Search the VMware Knowledge Base (KB)
View by Article ID

Understanding vCenter Single Sign-On (SSO) command line options (2038826)

  • 1 Ratings


The vCenter Single Sign-On (SSO) server can be managed via the vSphere Web Client. However, there is a command line option available should you need to troubleshoot/configure SSO without the vSphere Web Client.

This article provides a reference for all of the available command line options for the Single Sign-On server.


The rsautil command is used to troubleshoot Single Sign-On, and is located in:
  • For Windows: C:\Program Files\VMware\Infrastructure\SSOServer\utils
  • For Linux: /usr/lib/vmware-sso/utils

rsautil argument

  • -h,-? --help - Display rsautil options in the command line
  • -v --version - Display the product version
  • -S --script-exit - exit with an error code to facilitate scripting
  • -X --debug - Display value of environment variables (RSA_IMS_HOME, JAVA_HOME, etc.)
  • -g --generate-classpath - generate classpath.jar with classpath manifest to locate third-party JAR files
  • -l --list - Display a list of available command line utilities
Running the rsautil command with the -l option displays these command line utilities:
  • configure-riat - Install and configuration utility
  • manage-identity-sources - Manage identity sources
  • manage-oc-administrators - Manage users
  • manage-secrets - Manage secrets
  • reset-admin-password - Reset administrator password

Configuring RIAT


rsautil configure-riat argument

  • -h, --help - Display help and exit. If -a/--action argument is specified, the usage for the specified action is printed
  • -X, --debug - Log verbose messages in the log file
  • -S, --script-mode - Do not prompt for missing passwords
  • -s, --silent - Do not print progress messages to the console
  • -v, --version - Display the version and copyright information
  • -a, --action - Actions include:
    • install - Install and configure RIAT
    • uninstall - Uninstall RIAT
    • configure-db - Update server database connection settings
    • configure-ssl - Update server SSL settings
    • configure-sts - Update security token service (STS) settings
    • discover-is - Discover identity source(s) (Windows only)
    • user-cert - Generate or update user's certificate
    • create-instance-pkg - Create package for installing new RIAT instance
Note: This utility does not prompt for missing arguments except for passwords.

Managing identity sources


rsautil manage-identity-sources -a action[-u username [-p password]]

  • -h, --help - Display help
  • -X, --debug - Display debug messages
  • -v, --version - Display the version and copyright information
  • -S, --script-mode - Do not prompt for missing arguments, just fail
  • -u, --user - Super administrator's user name entered without @system-domain.
  • -p, --password - Super administrator's password
  • -a, --action - Must be present and one of:

    • create - Create a new identity source

      create arguments:
      • -r, --url - Primary URL for create action
      • -f, --failover-url - Optional failover URL for create action
      • -L, --ldap-user - Optional LDAP account user name. For Active Directory, specify the user in user@domain format
      • -P, --ldap-password - Optional LDAP administrative account password
      • -d, --domain - Fully qualified domain name associated with this identity source for create action
      • -l, --alias - Optional alias associated with this identity source for create action
      • --principal-base-dn - Optional principal base DN. (Needed if group base DN is specified) Default: Discovered
      • --group-base-dn - Optional group base DN. (Needed if principal base DN is specified) Default: Discovered
      • --cert-path - Optional root CA certificate path for SSL connections. Default: Discovered (Active Directory)
      • --ldap-port - Optional for SSL connections. Non-SSL port if different from standard (389). Used for root CA certificate discovery (Active Directory)
      • --use-gssapi - Optional and only relevant to Active Directory. If specified Connection to AD will use Gssapi. Default to false.
      • --open-ldap - Optional and only relevant to ldap server. If specified the identity source type is open ldap. Otherwise is Active Directory if --url start with "ldap". Default to false.

    • delete - Delete an existing identity source

      delete argument:
      • -g, --guid - GUID of Identity Source for delete action

    • list - Display all identity sources

Managing OC administrators


rsautil manage-oc-administrators -a action [-g groups] [-n] [username [password]]

  • -h, --help - (optional) Display help
  • -X, --debug - (optional) Display debug messages
  • -v, --version - (optional) Display the version and copyright information
  • -S, --script-mode - (optional) Do not prompt for missing arguments, just fail
  • -a, --action - (required) Must be present and one of:
    • create: create a new user
    • update: update an existing user with a new password
    • delete: delete an existing user. The last user cannot be deleted
    • list: display all users
    • reload: reload all users from database
  • -u, --user - (required) Super administrator's user name
  • -p, --password - (required) Super administrator's password
  • -g, --groups - (optional) List of comma separated group names to assign the user to
  • -r, --remove-groups - (optional) List of comma separated group names to remove the user from
  • -n, --not-empty - (optional) Prevent the specified list of groups from having zero members
  • -d, --default-none - (optional) Make the user have no default group association
  • -D, --disable-password - (optional) Make the user have no password
  • username - (required) User name to create, update, or delete
  • password - (required) Password for user to create or update.

Manage Secrets


rsautil manage-secrets [[-m password]|[-u username -p password]] -a action [-n|-N] [-F] [-f -k] [name [value]]

  • -h, --help - Display help
  • -X, --debug - Display debug messages
  • -v, --version - Display the version and copyright information
  • -S, --script-mode - Do not prompt for missing arguments, fail with messages
  • -m, --master-password - Master password for the encrypted properties file
  • -u, --user - User name for the encrypted properties file
  • -p, --password - Password of the user for the encrypted properties file
  • -a, --action - One of these actions:
    • import - Import password-protected file into system fingerprint encrypted file. Also see the "-f" option
    • export - Export system fingerprint encrypted file to password-protected file. Also see the "-f" option
    • change - Change system fingerprint encrypted file
    • password - Also see the "-n" and "-N" options
    • recover - Recover system fingerprint encrypted file using the password
    • load - Load plain text properties file into encrypted file
    • list - Display all properties by English name.
    • listkeys - Display all properties by raw key name
    • set - Set a property to the specified value
    • get - Get the current value for the specified property
  • -n, --new-password - New password for change action
  • -N, --new-master-pwd - New master password for change action
  • -f, --file - Password-protected file to import, export, or load
  • -F, --force - Force overwrite admin credentials with imported file
  • -k, --file-password - Password to use with the specified file
  • name - Name of property to set or get
  • value - Value of property to set

Resetting Admin password


rsautil reset-admin-password

This command updates the current admin password.

For more information, see Unlocking and resetting the vCenter Single Sign On (SSO) administrator password (2034608).

You can also update the master password that was created during installation using the rsautil manage-secrets -m command. For example:

rsautil manage-secrets -m VMware123! -a change -N VMware@12345

Note: This command requires the original master password and is used only for changing the master password. If you forgot the master password, reinstall vSphere Single Sign-On.

Other Single Sign-On commands

Command: repoint.cmd

Located in: C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool

This command is used to point vCenter Server to the SSO server and lookup service.

Command: client-repoint.bat

Located in: C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts

This command is used to register the vSphere Web Client to the SSO server/lookup service.

For more information, see Repointing and reregistering VMware vCenter Server 5.1.x and components (2033620).

Additional Information

When using the rsautil command on the vCenter Server Appliance, it fails with the error:

# /usr/lib/vmware-sso/utils/rsautil
Error: JAVA_HOME or RSA_JAVA_HOME environment variable is not set, or '/bin/java' does not exist.

To fix it temporarily, set the JAVA_HOME variable:
# export JAVA_HOME="/usr/java/jre-vmware"
This resolves the error until the next reboot.

To permanently resolve the JAVA_HOME environment variable error, include the variable in the root bash profile:
  1. In the root user's home directory, create a file named .bash_profile.
  2. Edit the .bash_profile file and add the line:

    export JAVA_HOME="/usr/java/jre-vmware"

  3. Save and close the file.
  4. The changes are now kept permanently across reboots.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 1 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 1 Ratings