solution user certificates in your environment from the vSphere Client.
Make VMCA an Intermediate CA: You can generate a CSR using the vSphere Certificate Manager utility. You can then edit the certificate you receive from the CSR to add VMCA to the chain, and then add the certificate chain and private key to your environment.
3 Navigate to the Certificate Management UI.
  a From the Home menu, select Administration.
  b Under Certificates, click Certificate Management.
4 Enter the credentials of your vCenter Server.
5 Explore the certificates stored inside the VMware Endpoint Certificate Store (VECS). VMware Endpoint Certificate Store Overview explains what is in the individual stores.
6 To view details for a certificate, select the certificate and click View Details.
6 (Optional) Renew the Solution User certificates for the local system.
  a Under Solution Certificates, select a certificate.
  b Click Actions > Renew to renew individual selected certificates, or click Renew All to renew all solution user certificates. A message appears that the certificate is renewed.
7 If your environment includes an external Platform Services Controller, you can then renew the certificates for each vCenter Server system.
Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs) that you can then use with your enterprise CA or send to an external certificate authority. You can use the certificates with the different supported certificate replacement processes. You can run the Certificate Manager tool from the command line as follows:
Windows Linux C:\Program
What to do next
Perform certificate replacement.

Add a Trusted Root Certificate to the Certificate Store
If you want to use third-party certificates in your environment, you must add a trusted root certificate to the certificate store.
Prerequisites
Obtain the custom root certificate from your third-party or in-house CA.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
Procedure
1 Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group. If you specified a different domain during installation, log in as administrator@mydomain.
3 Log in as an administrator.
4 Navigate to the Certificate Management UI.
Managing Certificates from the vSphere Web Client
You can explore certificates from the vSphere Web Client, and you can set the threshold for expiration warnings. Perform all other management tasks from the vSphere Client. See Managing Certificates with the vSphere Client.
Set the Threshold for vCenter Certificate Expiration Warnings
Starting with vSphere 6.0, vCenter Server monitors all certificates in the VMware Endpoint Certificate Store (VECS) and issues an alarm when a certificate is 30 days or less from its expiration. You can change how soon you are warned with the vpxd.cert.threshold advanced option.
Procedure
1 Log in to the vSphere Web Client.
2 Select the vCenter Server object and click Configure.
2 Regenerate a New VMCA Root Certificate and Replace All Certificates
You can regenerate the VMCA root certificate and replace the local machine SSL certificate and the local solution user certificates with VMCA-signed certificates.
Make VMCA an Intermediate Certificate Authority
To make VMCA an intermediate CA, you have to run Certificate Manager several times. The workflow gives the complete set of steps for replacing both machine SSL certificates and solution user certificates. It explains what to do in environments with embedded Platform Services Controller or external Platform Services Controller.
Regenerate a New VMCA Root Certificate and Replace All Certificates
You can regenerate the VMCA root certificate and replace the local machine SSL certificate and the local solution user certificates with VMCA-signed certificates.
3 Respond to the prompts. Certificate Manager generates a new VMCA root certificate based on your input and replaces all certificates on the system where you are running Certificate Manager. If you use an embedded deployment, the replacement process is complete after Certificate Manager has restarted the services.
4 If your environment includes an external Platform Services Controller, you have to replace certificates on each vCenter Server system.
To make VMCA an intermediate CA, you have to run Certificate Manager several times. The workflow gives the complete set of steps for replacing both machine SSL certificates and solution user certificates. It explains what to do in environments with embedded Platform Services Controller or external Platform Services Controller.
1 To generate a CSR, select Option 1, Replace Machine SSL certificate with Custom Certificate, then Option 1.
Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs). Submit those CSRs to your enterprise CA or to an external certificate authority for signing. You can use the signed certificates with the different supported certificate replacement processes.
- You can use vSphere Certificate Manager to create the CSR.
3 Select Option 1 to generate the CSR and answer the prompts. As part of the process, you have to provide a directory. Certificate Manager places the certificate to be signed (*.csr file) and the corresponding key file (*.key file) in the directory.
4 Name the certificate signing request (CSR) root_signing_cert.csr.
5 Send the CSR to your enterprise or external CA for signing and name the resulting signed certificate root_signing_cert.cer.
- Valid custom certificate for Root (.crt file).
- Valid custom key for Root (.key file).
Procedure
1 Start vSphere Certificate Manager on an embedded installation or on an external Platform Services Controller and select option 2.
2 Select option 2 again to start certificate replacement and respond to the prompts.
  a Specify the full path to the root certificate when prompted.
- Organization unit
- State
- Locality
- IP address (optional)
- Email
- Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
- You must know the following information to run Certificate Manager with this option.
  - Password for administrator@vsphere.local.
  - Host name or IP address of the Platform Services Controller if you are running on a vCenter Server system with an external Platform Services Controller.
Procedure
1 Start vSphere Certificate Manager and select option 6.
2 Respond to the prompts. See VMware Knowledge Base article https://kb.vmware.
Procedure
1 Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs) that you can then use with your enterprise CA or send to an external certificate authority. You can use the certificates with the different supported certificate replacement processes.
Procedure
1 On each machine in your environment, start vSphere Certificate Manager and select option 1.
2 Supply the password and the Platform Services Controller IP address or host name if prompted.
3 Select option 1 to generate the CSR, answer the prompts, and exit Certificate Manager. As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files in the directory.
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Note Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any custom certificates. See also VMware Knowledge Base article 2112014, Obtaining vSphere certificates from a Microsoft Certificate Authority.
Procedure
1 Start vSphere Certificate Manager and select option 1.
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root certificate of enterprise or external CA
-----END CERTIFICATE-----
Prerequisites
Before you start, you need a CSR for each machine in your environment. You can generate the CSR using vSphere Certificate Manager or explicitly.
1 To generate the CSR using vSphere Certificate Manager, see Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates).
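The requirements listed for imported certificates (key size, X.509 v3, a SubjectAltName that carries the machine FQDN, the Digital Signature and Key Encipherment key usages, no Server or Client Authentication in Enhanced Key Usage, no wildcards, no md2/md5/sha1 signatures, no CRL Distribution Points or Authority Information Access) and the leaf-then-root chain layout shown above can both be checked before anything is imported into VECS. The script below is an added example, not VMware's code and not part of this guide; it assumes a POSIX shell with the openssl CLI, and the CA, the host name vcsa01.example.internal and every certificate it inspects are constructed inside the script.

```shell
#!/bin/sh
# Added example, not VMware's code: checks a PEM certificate against the
# requirements this guide lists for imported certificates, and checks that a
# chain file is ordered leaf, intermediate(s), root as shown above.
# Assumes a POSIX shell and the openssl CLI; every certificate and the host
# name vcsa01.example.internal are constructed here for the demonstration.
FQDN=vcsa01.example.internal
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Prints the line after the first line of $1 that contains $2, which is where
# "openssl x509 -text" puts the value of an X509v3 extension.
ext_value() {
    printf '%s\n' "$1" | awk -v key="$2" 'f { print; exit } index($0, key) { f = 1 }'
}

# Returns 0 if certificate $1 meets the requirements for the machine with
# FQDN $2; every failed requirement is reported on stderr.
check_cert_requirements() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    rc=0
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "key size ${bits:-?} is below 2048 bits" >&2; rc=1; }
    printf '%s\n' "$txt" | grep -q 'Version: 3' || { echo "not an X.509 v3 certificate" >&2; rc=1; }
    case "$(printf '%s\n' "$txt" | grep 'Signature Algorithm' | head -n 1)" in
        *md2*|*md5*|*sha1*) echo "md2, md5 and sha1 signatures are not supported" >&2; rc=1 ;;
    esac
    san=$(ext_value "$txt" 'Subject Alternative Name')
    case "$san" in
        *"DNS:$2"*) ;;
        *) echo "SubjectAltName must contain DNS Name=$2" >&2; rc=1 ;;
    esac
    case "$san$(openssl x509 -in "$1" -noout -subject)" in
        *'*'*) echo "wildcard certificates are not supported" >&2; rc=1 ;;
    esac
    case "$(ext_value "$txt" 'X509v3 Key Usage')" in
        *'Digital Signature'*'Key Encipherment'*) ;;
        *) echo "Key Usage must contain Digital Signature and Key Encipherment" >&2; rc=1 ;;
    esac
    case "$(ext_value "$txt" 'Extended Key Usage')" in
        *Authentication*) echo "Enhanced Key Usage must not contain Server or Client Authentication" >&2; rc=1 ;;
    esac
    for ext in 'CRL Distribution Points' 'Authority Information Access'; do
        if printf '%s\n' "$txt" | grep -q "$ext"; then echo "remove the $ext extension" >&2; rc=1; fi
    done
    return $rc
}

# Returns 0 if chain file $1 lists the leaf first, then each issuing CA in
# order, ending with the root, and the leaf verifies against that root.
check_chain_order() {
    n=$(awk '/BEGIN CERTIFICATE/ { n++ } END { print n + 0 }' "$1")
    [ "$n" -ge 2 ] || { echo "chain must contain at least the leaf and the root" >&2; return 1; }
    awk -v dir="$WORK" '/BEGIN CERTIFICATE/ { i++ } { print > (dir "/part" i ".pem") }' "$1"
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$WORK/part$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$WORK/part$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || { echo "certificate $i was not issued by certificate $((i + 1))" >&2; return 1; }
        i=$((i + 1))
    done
    set -- -CAfile "$WORK/part$n.pem"   # the last certificate must be the trusted root
    i=2
    while [ "$i" -lt "$n" ]; do set -- "$@" -untrusted "$WORK/part$i.pem"; i=$((i + 1)); done
    openssl verify "$@" "$WORK/part1.pem" >/dev/null
}

# Constructed test material: a root CA, an issuing CA (the position VMCA holds
# as an intermediate CA), a compliant machine SSL certificate and a
# non-compliant one (wildcard name, Server and Client Authentication in EKU).
make_test_certs() (
    cd "$WORK" || exit 1
    for name in root inter good bad; do
        case "$name" in
            root) subj='/CN=Example Root CA' ;;
            inter) subj='/CN=Example Issuing CA' ;;
            good) subj="/CN=$FQDN" ;;
            bad) subj='/CN=*.example.internal' ;;
        esac
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key" 2>/dev/null
        openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
    done
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' "$FQDN" > good.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > bad.ext
    printf 'subjectAltName=DNS:*.example.internal\nextendedKeyUsage=serverAuth,clientAuth\n' >> bad.ext
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
    openssl x509 -req -in good.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 -extfile good.ext -out good.crt 2>/dev/null
    openssl x509 -req -in bad.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 -extfile bad.ext -out bad.crt 2>/dev/null
    cat good.crt inter.crt root.crt > chain-ok.pem     # leaf, intermediate, root: the layout shown above
    cat good.crt root.crt inter.crt > chain-wrong.pem  # root and intermediate swapped
)

make_test_certs
for cert in good bad; do
    check_cert_requirements "$WORK/$cert.crt" "$FQDN" && echo "$cert.crt: meets the requirements" || echo "$cert.crt: rejected"
done
check_chain_order "$WORK/chain-ok.pem" && echo "chain-ok.pem: order verified"
check_chain_order "$WORK/chain-wrong.pem" || echo "chain-wrong.pem: rejected"
```

To check a real certificate and chain before importing them, call check_cert_requirements with the certificate and the node's FQDN, and check_chain_order with the concatenated chain file.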
Revert Last Performed Operation by Republishing Old Certificates
When you perform a certificate management operation by using vSphere Certificate Manager, the current certificate state is stored in the BACKUP_STORE store in VECS before certificates are replaced. You can revert the last performed operation and return to the previous state.
Note The revert operation restores what is currently in the BACKUP_STORE.
Follow these rules of thumb.
- Do not stop services to generate new public/private key pairs or new certificates.
- If you are the only administrator, you do not have to stop services when you add a new root certificate. The old root certificate remains available, and all services can still authenticate with that certificate. Stop and immediately restart all services after you add the root certificate to avoid problems with your hosts.
4 Replace the VMware Directory Service Certificate in Mixed Mode Environments
During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. For that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
The command updates all instances of vmdir immediately. If you don't run the command, propagation of the new certificate to all nodes might take a while.
5 Restart all services.
service-control --start --all

Example: Generate a New VMCA-Signed Root Certificate
The following example shows all the steps for verifying the current root CA information, and for regenerating the root certificate.
3 Generate a new VMCA root certificate. The command adds the certificate to the TRUSTED_ROOTS store in VECS and in vmdir (VMware Directory Service).
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --selfca --config="C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg"
On Windows, --config is optional because the command uses the default certool.cfg file.
4 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
2 Generate a key pair for the machine SSL certificate. Run this command on each management node and Platform Services Controller node; it does not require a --server option.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=ssl-key.priv --pubkey=ssl-key.pub
The ssl-key.priv and ssl-key.pub files are created in the current directory.
3 Generate the new machine SSL certificate. This certificate is signed by VMCA.
5 Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values have to exactly match the default names.
- On the Platform Services Controller, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
C:\>"C:\Program Files\VMware\vCenter Server\vmaf
Prerequisites
Be prepared to stop all services and to start the services that handle certificate propagation and storage.
Procedure
1 Make one copy of certool.cfg, remove the Name, IP address, DNS name, and email fields, and rename the file, for example, to sol_usr.cfg. You can name the certificates from the command line as part of generation. The other information is not needed for solution users.
4 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
  b (Optional) For deployments with an external Platform Services Controller, generate a key pair for the machine solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=machine-key.priv --pubkey=machine-key.pub
  c Generate a key pair for the vpxd solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=vpxd-key.priv --pubkey=vpxd-key.
  d Generate a certificate for the vpxd-extensions solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd-extension.crt --privkey=vpxd-extension-key.priv --Name=vpxd-extension --server=
  e Generate a certificate for the vsphere-webclient solution user on each management node by running the following command.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --ce
  e Replace the vsphere-webclient solution user certificate on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store vsphere-webclient --alias vsphere-webclient
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store vsphere-webclient --alias vsphere-webclient --cert new-vsphere-webclient.crt --key vsphere-webclient-key.
  e Replace the vpxd-extension solution user certificate in vmdir on each management node. For example, if vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd-extension solution user ID, run this command:
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vpxd-extension.crt
  f Replace the vsphere-webclient solution user certificate on each management node.
Procedure
1 On the node on which the vCenter Single Sign-On 5.5 service runs, set up the environment so the vCenter Single Sign-On 6.x service is known.
  a Back up all files in C:\ProgramData\VMware\CIS\cfg\vmdird.
  b Make a copy of the vmdircert.pem file on the 6.x node, and rename it to .pem, where is the FQDN of the 6.x node.
  c Copy the renamed certificate to C:\ProgramData\VMware\CIS\cfg\vmdird to replace the exi
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- If you are using custom certificates, the CA extension must be set to true for root certificates, and cert sign must be in the list of requirements.
- CRL signing must be enabled.
- Enhanced Key Usage must not contain Client Authentication or Server Authentication.
3 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
Example: Replacing the Root Certificate
Replace the VMCA root certificate with the custom CA root certificate using the certool command with the --rootca option.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\certool" --rootca --cert=C:\custom-certs\root.pem --privkey=C:\custom-certs\root.key
When you run this command, it:
- Adds the new custom root certificate to the certificate location in the file system.
3 Generate a public/private key file pair and a certificate for each machine, passing in the configuration file that you just customized. For example:
certool --genkey --privkey=machine1.priv --pubkey=machine1.pub
certool --gencert --privkey=machine1.priv --cert machine42.crt --Name=Machine42_Cert --config machine1.cfg
4 Stop all services and start the services that handle certificate creation, propagation, and storage.
Example: Replacing Machine SSL Certificates (VMCA is Intermediate CA)
1 Create a configuration file for the SSL certificate and save it as ssl-config.cfg in the current directory.
Country = US
Name = vmca-
Organization = VMware
OrgUnit = VMware Engineering
State = California
Locality = Palo Alto
Hostname =
2 Generate a key pair for the machine SSL certificate.
- Sample output on vCenter Server:
output (on vCenter):
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
sms
5 Replace the Machine SSL certificate in VECS with the new Machine SSL certificate. The --store and --alias values have to exactly match the default names.
- On the Platform Services Controller, run the following command to update the Machine SSL certificate in the MACHINE_SSL_CERT store.
C:\>"C:\Progr
You replace the machine solution user certificate on each management node and on each Platform Services Controller node. You replace the other solution user certificates only on each management node. Use the --server parameter to point to the Platform Services Controller when you run commands on a management node with an external Platform Services Controller.
4 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
  b (Optional) For deployments with an external Platform Services Controller, generate a key pair for the machine solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=machine-key.priv --pubkey=machine-key.pub
  c Generate a key pair for the vpxd solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --genkey --privkey=vpxd-key.priv --pubkey=vpxd-key.
  d Generate a certificate for the vpxd-extensions solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd-extension.crt --privkey=vpxd-extension-key.priv --Name=vpxd-extension --server=
  e Generate a certificate for the vsphere-webclient solution user on each management node by running the following command.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --ce
  e Replace the vsphere-webclient solution user certificate on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store vsphere-webclient --alias vsphere-webclient
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store vsphere-webclient --alias vsphere-webclient --cert new-vsphere-webclient.crt --key vsphere-webclient-key.
  e Replace the vpxd-extension solution user certificate in vmdir on each management node. For example, if vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 is the vpxd-extension solution user ID, run this command:
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"dir-cli service update --name vpxd-extension-6fd7f140-60a9-11e4-9e28-005056895a69 --cert new-vpxd-extension.crt
  f Replace the vsphere-webclient solution user certificate on each management node.
2 Restart the VMware Directory Service on all machines where you replaced certificates. You can restart the service from the vSphere Web Client or use the service-control command.

Use Custom Certificates With vSphere
If company policy requires it, you can replace some or all certificates used in vSphere with certificates that are signed by a third-party or enterprise CA. If you do that, VMCA is not in your certificate chain.
Prerequisites
The certificate must meet the following requirements:
- Key size: 2048 bits or more (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
- x509 version 3
- For root certificates, the CA extension must be set to true, and the cert sign must be in the list of requirements.
3 Stop all services and start the services that handle certificate creation, propagation, and storage. The service names differ on Windows and the vCenter Server Appliance.
Note If your environment uses an external Platform Services Controller, you do not have to stop and start VMware Directory Service (vmdird) and VMware Certificate Authority (vmcad) on the vCenter Server node. Those services run on the Platform Services Controller.
- Valid custom certificate for Root (.crt file).
- If you are running the command on a vCenter Server with external Platform Services Controller in a multi-node deployment, IP address of the Platform Services Controller.
Prerequisites
You must have received a certificate for each machine from your third-party or enterprise CA.
Example: Replace Machine SSL Certificates with Custom Certificates
You can replace the machine SSL certificate on each node the same way.
1 First, delete the existing certificate in VECS.
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
2 Next, add the replacement certificate.
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT -
- Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment
Procedure
1 Stop all services and start the services that handle certificate creation, propagation, and storage.
service-control --stop --all
service-control --start vmafdd
service-control --start vmdird
service-control --start vmca
2 Find the name for each solution user.
Replace the VMware Directory Service Certificate in Mixed Mode Environments
During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.x. For that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
4 Managing Services and Certificates with CLI Commands
A set of CLIs allows you to manage VMCA (VMware Certificate Authority), VECS (VMware Endpoint Certificate Store), and VMware Directory Service (vmdir). The vSphere Certificate Manager utility supports many related tasks as well, but the CLIs are required for manual certificate management and for managing other services. You normally access the CLI tools for managing certificates and associated services by using SSH to connect to the appliance shell.
Windows
C:\Program Files\VMware\vCenter Server\vmcad\certool.exe
C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config
VCENTER_INSTALL_PATH\bin\service-control
Linux
/usr/lib/vmware-vmafd/bin/vecs-cli
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
/opt/vmware/bin
On Linux, the service-control command does not require that you specify the path.
The MACHINE_SSL_CERT and TRUSTED_ROOTS stores are special stores. Only the root user or administrator user, depending on the type of installation, has complete access. Most of the certool commands require that the user is in the certool Administrators group. All users can run the following commands.
- certool --gencert --config C:\Temp\myconfig.cfg
- Override individual values on the command line. For example, to override Locality, run this command:
certool --gencert --privkey=private.key --Locality="Mountain View"
Specify --Name to replace the CN field of the Subject name of the certificate.
certool --selfca
Creates a self-signed certificate and provisions the VMCA server with a self-signed root CA. Using this option is one of the simplest ways to provision the VMCA server. You can instead provision the VMCA server with a third-party root certificate so that VMCA is an intermediate CA. See Use VMCA as an Intermediate Certificate Authority. This command generates a certificate that is predated by three days to avoid time zone conflicts.
certool --getdc
Returns the default domain name that is used by vmdir.
Option / Description
--server   Optional name of the VMCA server. By default, the command uses localhost.
--port   Optional port number. Defaults to port 389.
Example: certool --getdc
certool --waitVMDIR
Wait until the VMware Directory Service is running or until the timeout specified by --wait has elapsed.
certool --publish-roots
Forces an update of root certificates. This command requires administrative privileges.
Option / Description
--server   Optional name of the VMCA server. By default, the command uses localhost.
Example: certool --publish-roots
certool Management Commands Reference
The certool management commands allow you to view, generate, and revoke certificates and to view information about certificates.
Option / Description
--privkey   Name of the private key file. This file must be in PEM encoded format.
--config   Optional name of the configuration file. Defaults to certool.cfg.
--server   Optional name of the VMCA server. By default, the command uses localhost.
Example: certool --gencert --privkey= --cert=
certool --getrootca
Prints the current root CA certificate in human-readable form.
Option / Description
--enumcert   Required for listing all certificates.
--filter [all | active]   Required filter. Specify all or active. The revoked and expired options are not currently supported.
Example: certool --enumcert --filter=active
certool --status
Sends a specified certificate to the VMCA server to check whether the certificate has been revoked. Prints Certificate: REVOKED if the certificate is revoked, and Certificate: ACTIVE otherwise.
vecs-cli Command Reference
The vecs-cli command set allows you to manage instances of VMware Certificate Store (VECS). Use these commands together with dir-cli and certool to manage your certificate infrastructure and other Platform Services Controller services.
vecs-cli store create
Creates a certificate store.
Option / Description
--name   Name of the certificate store.
vecs-cli store list
Lists certificate stores.
Option / Description
--server   Used to specify a server name if you connect to a remote VECS instance.
--upn   User Principal Name that is used to log in to the server instance specified by --server. When you create a store, it is created in the context of the current user. Therefore, the owner of the store is the current user context and not always the root user.
Table 4-2. Stores in VECS (Continued)
Store / Description
Solution user stores   VECS includes one store for each solution user. The subject of each solution user certificate must be unique, for example, the machine certificate cannot have the same subject as the vpxd certificate.
- machine
- vpxd
- vpxd-extension
- vsphere-webclient
Solution user certificates are used for authentication with vCenter Single Sign-On.
vecs-cli store permissions
Grants or revokes permissions to the store. Use either the --grant or the --revoke option. The owner of the store can perform all operations, including granting and revoking permissions. The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default, has all privileges on all stores, including granting and revoking permissions.
Option / Description
--server   Used to specify a server name if you connect to a remote VECS instance.
--upn   User Principal Name that is used to log in to the server instance specified by --server. When you create a store, it is created in the context of the current user. Therefore, the owner of the store is the current user context and not always the root user.
Option / Description
--text   Displays a human-readable version of the key.
--server   Used to specify a server name if you connect to a remote VECS instance.
--upn   User Principal Name that is used to log in to the server instance specified by --server. When you create a store, it is created in the context of the current user. Therefore, the owner of the store is the current user context and not always the root user.
dir-cli Command Reference
The dir-cli utility supports creation and updates to solution users, account management, and management of certificates and passwords in VMware Directory Service (vmdir). You can also use dir-cli to manage and query the domain functional level of Platform Services Controller instances.
dir-cli nodes list
Lists all vCenter Server systems for the specified Platform Services Controller instance.
Option / Description
--ssoadminrole   Makes the solution user a member of the ActAsUser group. The ActAsUser role enables users to act on behalf of other users.
--login   The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password   Password of the administrator user. If you do not specify the password, you are prompted.
dir-cli user create
Creates a regular user inside vmdir. This command can be used for human users who authenticate to vCenter Single Sign-On with a user name and password. Use this command only during prototyping.
Option / Description
--account   Name of the vCenter Single Sign-On user to create.
--user-password   Initial password for the user.
--first-name   First name for the user.
--last-name   Last name for the user.
dir-cli user find-by-name
Finds a user inside vmdir by name. The information that this command returns depends on what you specify in the --level option.
Option / Description
--account   Name of the vCenter Single Sign-On user to find.
dir-cli ssogroup create
Creates a group inside the local domain (vsphere.local by default). Use this command if you want to create groups to manage user permissions for the vCenter Single Sign-On domain. For example, if you create a group and then add it to the Administrators group of the vCenter Single Sign-On domain, then all users that you add to that group have administrator permissions for the domain.
Option / Description
--password   Password of the administrator user. If you do not specify the password, you are prompted.
--chain   Specify this option if you are publishing a chained certificate. No option value is needed.
dir-cli trustedcert unpublish
Unpublishes a trusted root certificate currently in vmdir.
dir-cli password create
Creates a random password that meets the password requirements. This command can be used by third-party solution users.
Option / Description
--login   The administrator of the local vCenter Single Sign-On domain, administrator@vsphere.local by default.
--password   Password of the administrator user. If you do not specify the password, you are prompted.
5 Troubleshooting Platform Services Controller
The following topics provide a starting point for troubleshooting Platform Services Controller. Search this documentation center and the VMware Knowledge Base system for additional pointers.
3 Within the log file, search for the following messages. The log file contains output from all installation attempts. Locate the last message that shows Initializing registration provider...
Message / Cause and solution
java.net.ConnectException: Connection timed out: connect   The IP address is incorrect, a firewall is blocking access to vCenter Single Sign-On, or vCenter Single Sign-On is overloaded.
Cause
Users use their user name and password to log in to the default domain. For all other domains, users must include the domain name (user@domain or DOMAIN\user). If you are using the vCenter Server Appliance, other problems might exist.
Solution
For all vCenter Single Sign-On deployments, you can change the default identity source. After that change, users can log in to the default identity source with user name and password only.
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
my-controller.my-ad.com (...) IN A controller IP address
...
# dig -x
The relevant addresses are in the answer section, as in the following example:
;; ANSWER SECTION:
IP-in-reverse.in-addr.arpa. (...) IN PTR my-controller.my-ad.com
...
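As an added example that is not part of the VMware document, the following Python checker parses the answer sections of the forward and reverse dig output described above and verifies that the domain controller's A record and the PTR record for that address agree, which is the consistency the Active Directory join depends on. The host name my-controller.my-ad.com is taken from the text; the dig output and the 192.0.2.10 address are constructed.

```python
import ipaddress

# Constructed dig output (not from the VMware document); the address is from the documentation range.
FORWARD_DIG = """
; <<>> DiG 9.16.1 <<>> my-controller.my-ad.com
;; ANSWER SECTION:
my-controller.my-ad.com. 3600  IN      A       192.0.2.10
"""
REVERSE_DIG = """
;; ANSWER SECTION:
10.2.0.192.in-addr.arpa. 3600  IN      PTR     my-controller.my-ad.com.
"""
# A PTR that names a different host than the forward record: one cause of the join failures above.
MISMATCHED_REVERSE_DIG = """
;; ANSWER SECTION:
10.2.0.192.in-addr.arpa. 3600  IN      PTR     old-controller.my-ad.com.
"""

def parse_answer_section(dig_output):
    """Return (owner, rrtype, rdata) tuples from the ';; ANSWER SECTION:' block of dig output."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break  # a blank line or the next section ends the answer block
            fields = line.split()  # owner ttl class type rdata
            if len(fields) >= 5 and fields[2] == "IN":
                records.append((fields[0].rstrip(".").lower(), fields[3], fields[4].rstrip(".").lower()))
    return records

def check_controller_dns(hostname, forward_output, reverse_output):
    """Verify the controller's A record(s) and matching PTR record(s) agree; returns (ok, problems)."""
    host = hostname.rstrip(".").lower()
    a_records = [r for r in parse_answer_section(forward_output) if r[0] == host and r[1] == "A"]
    if not a_records:
        return False, ["no A record for %s in the forward lookup" % host]
    ptrs = {r[0]: r[2] for r in parse_answer_section(reverse_output) if r[1] == "PTR"}
    problems = []
    for _, _, ip in a_records:
        rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
        if rev not in ptrs:
            problems.append("no PTR record for %s (%s)" % (ip, rev))
        elif ptrs[rev] != host:
            problems.append("PTR for %s names %s, expected %s" % (ip, ptrs[rev], host))
    return (not problems), problems
```

Feed it the captured output of dig for the controller name and dig -x for the returned address; any entry in the problems list is something to fix in DNS before retrying the identity source configuration.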
VMware Directory Service Replication Can Take a Long Time
If your environment includes multiple Platform Services Controller instances, and if one of the Platform Services Controller instances becomes unavailable, your environment continues to function. When the Platform Services Controller becomes available again, user data and other information are usually replicated within 60 seconds.
Procedure
1 From a Web browser, connect to the Platform Services Controller management interface at https://platform_services_controller_ip:5480
2 Log in as the root user for the virtual appliance.
3 From the Actions menu, select Create Support Bundle.
4 Unless browser settings prevent an immediate download, the support bundle is saved to your local machine.