Configuring CA signed SSL certificates for vCenter Server SSO in vCenter Server 5.1 (2035011)
Purpose
This article guides you through the configuration of Certificate Authority (CA) certificates for the vCenter SSO service on vSphere 5.1. VMware has released a tool to automate much of the described process below. Please see Deploying and using the SSL Certificate Automation tool (2041600) before following the steps in the article.
In the case that you are unable to use the tool this article helps you eliminate common causes for problems during certificate implementation, including configuration steps and details, and helps avoid common misconfigurations in the implementation of custom certificates in your environment.
Note: This article is specifically for vSphere 5.1. If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).
Resolution
Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.1 (2034833) before following the steps in this article.
Creating CA-signed certificates for vSphere is a complex task, but many organizations require it to meet their security and regulatory requirements. Several distinct workflows are required for a successful implementation:
- Creating the certificate request
- Getting the certificate
- Installation and configuration of the certificate for Single Sign on
These steps must be followed to ensure successful implementation of a custom certificate for vCenter server. Before attempting these steps ensure that:
- You have a vSphere 5.1 environment
- vCenter Server SSO has been installed and all of its components are configured
- You have completed the steps in Creating certificate requests and certificates for the vCenter 5.1 components (2037432).
Note: Generating the certificates and supporting files is covered in that article; this article covers installing and configuring them for SSO.
Installation and configuration of the certificate for vCenter SSO
After the certificate has been created, follow these steps to complete the installation and configuration of the certificate.
Note: If you are running vCenter Server in a virtual machine, it is a best practice to take a snapshot before starting this process to ensure that you can revert back to it if necessary. Remember to delete the snapshot after the process is complete.
To replace the vCenter SSO certificates:
- Log in to the vCenter SSO server.
Note: If you followed Creating certificate requests and certificates for the vCenter 5.1 components (2037432), all components are installed on the same server. All files should be located in C:\certs.
- Double-click the c:\certs\Root64.cer file and import the certificate into the Trusted Root Certification Authorities > Local Computer Windows certificate store. This ensures that the issuing certification authority is trusted by the server.
- Create a new directory to store the certificates. In this example, the directory used is C:\ProgramData\VMware\SSOCERTS.
Note: This directory can be configured to whatever you want.
- Copy Root64.cer file to the new directory from c:\certs.
- Copy rui.crt, rui.key, root-trust.jks, server-identity.jks and rui.pfx from c:\certs\sso\ into this new directory.
- Open a command prompt on the system where Single Sign On is installed and run:
SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
- Run this command to list all service entries from the Lookup Service:
<SSO install directory>\ssolscli\ssolscli.cmd listServices <Lookup Service URL>
Where:
- <SSO install directory> is the directory in which SSO is installed (typically C:\Program Files\VMware\Infrastructure\SSOServer\)
- <Lookup Service URL> is https://SSOserver.domain.com:7444/lookupservice/sdk
Note: Be sure to use the Fully Qualified Domain Name (FQDN) for the Lookup Service URL or the command will fail.
The output lists every registered service with its serviceId, type and endpoint (output screenshot omitted).
- Locate these three services. You can identify each one by its type field:
- Group Check (type urn:sso:groupcheck)
- SSO Admin (type urn:sso:admin)
- Security Token Service (STS) (type urn:sso:sts)
- Use a text editor to create a separate properties file for each of the three services, replacing the placeholder values (the SSO server FQDN and the certificate path) where appropriate. The examples below correspond to the three services above. Make sure the uri= URL is correct, or the certificates will not function properly.
Note: This article uses the c:\certs directory for temporary use.
- gc.properties:
[service]
friendlyName=The group check interface of the SSO server
version=1.0
ownerId=
type=urn:sso:groupcheck
description=The group check interface of the SSO server
[endpoint0]
uri=https://SSOserver.domain.com:7444/sso-adminserver/sdk
ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer
protocol=vmomi
- admin.properties:
[service]
friendlyName=The administrative interface of the SSO server
version=1.0
ownerId=
type=urn:sso:admin
description=The administrative interface of the SSO server
[endpoint0]
uri=https://SSOServer.domain.com:7444/sso-adminserver/sdk
ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer
protocol=vmomi
- sts.properties:
[service]
friendlyName=STS for Single Sign On
version=1.0
ownerId=
type=urn:sso:sts
description=The Security Token Service of the Single Sign On server.
[endpoint0]
uri=https://SSOserver.domain.com:7444/ims/STSService
ssl=C:\ProgramData\VMware\SSOCERTS\Root64.cer
protocol=wsTrust
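The script below is an added example, not part of this KB article or of VMware's tooling. It checks a properties file against the type/protocol/uri pairings of the three files above and the FQDN requirement from the listServices note, so that a short host name or a wrong protocol is caught before updateService is run. The sts.properties text and its deliberately broken copy are constructed sample input; the expected port (7444) and the SSO host name passed to the check are assumptions taken from the examples above.

```python
"""Pre-flight check for the ssolscli properties files.

Added example, not part of the VMware KB article. It encodes the
type/protocol/uri pairings shown in gc.properties, admin.properties and
sts.properties above, plus the requirement that the SSO server be named
by its FQDN, and reports mismatches before updateService is run.
"""
import configparser
import ipaddress
from urllib.parse import urlsplit

# service type -> (endpoint protocol, endpoint URI path), from the three
# example files above
EXPECTED = {
    "urn:sso:groupcheck": ("vmomi", "/sso-adminserver/sdk"),
    "urn:sso:admin": ("vmomi", "/sso-adminserver/sdk"),
    "urn:sso:sts": ("wsTrust", "/ims/STSService"),
}


def is_fqdn(host: str) -> bool:
    """True for a dotted host name; IP addresses and short names are rejected."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.split(".")
    return len(labels) >= 2 and all(labels)


def check_properties(text: str, sso_host: str, port: int = 7444) -> list:
    """Return the problems found in one properties file (empty list = OK)."""
    problems = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    for section in ("service", "endpoint0"):
        if section not in cfg:
            problems.append("missing [%s] section" % section)
    if problems:
        return problems

    svc_type = cfg["service"].get("type", "")
    if svc_type not in EXPECTED:
        return ["unknown service type %r" % svc_type]
    protocol, path = EXPECTED[svc_type]

    ep = cfg["endpoint0"]
    if ep.get("protocol") != protocol:
        problems.append("protocol should be %s for %s" % (protocol, svc_type))
    if not ep.get("ssl"):
        problems.append("ssl= must point at the CA root certificate file")

    url = urlsplit(ep.get("uri", ""))
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("uri must use https")
    if not is_fqdn(host):
        problems.append("uri host %r is not a FQDN" % host)
    elif host.lower() != sso_host.lower():
        problems.append("uri host %r does not match SSO server %r" % (host, sso_host))
    if url.port != port:
        problems.append("uri port should be %d" % port)
    if url.path != path:
        problems.append("uri path should be %s for %s" % (path, svc_type))
    return problems


# Constructed sample input: the sts.properties from above, and a broken copy
# with a short host name and the wrong protocol.
GOOD_STS = """[service]
friendlyName=STS for Single Sign On
version=1.0
ownerId=
type=urn:sso:sts
description=The Security Token Service of the Single Sign On server.
[endpoint0]
uri=https://ssoserver.domain.com:7444/ims/STSService
ssl=C:\\ProgramData\\VMware\\SSOCERTS\\Root64.cer
protocol=wsTrust
"""
BAD_STS = (GOOD_STS.replace("ssoserver.domain.com", "ssoserver")
           .replace("protocol=wsTrust", "protocol=vmomi"))

if __name__ == "__main__":
    for label, text in (("good", GOOD_STS), ("bad", BAD_STS)):
        print(label, check_properties(text, "ssoserver.domain.com") or "OK")
```

Run it against each of gc.properties, admin.properties and sts.properties (read the file and pass its text together with the SSO server FQDN); an empty result means the file matches the layout used by the three examples.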
- Locate the service ID for each of the three services in the listServices output generated above. The service ID is in the serviceId field of each service listing.
- Use a text editor to create a separate service ID file for each of the three services, containing only that service's ID. Using the example here, the three service ID files are:
- gc_id:
- admin_id:
- sts_id:
Note: The file must not contain any other data.
- Open the Services applet and stop the vCenter Single Sign On service.
- Navigate to <SSO install directory>\security. By default this is C:\Program Files\VMware\Infrastructure\SSOServer\security.
- Back up the existing root-trust.jks and server-identity.jks.
- Copy the new root-trust.jks and server-identity.jks into this directory, replacing the originals. If you are following this article, the new files are in C:\ProgramData\VMware\SSOCERTS.
- Update Single Sign On with the new keystore using the command:
Note: This command uses the example directory structure used in this article.
<SSO install directory>\utils\ssocli configure-riat -a configure-ssl --keystore-file C:\ProgramData\VMware\SSOCERTS\root-trust.jks --keystore-password testpassword
Where --keystore-file is the path to the JKS file.
Note: Ensure that the JAVA_HOME variable set above (SET JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre) is still in effect in this command prompt.
- You are prompted to enter the master password that was configured during the installation of vCenter SSO. This is the output if the password is correct:
C:\Program Files\VMware\Infrastructure\SSOServer\utils>ssocli configure-riat -a configure-ssl --keystore-file c:\ProgramData\VMware\SSOCERTS\root-trust.jks --keystore-password testpassword
Enter master password: ********
Executing action: 'configure-ssl'
Updating SSL configuration
Successfully executed Action: 'configure-ssl'
C:\Program Files\VMware\Infrastructure\SSOServer\utils>
- Start the vCenter Single Sign On service from the Services applet. You can validate that the new certificate is being served by browsing to https://<ssoserver.domain.com>:7444/sso-adminserver/sdk.
Note: The page itself displays an XML error; this is expected. Check the certificate presented by the site using the browser's certificate viewer.
- Apply the new certificates to the three services with these commands:
- For the STS service, run:
<SSO install directory>\ssolscli\ssolscli.cmd updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u <SSO administrator> -p <SSO administrator password> -si c:\certs\sts_id -ip c:\certs\sts.properties
- For the Group Check service, run:
<SSO install directory>\ssolscli\ssolscli.cmd updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u <SSO administrator> -p <SSO administrator password> -si c:\certs\gc_id -ip c:\certs\gc.properties
- For the Admin service, run:
<SSO install directory>\ssolscli\ssolscli.cmd updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u <SSO administrator> -p <SSO administrator password> -si c:\certs\admin_id -ip c:\certs\admin.properties
Each command ends with a Return code (the screenshot of the STS service output is omitted). If the Return code does not indicate success, the update failed.
Note: The -p option passes the SSO administrator password on the command line, where it is visible in the process list while the command runs.
- Repeat the listServices command above to list the three services again and validate that their endpoints are correct. If you see OperationFailed as a return code, there is a problem with the certificate installation.
- Copy the root certificate from the certification authority to the VMware SSL directory. If you are following this resolution path, you would copy the C:\certs\Root64.cer file to C:\ProgramData\VMware\SSL\. This certificate is the root certificate for the certification authority which is being used.
- Rename the current ca_certificates.crt to ca_certificates.bak.
- Copy and rename Root64.cer to ca_certificates.crt.
- To compute the hash, run:
openssl x509 -subject_hash -noout -in c:\certs\Root64.cer
The command prints an eight-character hexadecimal hash (output screenshot omitted).
Important: The hash must be created with OpenSSL v0.9.8, as this is the version vCenter uses. OpenSSL 1.0.0 and later compute the subject hash with a different algorithm, so their -subject_hash output will not match; on those versions use -subject_hash_old, which produces the 0.9.8-style value.
- Create a file named <hash>.0. In this example, the file is 78835296.0.
- Open Root64.cer in Notepad, copy its contents into the <hash>.0 file and save it.
- Repeat this for any other intermediary certificate authorities. In this example, there is only a single authority, so there is only one file. However if there are intermediate certificate authorities there will be a file for each intermediate authority with the content of the intermediate certificate in the file.
- If using intermediate certificate authorities, you also need to append each certificate authority to the ca_certificates.crt file. To do this run:
more <intermediateCA>.cer >> ca_certificates.crt
Where <intermediateCA> is the certificate for the intermediate CA. Repeat this step for each intermediate CA which is in the certificate chain.
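The script below is an added example, not part of this KB article, showing how the <hash>.0 file names are derived so that you do not depend on having OpenSSL 0.9.8 installed. It parses each certificate in a PEM file or bundle far enough to reach the subject Name and applies the 0.9.8 X509_NAME_hash rule (first four bytes of the MD5 of the DER-encoded Name, read as a little-endian integer), which is the same value `openssl x509 -subject_hash_old` prints on OpenSSL 1.0 and later. It goes slightly beyond the article by handling a bundle of root plus intermediate CAs in one pass. The embedded certificate skeleton with subject CN=Example Root CA is constructed sample data, not a real certificate; the helper names are this example's own.

```python
"""Compute the OpenSSL 0.9.8-style subject hash that names the <hash>.0 files.

Added example, not part of the VMware KB article. It uses only the Python
standard library, so it gives the 0.9.8 value even on a workstation whose
OpenSSL is newer (where -subject_hash uses a different algorithm), and it
handles a PEM bundle containing the root and every intermediate CA.
"""
import base64
import hashlib
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> list:
    """Return the DER bytes of every certificate in a PEM file or bundle."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_CERT.findall(pem)]


def der_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int) -> list:
    """List (tag, elem_start, elem_end) for each element of a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, elem_end = der_tlv(buf, pos)
        out.append((tag, pos, elem_end))
        pos = elem_end
    return out


def subject_der(cert_der: bytes) -> bytes:
    """Return the DER encoding of the certificate's subject Name.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                   signature, issuer, validity, subject, ... }
    """
    _, cert_start, _ = der_tlv(cert_der, 0)
    tbs_tag, tbs_start, tbs_end = der_tlv(cert_der, cert_start)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(cert_der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:  # explicit [0] version is optional
        fields = fields[1:]
    tag, start, end = fields[4]  # serial, sigalg, issuer, validity, subject
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return cert_der[start:end]


def old_subject_hash(name_der: bytes) -> str:
    """OpenSSL 0.9.8 X509_NAME_hash (x509 -subject_hash_old on 1.0+):
    first four bytes of MD5 over the DER Name, read as a little-endian int."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def hash_filenames(pem: bytes) -> list:
    """Map each certificate in a PEM bundle to the <hash>.0 file it belongs in."""
    return [old_subject_hash(subject_der(der)) + ".0" for der in pem_to_der(pem)]


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


# Constructed sample (hypothetical, not a real or valid certificate): a
# Certificate/TBSCertificate skeleton whose subject is CN=Example Root CA.
SAMPLE_SUBJECT = der(0x30, der(0x31, der(0x30,
    der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x13, b"Example Root CA"))))
SAMPLE_CERT_DER = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
    + der(0x30, b"") + der(0x30, b"") + SAMPLE_SUBJECT))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    for filename in hash_filenames(data):
        print(filename)
```

Run it as `python subject_hash.py Root64.cer` (or against a bundle of the root and intermediate certificates) and create one file per printed name. Two different CAs can produce the same hash; OpenSSL resolves that by numbering the suffix (.0, .1, ...), so if two names collide, give the second certificate the .1 suffix.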
- Log in to the vSphere Web Client as admin@system-domain.
- Navigate to Administration > Sign-On and Discovery > Configuration, then click the STS Certificate tab.
- Click Edit.
- Click Browse.
- Navigate to the SSO security directory and select root-trust.jks. By default, this directory is C:\Program Files\VMware\Infrastructure\SSOServer\Security\
- When prompted, enter testpassword as the password and click OK. The rui key chain is shown in the interface.
- Select rui.
- Click OK.
- When prompted for the password, enter testpassword.
Note: Enter only testpassword as the password.
Another chain is added, and the certificate is available in the GUI.
Note: If you encounter the error message An error occurred while updating server configuration, this may indicate that the certificate chain was not fully exported. For more information, see step 20 in the Getting the certificate section of Creating certificate requests and certificates for vCenter Server 5.1 components (2037432), which outlines the steps to export and concatenate multiple certificates.
Note: Alternatively to adding it through the GUI, you can add the JKS file from the command line by running: ssocli.cmd configure-riat -a configure-sts --keystore-file "C:\Program Files\VMware\Infrastructure\SSOServer\Security\root-trust.jks" --keystore-type JKS --keystore-password testpassword -u admin -p <master password>
- If all services are on the same server, restart the server for the changes to take effect. If the services are on separate servers or you cannot restart the server, stop and start the services in this order:
- Stop the VMware Log Browser service.
- Stop the VMware vSphere Web Client service.
- Stop the VMware VirtualCenter Server service.
- Stop the VMware vCenter Inventory service.
- Start the VMware vCenter Inventory service.
- Start the VMware VirtualCenter Server service and the VMware VirtualCenter Management WebServices service.
- Start the VMware vSphere Web Client service.
- Start the VMware Log Browser service.
- Wait until all the services are started. Usually, this takes around 5 minutes.
The SSL certificate for vCenter Single Sign On (including the Security Token Service, the SSO Admin service, and Group Check) has successfully been updated. Next, continue to install the custom certificates for the Inventory Service. For more information, see Implementing CA signed SSL certificates with vSphere 5.1 (2034833).