To verify and enable TLS certificate validation on Secure LDAP (LDAPS) identity sources, perform these steps:
For vSphere 6.0:
For the Platform Services Controller Appliance 6.0 or vCenter Server with Embedded Platform Services Controller 6.0:
- Connect to the vCenter Server Appliance using a console connection or SSH session.
- Provide the root user name and password when prompted.
- Run this command to enable the Bash shell:
shell.set --enable True
- Run this command to access the Bash shell:
shell
- In the Bash shell, run this command to check whether any LDAPS identity source is not using the proper SSL certificate for its connection:
/opt/vmware/bin/sso-config.sh -check_ldaps_cert_validation
This will output a status report of your LDAPS identity sources.
For example:
********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
****** TOTAL: 1, FAILED: 1 ******
If any of the identity sources report as failed, edit the identity source and provide it with an updated SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. If certificate validation is enabled while an identity source still lacks the proper certificate, that identity source will stop working.
- After confirming that all LDAPS identity sources are reporting successful (no failures) with the above command, create the new Likewise registry key for LDAPS validation by running the following command:
/opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation REG_SZ true
- Enable the LDAPS validation key by running this command:
/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation true
For the Platform Services Controller or vCenter Server with Embedded Platform Services Controller 6.0 for Windows:
- Remote Desktop into the Windows Server.
- Open an administrative command prompt.
- Run this command to check whether any LDAPS identity source is not using the proper SSL certificate for its connection:
"%VMWARE_CIS_HOME%\VMware Identity Services"\sso-config.bat -check_ldaps_cert_validation
This will output a status report of your LDAPS identity sources.
For example:
********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
****** TOTAL: 1, FAILED: 1 ******
If any of the identity sources report as failed, edit the identity source and provide it with an updated SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. If certificate validation is enabled while an identity source still lacks the proper certificate, that identity source will stop working.
- Create and enable the LDAPS validation Windows Registry key by running this command:
reg add HKLM\Software\VMware\Identity\Configuration /v LdapsCertValidation /t REG_SZ /d true
This should output:
The operation completed successfully.
For vSphere 5.5:
For the vCenter Server Appliance 5.5.x:
- Connect to the vCenter Server Appliance using a console connection or SSH session.
- Provide the root user name and password when prompted.
- In the Bash shell, run this command to check whether any LDAPS identity source is not using the proper SSL certificate for its connection:
/opt/vmware/bin/sso-config.sh -check_ldaps_cert_validation
This will output a status report of your LDAPS identity sources.
For example:
********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
****** TOTAL: 1, FAILED: 1 ******
If any of the identity sources report as failed, edit the identity source and provide it with an updated SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. If certificate validation is enabled while an identity source still lacks the proper certificate, that identity source will stop working.
- After confirming that all LDAPS identity sources are reporting successful (no failures) with the above command, create the new Likewise registry key for LDAPS validation by running this command:
/opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation REG_SZ true
- Enable the LDAPS validation key by running this command:
/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation true
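A gated version of the appliance procedure (it covers both the 6.0 and the 5.5.x steps above), added here as an example and not part of the VMware KB: it parses the sso-config.sh report and only writes the Likewise key when no identity source failed, which is the precondition the steps above state in prose. The sample report is constructed; the paths, registry key and value name are the ones the KB quotes.

```bash
#!/bin/bash
# Added example (not from the VMware KB): enable LdapsCertValidation only
# when the sso-config.sh report shows every LDAPS identity source passing.
# Paths and key are taken from the KB; the sample report is constructed.

SSO_CONFIG=/opt/vmware/bin/sso-config.sh
LWREGSHELL=/opt/likewise/bin/lwregshell
REG_KEY='[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]'

# Constructed sample report in the KB's format, with one failed source.
SAMPLE_REPORT='********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
****** TOTAL: 1, FAILED: 1 ******'

# Read a report on stdin and print "<total> <failed>", summing every
# "TOTAL: n, FAILED: m" line so a report listing several sources is covered.
ldaps_summary() {
  awk '/TOTAL: *[0-9]+, *FAILED: *[0-9]+/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "TOTAL:")  { t = $(i + 1); sub(/,/, "", t); total += t }
           if ($i == "FAILED:") { failed += $(i + 1) }
         }
       }
       END { print total + 0, failed + 0 }'
}

# Print "enable" only when at least one source was checked and none failed;
# an empty or unparsable report is treated as unsafe and yields "skip".
ldaps_decide() {
  local counts total failed
  counts=$(ldaps_summary)
  total=${counts% *}; failed=${counts#* }
  if [ "$total" -gt 0 ] && [ "$failed" -eq 0 ]; then echo enable; else echo skip; fi
}

# Live flow on the appliance: run the KB's check, then the KB's two
# lwregshell commands only if the report is clean.
enable_ldaps_validation() {
  case "$("$SSO_CONFIG" -check_ldaps_cert_validation | ldaps_decide)" in
    enable)
      "$LWREGSHELL" add_value "$REG_KEY" LdapsCertValidation REG_SZ true &&
      "$LWREGSHELL" set_value "$REG_KEY" LdapsCertValidation true ;;
    *)
      echo "LDAPS sources failed validation (or none found); key not enabled" >&2
      return 1 ;;
  esac
}

# Dry run against the constructed sample (prints "skip"):
printf '%s\n' "$SAMPLE_REPORT" | ldaps_decide
```

On a real appliance, call enable_ldaps_validation after the dry run; it returns 1 and leaves the registry untouched whenever the report is not clean.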
For vCenter Single Sign-On 5.5 for Windows:
- Remote Desktop into the Windows Server.
- Open an administrative command prompt.
- Run this command to check whether any LDAPS identity source is not using the proper SSL certificate for its connection:
"%VMWARE_CIS_HOME%\VMware Identity Services"\sso-config.bat -check_ldaps_cert_validation
This will output a status report of your LDAPS identity sources.
For example:
********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
****** TOTAL: 1, FAILED: 1 ******
If any of the identity sources report as failed, edit the identity source and provide it with an updated SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. If certificate validation is enabled while an identity source still lacks the proper certificate, that identity source will stop working.
- Create and enable the LDAPS validation Windows Registry key by running this command:
reg add HKLM\Software\VMware\Identity\Configuration /v LdapsCertValidation /t REG_SZ /d true
This should output:
The operation completed successfully.