Enabling Certificate Validation on LDAPS Identity Sources with vSphere 6.0 Update 1 and vSphere 5.5 Update 3
Article ID: 343735


Products

VMware vCenter Server

Issue/Introduction

This article provides guidance on verifying and enabling TLS certificate validation on Secure LDAP (LDAPS) identity sources, including Active Directory over LDAP and OpenLDAP, on the Identity Management (IDM) services with the Platform Services Controller in vSphere 6.0 Update 1 and vCenter Single Sign-On in vSphere 5.5 Update 3. By default, IDM disables TLS certificate validation on secure LDAP connections.

Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 5.5.x
VMware vCenter Server 5.5.x

Resolution

To verify and enable TLS certificate validation on Secure LDAP (LDAPS) identity sources, perform these steps:

For vSphere 6.0:

For the Platform Services Controller Appliance 6.0 or vCenter Server with Embedded Platform Services Controller 6.0:
  1. Connect to the vCenter Server Appliance using a console connection or SSH session.
  2. Provide the root user name and password when prompted.
  3. Run this command to enable the Bash shell:

    shell.set --enable True

  4. Run this command to access the Bash shell:

    shell

  5. In the Bash shell, run this command to check whether any LDAPS identity sources are not using the proper SSL certificate for their connections:

    /opt/vmware/bin/sso-config.sh -check_ldaps_cert_validation

    This outputs a status report for your LDAPS identity sources.

    For example:

    ********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********

    ****** TOTAL: 1, FAILED: 1 ******


    If any identity source reports as failed, edit that identity source and supply the current SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. Once certificate validation is enabled, any identity source that has not been updated with the proper certificate stops functioning.

  6. After confirming that all LDAPS identity sources report success (no failures) with the above command, create the LdapsCertValidation value under the Likewise registry key by running this command:

    /opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation REG_SZ true

  7. Set the value to true to enable LDAPS certificate validation by running this command:

    /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation true

For the Platform Services Controller or vCenter Server with Embedded Platform Services Controller 6.0 for Windows:
  1. Remote Desktop into the Windows Server.
  2. Open an administrative command prompt.
  3. Run this command to check whether any LDAPS identity sources are not using the proper SSL certificate for their connections:

    "%VMWARE_CIS_HOME%\VMware Identity Services"\sso-config.bat -check_ldaps_cert_validation

    This outputs a status report for your LDAPS identity sources.

    For example:

    ********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********

    ****** TOTAL: 1, FAILED: 1 ******


    If any identity source reports as failed, edit that identity source and supply the current SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. Once certificate validation is enabled, any identity source that has not been updated with the proper certificate stops functioning.

  4. After confirming that all LDAPS identity sources report success (no failures), create the LdapsCertValidation value in the Windows Registry and set it to true by running this command:

    reg add HKLM\Software\VMware\Identity\Configuration /v LdapsCertValidation /t REG_SZ /d true

    This should output:

    The operation completed successfully.

For vSphere 5.5:

For the vCenter Server Appliance 5.5.x:
  1. Connect to the vCenter Server Appliance using a console connection or SSH session.
  2. Provide the root user name and password when prompted.
  3. In the Bash shell, run this command to check whether any LDAPS identity sources are not using the proper SSL certificate for their connections:

    /opt/vmware/bin/sso-config.sh -check_ldaps_cert_validation

    This outputs a status report for your LDAPS identity sources.

    For example:

    ********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********

    ****** TOTAL: 1, FAILED: 1 ******


    If any identity source reports as failed, edit that identity source and supply the current SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. Once certificate validation is enabled, any identity source that has not been updated with the proper certificate stops functioning.

  4. After confirming that all LDAPS identity sources report success (no failures) with the above command, create the LdapsCertValidation value under the Likewise registry key by running this command:

    /opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation REG_SZ true

  5. Set the value to true to enable LDAPS certificate validation by running this command:

    /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]' LdapsCertValidation true
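A small wrapper for the appliance procedures above (steps 5 to 7 for vSphere 6.0, steps 3 to 5 for vSphere 5.5), added here as an example and not part of this article: it parses the TOTAL/FAILED summary line from sso-config.sh and only writes the LdapsCertValidation value when no identity source failed. The paths and registry key are the ones the article gives; the report text used to exercise the parser is constructed.

```sh
#!/bin/sh
# Added example, not part of the VMware KB article: wrap the appliance
# procedure so that LdapsCertValidation is only turned on when the
# sso-config.sh report shows zero failed identity sources.
# Paths and the registry key are those given in the article; any report
# text fed to the parser outside a real appliance is constructed.

SSO_CONFIG=/opt/vmware/bin/sso-config.sh
LWREGSHELL=/opt/likewise/bin/lwregshell
REG_KEY='[HKEY_THIS_MACHINE\Software\VMware\Identity\Configuration]'

# failed_count REPORT: print the FAILED number from the summary line
# "****** TOTAL: n, FAILED: m ******", or "unknown" if there is none.
failed_count() {
    printf '%s\n' "$1" \
        | sed -n 's/.*TOTAL: *[0-9][0-9]*, *FAILED: *\([0-9][0-9]*\).*/\1/p' \
        | head -n 1 | grep . || echo unknown
}

# safe_to_enable REPORT: succeed only when the report is parseable and
# shows FAILED: 0. A missing or unreadable summary line counts as unsafe,
# because enabling validation would break any source that still fails.
safe_to_enable() {
    [ "$(failed_count "$1")" = "0" ]
}

# enable_ldaps_validation: run the check, then the article's add_value
# and set_value steps only if every identity source passed.
enable_ldaps_validation() {
    report=$("$SSO_CONFIG" -check_ldaps_cert_validation 2>&1) || true
    if safe_to_enable "$report"; then
        "$LWREGSHELL" add_value "$REG_KEY" LdapsCertValidation REG_SZ true
        "$LWREGSHELL" set_value "$REG_KEY" LdapsCertValidation true
    else
        echo "Not enabling LdapsCertValidation: FAILED=$(failed_count "$report")" >&2
        echo "Update the failing identity source certificates first, then re-run." >&2
        return 1
    fi
}
```

Run enable_ldaps_validation from the Bash shell on the appliance; it exits non-zero without touching the registry if the report shows any failure or cannot be parsed.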

For vCenter Single Sign-On 5.5 for Windows:
  1. Remote Desktop into the Windows Server.
  2. Open an administrative command prompt.
  3. Run this command to check whether any LDAPS identity sources are not using the proper SSL certificate for their connections:

    "%VMWARE_CIS_HOME%\VMware Identity Services"\sso-config.bat -check_ldaps_cert_validation

    This outputs a status report for your LDAPS identity sources.

    For example:

    ********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********

    ****** TOTAL: 1, FAILED: 1 ******


    If any identity source reports as failed, edit that identity source and supply the current SSL certificate from the Domain Controller. For more information, see the Edit a vCenter Single Sign-On Identity Source section of the vSphere Security guide. Once certificate validation is enabled, any identity source that has not been updated with the proper certificate stops functioning.

  4. After confirming that all LDAPS identity sources report success (no failures), create the LdapsCertValidation value in the Windows Registry and set it to true by running this command:

    reg add HKLM\Software\VMware\Identity\Configuration /v LdapsCertValidation /t REG_SZ /d true

    This should output:

    The operation completed successfully.

