Using the CLI to add or configure SSO identity sources in vSphere 6.5 and above

Article ID: 319662

Products

VMware vCenter Server

Issue/Introduction

This article outlines how to update and use the sso-config.sh script on all versions of the vCenter Server Appliance 6.5 and 6.7.
For instructions on adding and configuring identity sources from the CLI in vSphere 5.5 and 6.0, reference Adding an Integrated Active Directory (IWA) Identity Source without the vSphere Web Client for vSphere 5.5/6.0.
VMware strongly advises customers to use the UI methods to configure identity sources. This CLI is intended for customers with special requirements where the normal UI is impractical.

Symptoms:
  • Unable to configure identity sources in vSphere 6.5 and above using the command line interface.
  • The sso-add-native-ad-idp.sh script, which was available in vSphere 5.5 and 6.0, no longer exists.


Environment

VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x

Cause

In the vSphere 5.5/6.0 time frame, a set of custom scripts was created to provide the functionality of adding and configuring SSO identity sources. These scripts were derived from the vmidentity migration tool and were removed along with its deprecation.

Resolution

To update the sso-config.sh script on vSphere 6.5 and 6.7, the vmware-identity-sso-config.jar file on the PSC must be replaced with the one made available through this KB article. This file is overwritten during patching of the PSC, so the process must be repeated if configuration of identity sources via the command line is needed again after a patch.

Note: Starting with version 7.0, this functionality is included by default and users do not need the attached file.

vSphere 6.5 & 6.7

Download the vmware-identity-sso-config.jar file located in the attachments section of this KB article and move it to the appliance.
For instructions on using WinSCP to upload files to the PSC, reference the article Error when uploading files to vCenter Server Appliance using WinSCP.

Once uploaded, replace the existing jar file:

  1. Log into the PSC or embedded system.
  2. Navigate to /opt/vmware/lib64.
  3. Create a backup of the existing vmware-identity-sso-config.jar file in the root directory:
     cp /opt/vmware/lib64/vmware-identity-sso-config.jar /vmware-identity-sso-config.jar.bak
  4. Replace the existing vmware-identity-sso-config.jar file with the one downloaded from this KB article.
  5. If the permissions of vmware-identity-sso-config.jar are not -rw-r--r--, update them with this command:
     chmod u+rw,g+r,o+r vmware-identity-sso-config.jar
  6. Validate that the command is functioning by running sso-config.sh.

NOTE: Do not leave the original vmware-identity-sso-config.jar file in the /opt/vmware/lib64/ directory with a .jar extension, even if it has been renamed. A second copy with a .jar extension will cause namespace issues within Java.
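Steps 3 to 6 above, written as one checked sequence. This is an added example and not part of the KB article or the VMware tooling: the library directory and the backup location are the ones the KB names, while the location of sso-config.sh (/opt/vmware/bin) is an assumption, so all three can be overridden through the environment. It backs up to a name that does not end in .jar, sets exactly the -rw-r--r-- mask (chmod 0644, rather than the additive u+rw,g+r,o+r, so a jar that was group- or world-writable before does not stay that way), and refuses to finish if a stray .jar copy of the library is still in the directory.

```shell
#!/bin/sh
# Added example, not from the KB: perform steps 3 to 6 of the jar replacement with checks.
# LIB_DIR and BACKUP follow the KB; SSO_CONFIG is an assumed path and can be overridden.
set -eu

LIB_DIR=${LIB_DIR:-/opt/vmware/lib64}
JAR_NAME=vmware-identity-sso-config.jar
BACKUP=${BACKUP:-/$JAR_NAME.bak}
SSO_CONFIG=${SSO_CONFIG:-/opt/vmware/bin/sso-config.sh}   # assumed location

# Step 3: back up the current jar. Refuses a backup name ending in .jar, because a
# second .jar copy of this library in LIB_DIR is exactly what the NOTE above warns about.
backup_jar() {
    case "$BACKUP" in
        *.jar) echo "backup name must not end in .jar: $BACKUP" >&2; return 1 ;;
    esac
    cp "$LIB_DIR/$JAR_NAME" "$BACKUP"
}

# Steps 4 and 5: copy the downloaded jar into place and set exactly -rw-r--r--.
install_jar() {
    new_jar=$1
    [ -f "$new_jar" ] || { echo "downloaded jar not found: $new_jar" >&2; return 1; }
    cp "$new_jar" "$LIB_DIR/$JAR_NAME"
    chmod 0644 "$LIB_DIR/$JAR_NAME"
}

# Octal mode of the installed jar, e.g. 644 (GNU stat, as shipped on the appliance).
jar_mode() {
    stat -c '%a' "$LIB_DIR/$JAR_NAME"
}

# Number of files in LIB_DIR that Java would pick up as a copy of this library:
# anything other than 1 means a renamed original with a .jar suffix was left behind.
count_sso_jars() {
    find "$LIB_DIR" -maxdepth 1 -name 'vmware-identity-sso-config*.jar' | wc -l | tr -d ' '
}

# Step 6: confirm the replaced jar works by listing the configured identity sources.
validate() {
    "$SSO_CONFIG" -get_identity_sources
}

main() {
    backup_jar
    install_jar "$1"
    [ "$(count_sso_jars)" -eq 1 ] || { echo "stray .jar copy left in $LIB_DIR" >&2; return 1; }
    validate
}

# Usage on the appliance: sh replace-sso-jar.sh /root/vmware-identity-sso-config.jar
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the path of the downloaded jar as its only argument; if it stops at the stray-copy check, remove or rename (without a .jar suffix) the extra file before running sso-config.sh.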
 

Usage

The commands below are only examples. Values such as domain.example, DOMAIN, the bind user DN, 'password' and the LDAP URLs are placeholders that must be changed to match your desired configuration.
 

View current configured identity sources

sso-config.sh -get_identity_sources
 

Remove configured identity sources

sso-config.sh -delete_identity_source -i identityStoreName
 

Adding Active Directory (Windows Integrated Authentication)

Using this command, vSphere will connect to and use the domain it is currently joined to as an Identity Source. vSphere needs to be joined to the AD domain prior to this operation.

sso-config.sh -add_identity_source -type nativead -domain domain.example
 

Adding AD over LDAP

Using this command, we can add AD over LDAP as an Identity Source. The information provided will describe a given AD to vSphere. For this operation, vSphere does not need to be joined to the domain.

This command illustrates adding the identity source with only a primary domain controller:

sso-config.sh -add_identity_source -type adldap -baseUserDN "CN=Users,DC=domain,DC=example" -baseGroupDN "CN=Groups,DC=domain,DC=example" -domain "domain.example" -alias "DOMAIN" -username "CN=Administrator,CN=Users,DC=domain,DC=example" -password 'password' -primaryURL "ldap://dc.domain.example:389"

This variation illustrates specifying both a primary and a secondary domain controller:

sso-config.sh -add_identity_source -type adldap -baseUserDN "CN=Users,DC=domain,DC=example" -baseGroupDN "CN=Groups,DC=domain,DC=example" -domain "domain.example" -alias "DOMAIN" -username "CN=Administrator,CN=Users,DC=domain,DC=example" -password 'password' -primaryURL "ldap://dc.domain.example:389" -secondaryURL "ldap://dc2.domain.example:389"
 

Adding AD over LDAP using LDAPS (LDAP over SSL)

This command illustrates specifying a domain or FQDN but connecting to it over a secure connection. For the secure connection to work, the SSL certificate from AD needs to be provided in the command: either the individual SSL certificate of each DC, or the CA certificate to which all of the individual DC certificates chain. The -sslCert argument is a comma-separated list of paths to the individual .cer files. Use absolute paths (here /root, the home directory of root on the appliance): the shell expands a leading ~ only at the start of the argument, so a ~ after the comma would be passed to sso-config.sh literally. The supplied certificate is what vSphere will trust for the LDAPS connection, so obtain it from the domain controller or CA directly rather than from the LDAPS endpoint itself.

sso-config.sh -add_identity_source -type adldap -baseUserDN "CN=Users,DC=domain,DC=example" -baseGroupDN "CN=Groups,DC=domain,DC=example" -domain "domain.example" -alias "DOMAIN" -username "CN=administrator,CN=users,DC=domain,DC=example" -password 'password' -primaryURL "ldaps://dc2.domain.example:636" -useSSL true -sslCert /root/dc2.domain.example.cer,/root/dc1.domain.example.cer
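A helper for the LDAPS case above, added here as an example and not part of the KB or of sso-config.sh. It prints the subject, issuer and expiry of each .cer file so you can confirm what is being pinned, and assembles the comma-separated -sslCert value from absolute paths only. It assumes the .cer files were exported from the domain controllers or the issuing CA (PEM or DER) and that openssl is the one shipped on the appliance.

```shell
#!/bin/sh
# Added example, not from the KB: inspect the .cer files and build the -sslCert argument
# for the LDAPS identity source command. Assumes PEM or DER input and the appliance's openssl.
set -eu

# Print subject, issuer and expiry of one .cer file, trying PEM first and then DER.
# A file that parses as neither is rejected here rather than by sso-config.sh later.
inspect_cert() {
    f=$1
    if openssl x509 -in "$f" -inform PEM -noout -subject -issuer -enddate 2>/dev/null; then
        return 0
    fi
    openssl x509 -in "$f" -inform DER -noout -subject -issuer -enddate
}

# Join certificate paths into the "a.cer,b.cer" form that -sslCert expects.
# Fails on the first missing file instead of silently passing a shorter list, and
# requires absolute paths because the shell does not expand a "~" that follows the comma.
ssl_cert_arg() {
    list=""
    for f in "$@"; do
        case "$f" in
            /*) ;;
            *) echo "use an absolute path for -sslCert: $f" >&2; return 1 ;;
        esac
        [ -f "$f" ] || { echo "certificate file not found: $f" >&2; return 1; }
        list="${list:+$list,}$f"
    done
    printf '%s' "$list"
}

# Inspect every certificate, then print the -useSSL/-sslCert tail of the command so it
# can be reviewed before being appended to the sso-config.sh invocation above.
show_ssl_args() {
    for f in "$@"; do
        echo "== $f"
        inspect_cert "$f"
    done
    certs=$(ssl_cert_arg "$@")
    printf '%s\n' "-useSSL true -sslCert $certs"
}

# Usage on the appliance:
#   sh ldaps-certs.sh /root/dc2.domain.example.cer /root/dc1.domain.example.cer
if [ "$#" -gt 0 ]; then
    show_ssl_args "$@"
fi
```

Compare the printed subject and issuer with what you expect from the DC or CA before using the argument; an unexpected issuer or an already-expired certificate means the wrong file was exported.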
 

Adding OpenLDAP

Using this command, we can add OpenLDAP as an Identity Source. The information provided will describe an LDAP directory to vSphere.

sso-config.sh -add_identity_source -type openldap -baseUserDN "ou=people,dc=domain,dc=example" -baseGroupDN "ou=groups,dc=domain,dc=example" -domain "domain.example" -alias "DOMAIN" -username "cn=ldapuser1,ou=people,dc=domain,dc=example" -password 'password' -primaryURL "ldap://server.domain.example:389"

 


Additional Information

Note: All of the commands have an optional parameter, [-t <tenantName>], which is not included in any of the examples. The tenant argument is required if multiple tenants have been configured; if it is not provided, the default tenant vsphere.local is used.

Please be aware that using the new commands to add and configure SSO identity sources on a vSphere 6.5 or 6.7 system works without issues, but support for the other functions of this version of sso-config is limited. Specifically, use the original version of the sso-config tool included with the installation when executing the following commands:

6.5
set_rsa_userid_attr_map
set_tc_cert_authn
get_cert_link_opts
set_cert_link_opts

6.7
set_rsa_userid_attr_map

Impact/Risks:
Note: This scenario requires you to SSH into the vCenter Appliance – a practice that VMware generally discourages because it creates security and appliance integrity risks. While VMware supports the use of this script, improper use can cause catastrophic impact to the vCenter. Customers are responsible for proper use of the tool, controlling login access to VCSA, and ensuring backups are taken before any action.

Ensure a working backup of the appliance is taken before executing these steps.

Attachments

vmware-identity-sso-config.jar