Smart Card and RSA SecurID Authentication stops after upgrading to vCenter Server 7.0

Article ID: 337816

Products

VMware vCenter Server

Issue/Introduction

This article describes how to handle smart card or RSA SecurID authentication when upgrading to vCenter Server 7.0.

Symptoms:
There are two primary symptoms of this issue:
  1. During the upgrade process, you see:
Smart card authentication may stop working. Smart card settings may not be preserved, and smart card authentication may stop working.

or

RSA SecurID authentication may stop working. RSA SecurID settings may not be preserved, and RSA SecurID authentication may stop working.
  2. After upgrading, smart card or RSA SecurID authentication stops working, and authentication to vCenter Server 7.0 fails with these authentication methods.

Environment

VMware vCenter Server 7.0.x
VMware Tools 11.x

Cause

During the upgrade to vCenter Server 7.0, some configuration files may not be copied from the source vCenter Server or Platform Services Controller machine to the new vCenter Server 7.0 appliance. If this occurs, these authentication methods stop working once the upgrade completes. The issue does not prevent the upgrade itself, but it leaves you unable to log in with smart card or RSA SecurID after the upgrade is complete.

Resolution

VMware is aware of this issue and is working on a permanent solution. In the meantime, follow the "Workaround" section below.

Workaround:
After the upgrade to the new vCenter Server 7.0 appliance is complete, smart card or RSA SecurID authentication must be configured again.

Smart Card

The XML element beginning with the <http> tag in the Reverse Proxy configuration file (/etc/vmware-rhttpproxy/conf.xml) needs to be configured to request the client certificate. See Configure the Reverse Proxy to Request Client Certificates.

Example:

    <http>
      <!-- Num of max proxy connections -->
      <maxConnections> 2048 </maxConnections>
      <requestClientCertificate>true</requestClientCertificate>
      <!-- CA file, needed to scan all certificates in it and list them as acceptable CAs: -->
      <clientCAListFile>/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem</clientCAListFile>
      <!-- Maximum size of a client certificate in case it is requested. -->
      <clientCertificateMaxSize>4096</clientCertificateMaxSize>
    </http>

The settings present on the pre-upgrade system, at either /etc/vmware-rhttpproxy/conf.xml or (on Windows) C:\ProgramData\VMware\vCenterServer\cfg\vmware-rhttpproxy\config.xml, along with the file named in the <clientCAListFile> tag, can be reused on the newly upgraded appliance.

In the above example, the file /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem needs to be copied to the newly upgraded appliance.

RSA SecurID

Multiple site IDs may have been present before the upgrade, or additional site IDs may have been created as part of the upgrade, leaving the newly upgraded appliance in a site that is not configured for RSA SecurID.

See Set Up RSA SecurID Authentication.

The file sdconf.rec (required for configuring RSA SecurID) can be recovered from the pre-upgrade system at either /etc/vmware-sso/<tenant>/sdconf.rec or, on Windows, %VMWARE_CFG_DIR%\sso\<tenant>\sdconf.rec. Assuming product defaults (the tenant is vsphere.local and the Windows installation is on C:\), the appliance location is /etc/vmware-sso/vsphere.local/sdconf.rec and the Windows location is C:\ProgramData\VMware\vCenterServer\cfg\sso\vsphere.local\sdconf.rec.
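The following POSIX shell script is an added example (not VMware's own tooling) that checks, on the upgraded appliance, the two prerequisites described in the Smart Card and RSA SecurID sections above: that conf.xml still requests client certificates and points at a readable CA list file, and that sdconf.rec is present for the tenant. The default paths are the appliance paths from this article; the fixture it builds under mktemp is constructed for demonstration and is not a real configuration.

```shell
#!/bin/sh
# Post-upgrade verification of the smart card and RSA SecurID prerequisites.
# Added example; defaults assume the appliance paths given in the article and
# every path can be overridden by argument.

# Return 0 when <requestClientCertificate> is true in the rhttpproxy conf.xml
# and the <clientCAListFile> it names exists and holds a PEM certificate;
# print the reason and return 1 otherwise.
check_smartcard_config() {
    conf="${1:-/etc/vmware-rhttpproxy/conf.xml}"
    [ -r "$conf" ] || { echo "missing or unreadable: $conf"; return 1; }
    # sed tolerates surrounding whitespace, like " 2048 " in the sample conf.xml
    req=$(sed -n 's/.*<requestClientCertificate>[[:space:]]*\([^<[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    [ "$req" = "true" ] || { echo "requestClientCertificate is '${req:-unset}', expected true"; return 1; }
    ca=$(sed -n 's/.*<clientCAListFile>[[:space:]]*\([^<[:space:]]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$ca" ] || { echo "clientCAListFile not set in $conf"; return 1; }
    [ -r "$ca" ] || { echo "CA list file not copied to appliance: $ca"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "no PEM certificate in $ca"; return 1; }
    echo "smart card: OK ($ca)"
}

# Return 0 when sdconf.rec exists and is non-empty for the tenant (default
# vsphere.local); the file is binary, so only presence and size are checked.
check_securid_config() {
    tenant="${1:-vsphere.local}"
    base="${2:-/etc/vmware-sso}"
    rec="$base/$tenant/sdconf.rec"
    [ -s "$rec" ] || { echo "sdconf.rec missing or empty: $rec"; return 1; }
    echo "RSA SecurID: OK ($rec)"
}

# Constructed fixture (not a real appliance): a conf.xml that still requests
# client certificates, a copy that lost the setting, and a tenant sdconf.rec.
demo_fixture() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n' > "$d/clienttrustCA.pem"
    cat > "$d/good.xml" <<EOF
<config><http>
  <maxConnections> 2048 </maxConnections>
  <requestClientCertificate>true</requestClientCertificate>
  <clientCAListFile>$d/clienttrustCA.pem</clientCAListFile>
</http></config>
EOF
    sed 's#<requestClientCertificate>true#<requestClientCertificate>false#' "$d/good.xml" > "$d/bad.xml"
    mkdir -p "$d/sso/vsphere.local"
    printf 'constructed' > "$d/sso/vsphere.local/sdconf.rec"
    echo "$d"
}
```

Run the two check functions with no arguments on the appliance itself; a non-zero exit and the printed reason tell you which file still needs to be copied over from the pre-upgrade system.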