
Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.5 (2058519)


Purpose

Note: This article applies specifically to vSphere 5.5. If you are using vSphere 5.1, see Configuring CA signed SSL certificates for vCenter Server Single Sign-On in vCenter Server 5.1 (2035011). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).

This article guides you through the configuration of Certificate Authority (CA) signed certificates for the vCenter Single Sign-On service on vSphere 5.5. VMware has released a tool that automates much of the process described below. See the Replacing vCenter Certificates With the vCenter Certificate Automation Tool section of the vSphere Security Guide before performing the steps in this article.

If you cannot use the tool, this article walks you through the manual configuration steps and calls out the common misconfigurations that cause custom certificate implementations to fail.

This article assumes that:
  • You have completely installed all of the core vSphere 5.5 components in the environment, including: 
    • vCenter Single Sign-On 
    • vCenter Server 
    • vCenter Inventory Service 
    • the vSphere Web Client
  • You have performed a backup of the entire vSphere 5.5 installation.
  • You have installed OpenSSL Version 0.9.8 on the vCenter Single Sign-On system

    Important: OpenSSL Version 0.9.8 must be used. If you do not use this version, the SSL implementation fails. OpenSSL 1.0.0 and later compute -subject_hash differently from 0.9.8 (on those releases the 0.9.8 value is available only as -subject_hash_old), so the hash-named trust-store file created in Step 6 would receive a different name.

  • You have installed OpenSSL to C:\OpenSSL-Win32. If it is installed elsewhere, adjust the paths in the commands below accordingly.

Resolution

Note: This article is part of a resolution path. Before performing the steps in this article, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).

Creating CA signed certificates for vSphere is a complex task, and many organizations must do it to meet regulatory security requirements. A successful implementation involves three separate workflows:
  • Creating the certificate request
  • Getting the certificate
  • Installing and configuring the certificate for Single Sign-On
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:

Installation and configuration of the certificate for vCenter SSO

After the certificate is created, perform these steps to complete the installation and configuration of the certificate.

Note: VMware recommends you take a backup of your vCenter Server before proceeding to carry out these steps.

To replace the vCenter SSO certificates:
  1. Log in to the vCenter SSO server with an administrator account.

    Notes:
    • This article follows Creating certificate requests and certificates for the vCenter 5.x components (2037432), which places all vSphere components on the same server with all generated files in C:\certs.
    • If the vSphere components are installed on separate systems, the files generated in Steps 6 and 7 below must be copied to each of those servers, so that every vSphere component system has a C:\ProgramData\VMware\SSL folder containing ca_certificates.crt and the hash file.

  2. Open an elevated command prompt and enter these commands to prepare the environment. For more information on opening a command prompt, see Opening a command or shell prompt (1003892).

    C:\>SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components

    C:\>SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin


    Note: The values for JAVA_HOME and PATH must not be enclosed in quotes.

  3. If present, back up the SSL directory under C:\ProgramData\VMware\. This folder must contain two files: ca_certificates.crt and hash file, 8_characters.0.
  4. Register the new root certificate into the VMware Trust Store by running the commands:

    C:\> cd OpenSSL-Win32\bin

    C:\OpenSSL-Win32\bin> openssl x509 -noout -subject_hash -in C:\certs\Root64.cer


    Notes:
    • The -in c:\certs\Root64.cer argument used in the following commands is for environments with a single root Certificate Authority. If you are using intermediate Certificate Authorities, use the chain.cer file that was generated previously.
    • The output is an eight-digit hexadecimal value, which is used in Step 6. The output appears similar to:

    C:\OpenSSL-Win32\bin>openssl x509 -subject_hash -noout -in c:\certs\Root64.cer
    78835296

  5. Create the new SSL directory for the SSO certificates by running the command:

    C:\> mkdir C:\ProgramData\VMware\SSL

  6. Copy the Root64.cer certificate to the SSL folder by running the command:

    C:\> copy C:\certs\Root64.cer C:\ProgramData\VMware\SSL\hash.0

    Note: Replace hash with the eight-digit hexadecimal value from Step 4.

    For example:

    C:\> copy C:\certs\Root64.cer C:\ProgramData\VMware\SSL\78835296.0

  7. Write the contents of Root64.cer to the SSL folder as ca_certificates.crt by running the command:

    C:\> more C:\certs\Root64.cer >> C:\ProgramData\VMware\SSL\ca_certificates.crt

    Note: The >> operator appends to the target file. If ca_certificates.crt already exists from an earlier attempt, delete it first so that the file contains only the intended CA certificate (or chain).

  8. Use a text editor to create a separate *.properties file for each of the three SSO services, replacing the placeholder values (the host name in uri= and, where applicable, the path in ssl=) with the values for your environment. The three files below are examples for the three services. Ensure that the uri= URL is correct, or the certificates do not function properly.

    Note: This article uses the c:\certs directory for temporary use. The ssl=c:\certs\Root64.cer value used in the following files is for environments with a single root Certificate Authority. If you are using intermediate Certificate Authorities, use ssl=c:\certs\chain.cer, the chain file generated previously.

    • gc.properties:

      [service]
      friendlyName=The group check interface of the SSO server
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:groupcheck
      description=The group check interface of the SSO server


      [endpoint0]
      uri=https://SSOserver.domain.com:7444/sso-adminserver/sdk/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=vmomi


    • admin.properties:

      [service]
      friendlyName=The administrative interface of the SSO server
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:admin
      description=The administrative interface of the SSO server

      [endpoint0]
      uri=https://SSOserver.domain.com:7444/sso-adminserver/sdk/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=vmomi


    • sts.properties:

      [service]
      friendlyName=STS for Single Sign On
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:sts
      description=The Security Token Service of the Single Sign On server.

      [endpoint0]
      uri=https://SSOserver.domain.com:7444/sts/STSService/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=wsTrust


  9. Run the ssolscli command to list all service entries from the Lookup Service:

    C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso>ssolscli.cmd listServices Lookup_Service_URL

    Note: Ensure you use the Fully Qualified Domain Name (FQDN) for the Lookup Service URL or the command fails.

    For example:

    C:\> ssolscli.cmd listServices https://WVC08.domain.local:7444/lookupservice/sdk

  10. Locate the three SSO services in the ssolscli output by their type= field:

    • Group Check: type=urn:sso:groupcheck
    • SSO Admin: type=urn:sso:admin
    • Security Token Service (STS): type=urn:sso:sts

  11. Write the serviceId= value of each of the three SSO services to a separate text file, for example with the echo command:

    C:\> echo Site_Name:95f12864-d01c-4f30-ba76-1d63a8fc36ce > c:\certs\gc_id
    C:\> echo Site_Name:fe405259-0ff3-45ef-9ead-babfe3a4ea9d > c:\certs\admin_id
    C:\> echo Site_Name:443228f9-b9ab-4094-9b90-edc81f1f5c05 > c:\certs\sts_id


    Note: Replace Site_Name with the viSite value shown in the listServices output for your environment (Broomfield in VMware's example output).

  12. Use these commands to update the three SSO services:

    Important: Update the services in this order, starting with Groupcheck. Performing the updates out of order prevents SSO from starting. Note also that -p places the SSO administrator password on the command line, where it is visible to other users of the system in process listings for the duration of each command.

    • For the Groupcheck Service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_administrator_password -si c:\certs\gc_id -ip c:\certs\gc.properties

    • For the Admin Service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_administrator_password -si c:\certs\admin_id -ip c:\certs\admin.properties

    • For the STS service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_administrator_password -si c:\certs\sts_id -ip c:\certs\sts.properties

  13. Open Windows Explorer and navigate to C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf.
  14. Back up the existing ssoserver.p12, ssoserver.key and ssoserver.crt files.
  15. Copy the new ssoserver.p12, ssoserver.crt and ssoserver.key files to the conf directory either using the Windows Explorer or the command line:

    C:\> copy C:\certs\SSO\ssoserver.p12 C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
    C:\> copy C:\certs\Root64.cer C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
    C:\> copy C:\certs\SSO\rui.key C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key

    Note: The Root64.cer file used in the commands is for environments with a single root Certificate Authority. If you are using intermediate Certificate Authorities, you must use chain.cer.


  16. For the new SSL certificates to take effect, restart the VMware Secure Token Service by running the commands:

    C:\> net stop VMwareSTS
    C:\> net start VMwareSTS


    The SSL certificate for vCenter Single Sign-On (including the Group Check, the SSO Admin service, and Security Token Service) is successfully updated. Next, continue to install the custom certificates for the vCenter Inventory Service. For more information, see Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5 (2061953).
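As an added example that is not part of the VMware article, the following Windows PowerShell script performs steps 2 through 16 above on the SSO server and finishes with a check that the STS now serves a certificate issued by the staged CA. It assumes Windows PowerShell 3.0 or later, that the three serviceId GUIDs and the viSite name have already been read from ssolscli.cmd listServices (they are passed in as -ServiceIds and -SiteName), that ssolscli.cmd returns a non-zero exit code when an update fails, and the default paths from the article (C:\certs, C:\OpenSSL-Win32, C:\certs\SSO\ssoserver.p12 and C:\certs\SSO\rui.key). Pass -CaFile C:\certs\chain.cer when intermediate CAs are involved.

```powershell
# Added example, not part of the VMware KB article: drives steps 2 to 16 from PowerShell.
# Assumed (not given by the article): serviceId GUIDs and viSite name were read from
# "ssolscli.cmd listServices" beforehand; ssolscli.cmd exits non-zero when an update fails.
param(
    [Parameter(Mandatory=$true)] [string]    $SsoFqdn,     # e.g. ssoserver.domain.com
    [Parameter(Mandatory=$true)] [string]    $SiteName,    # viSite value from listServices
    [Parameter(Mandatory=$true)] [hashtable] $ServiceIds,  # @{ gc='<guid>'; admin='<guid>'; sts='<guid>' }
    [string] $CertDir = 'C:\certs',
    [string] $CaFile  = 'C:\certs\Root64.cer',             # use C:\certs\chain.cer with intermediate CAs
    [string] $OpenSsl = 'C:\OpenSSL-Win32\bin\openssl.exe',
    [string] $SsoUser = 'administrator@vsphere.local'
)
$ErrorActionPreference = 'Stop'
$lookup = "https://${SsoFqdn}:7444/lookupservice/sdk"      # FQDN, never a short name
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 2: environment for ssolscli (values unquoted, as the article warns)
$env:JAVA_HOME = 'C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components'
$env:PATH += ';C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;' + "$env:JAVA_HOME\bin"

# Step 4: subject hash of the CA certificate, validated before it becomes a file name
function Get-SubjectHash([string] $PemFile) {
    $hash = "$(& $OpenSsl x509 -noout -subject_hash -in $PemFile | Select-Object -First 1)".Trim()
    if ($hash -notmatch '^[0-9a-f]{8}$') { throw "Unexpected -subject_hash output '$hash' for $PemFile" }
    return $hash
}
$hash = Get-SubjectHash $CaFile

# Steps 3, 5, 6, 7: back up any existing trust store, then stage <hash>.0 and ca_certificates.crt
$sslDir = 'C:\ProgramData\VMware\SSL'
if (Test-Path $sslDir) { Copy-Item $sslDir "$sslDir.bak-$stamp" -Recurse }
New-Item -ItemType Directory -Force -Path $sslDir | Out-Null
Copy-Item $CaFile (Join-Path $sslDir "$hash.0")
Copy-Item $CaFile (Join-Path $sslDir 'ca_certificates.crt')   # overwrite; the article's >> would append

# Steps 8 and 11: one template for the three .properties files and their serviceId files
$services = [ordered]@{
    gc    = @{ type='urn:sso:groupcheck'; name='The group check interface of the SSO server'
               desc='The group check interface of the SSO server'
               uri="https://${SsoFqdn}:7444/sso-adminserver/sdk/vsphere.local"; proto='vmomi' }
    admin = @{ type='urn:sso:admin'; name='The administrative interface of the SSO server'
               desc='The administrative interface of the SSO server'
               uri="https://${SsoFqdn}:7444/sso-adminserver/sdk/vsphere.local"; proto='vmomi' }
    sts   = @{ type='urn:sso:sts'; name='STS for Single Sign On'
               desc='The Security Token Service of the Single Sign On server.'
               uri="https://${SsoFqdn}:7444/sts/STSService/vsphere.local"; proto='wsTrust' }
}
foreach ($key in $services.Keys) {
    $s = $services[$key]
    $body = @"
[service]
friendlyName=$($s.name)
version=1.5
ownerId=
productId=product:sso
type=$($s.type)
description=$($s.desc)

[endpoint0]
uri=$($s.uri)
ssl=$CaFile
protocol=$($s.proto)
"@
    Set-Content -Encoding Ascii -Path (Join-Path $CertDir "$key.properties") -Value $body
    if (-not $ServiceIds[$key]) { throw "No serviceId supplied for $key" }
    Set-Content -Encoding Ascii -Path (Join-Path $CertDir "${key}_id") -Value "${SiteName}:$($ServiceIds[$key])"
}

# Step 12: update in the order the article requires (groupcheck, admin, sts); stop at the first failure
$ssoPassword = (Get-Credential -UserName $SsoUser -Message 'SSO administrator password').GetNetworkCredential().Password
foreach ($key in $services.Keys) {
    & ssolscli.cmd updateService -d $lookup -u $SsoUser -p $ssoPassword `
        -si (Join-Path $CertDir "${key}_id") -ip (Join-Path $CertDir "$key.properties")
    if ($LASTEXITCODE -ne 0) { throw "updateService failed for $key (exit code $LASTEXITCODE)" }
}

# Steps 13 to 16: back up and replace the STS key material, then restart the service
$conf = 'C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf'
foreach ($f in 'ssoserver.p12', 'ssoserver.crt', 'ssoserver.key') {
    if (Test-Path "$conf\$f") { Copy-Item "$conf\$f" "$conf\$f.bak-$stamp" }
}
Copy-Item "$CertDir\SSO\ssoserver.p12" "$conf\ssoserver.p12"
Copy-Item $CaFile                      "$conf\ssoserver.crt"
Copy-Item "$CertDir\SSO\rui.key"       "$conf\ssoserver.key"
Restart-Service VMwareSTS

# Post-check (added): the certificate the STS now serves on 7444 must be issued by the CA in $CaFile
function Get-ServedCertificate([string] $HostName, [int] $Port) {
    $tcp = New-Object Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $trustAll = [Net.Security.RemoteCertificateValidationCallback] { $true }   # inspection only
        $stream   = $tcp.GetStream()
        $tls      = New-Object Net.Security.SslStream -ArgumentList $stream, $false, $trustAll
        $tls.AuthenticateAsClient($HostName)
        return New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $tls.RemoteCertificate
    } finally { $tcp.Close() }
}
$ca   = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile
$leaf = Get-ServedCertificate $SsoFqdn 7444
if ($leaf.Issuer -ne $ca.Subject) { throw "STS still serves a certificate issued by '$($leaf.Issuer)'" }
"STS on ${SsoFqdn}:7444 now serves $($leaf.Subject), issued by $($leaf.Issuer), valid until $($leaf.NotAfter)"
```

The password is still handed to ssolscli with -p, so it is visible in that process's command line for the duration of each update exactly as in the manual steps; the script only avoids leaving it in a file or in the shell history. The final check compares the issuer of the served certificate with the subject of the first certificate in -CaFile, so with chain.cer it is only meaningful when the issuing intermediate CA is listed first in that file.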
