VMware Identity Manager self signed certificate gives a HSTS message

Article ID: 343444

Products

VMware VMware Aria Suite

Issue/Introduction

Symptoms:
  • Unable to configure a VMware Identity Manager appliance; the browser returns an error related to the self-signed certificate and you cannot proceed.
  • Configuration of the appliance fails due to HSTS (HTTP Strict Transport Security) browser settings.


Environment

VMware vRealize Automation 7.0.x
VMware vRealize Automation 6.2.x
VMware Identity Manager 2.x
VMware vRealize Automation 7.1.x

Cause


This issue occurs because the HSTS feature enabled by default in modern client browsers is triggered when navigating to a web site with a self-signed certificate. Under HSTS the browser does not trust the appliance's default self-signed certificate, as it is not issued by one of the well-known CAs (Certificate Authorities).

Resolution

VMware recommends that all web interfaces on VMware Identity Manager use trusted certificates.

Option 1:

Replace the self-signed certificates with a certificate signed by a public CA that contains the fully qualified domain name (FQDN) of the VA hostname in the Subject Alternative Name field.

If you are presented with HSTS warnings in your client browser when accessing any web interface, it is recommended to secure the virtual appliances with publicly trusted certificates. Several public CAs offer free, automatically renewable certificates.

To bypass this warning, type thisisunsafe anywhere on the warning page in Edge or Chrome. This should allow the web interface to load.

You can then update the certificates using the standard process:
Updating Certificates for vIDM services (2961623)

See Installing an SSL Certificate for the VMware Identity Manager Service for additional information.
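An added check, not from this article or from VMware: given a certificate in the layout returned by Python's ssl.SSLSocket.getpeercert() and the site's Strict-Transport-Security header, it reports what would make the browser refuse the appliance UI (a self-signed issuer, a Subject Alternative Name that does not cover the FQDN, and the HSTS max-age that prevents clicking through). All hostnames, certificate contents and header values below are constructed.

```python
def san_covers_fqdn(peercert, fqdn):
    """True if a dNSName SAN entry matches fqdn; '*' matches one leftmost label only."""
    host = fqdn.rstrip(".").lower()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.rstrip(".").lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == pattern[2:]:
                return True
    return False
def is_self_signed(peercert):
    """A self-signed certificate carries the same DN as subject and issuer."""
    return peercert.get("subject") == peercert.get("issuer")
def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its RFC 6797 directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy
def check_appliance(peercert, fqdn, hsts_header=None):
    """Findings that make a browser refuse the appliance UI; an empty list means OK."""
    findings = []
    if is_self_signed(peercert):
        findings.append("certificate is self-signed, not issued by a trusted CA")
    if not san_covers_fqdn(peercert, fqdn):
        findings.append(f"Subject Alternative Name does not cover {fqdn}")
    if findings and hsts_header:
        max_age = parse_hsts(hsts_header)["max_age"] or 0
        findings.append(f"HSTS max-age={max_age}: the certificate error cannot be clicked through")
    return findings

# Constructed samples in ssl.SSLSocket.getpeercert() layout: appliance default vs. CA-signed.
DEFAULT_CERT = {"subject": ((("commonName", "localhost.localdomain"),),),
                "issuer": ((("commonName", "localhost.localdomain"),),),
                "subjectAltName": (("DNS", "localhost.localdomain"),)}
REPLACED_CERT = {"subject": ((("commonName", "vidm.example.internal"),),),
                 "issuer": ((("organizationName", "Example Public CA"),),),
                 "subjectAltName": (("DNS", "vidm.example.internal"), ("DNS", "*.example.internal"))}
```

Run check_appliance(DEFAULT_CERT, "vidm.example.internal", "max-age=31536000; includeSubDomains") before replacing the certificate and again with the new certificate; an empty list means the browser has nothing left to complain about.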

Option 2:

Turn off the HSTS settings in the browser temporarily.

Note: This solution is meant to work for Chrome browsers. Each browser has its own method to turn off the HSTS feature. This should be considered a temporary workaround, with Option 1 as the primary fix.

Chrome:
1. Open a Chrome browser.
2. Type chrome://net-internals/#hsts in the address bar of the browser and press Enter.
3. Under Delete domain, enter the FQDN of the appliance.
4. Click Delete.
  • Microsoft Edge is a Chromium-based browser and can be configured the same way at edge://net-internals/#hsts