The rsautil command is used to troubleshoot Single Sign-On, and is located in:
C:\Program Files\VMware\Infrastructure\SSOServer\utils
/usr/lib/vmware-sso/utils

rsautil argument
-h, -?, --help - Display rsautil options in the command line
-v, --version - Display the product version
-S, --script-exit - Exit with an error code to facilitate scripting
-X, --debug - Display value of environment variables (RSA_IMS_HOME, JAVA_HOME, etc.)
-g, --generate-classpath - Generate classpath.jar with classpath manifest to locate third-party JAR files
-l, --list - Display a list of available command line utilities

The rsautil command with the -l option displays these command line utilities:
configure-riat - Install and configuration utility
manage-identity-sources - Manage identity sources
manage-oc-administrators - Manage users
manage-secrets - Manage secrets
reset-admin-password - Reset administrator password

rsautil configure-riat argument
-h, --help - Display help and exit. If -a/--action argument is specified, the usage for the specified action is printed
-X, --debug - Log verbose messages in the log file
-S, --script-mode - Do not prompt for missing passwords
-s, --silent - Do not print progress messages to the console
-v, --version - Display the version and copyright information
-a, --action - Actions include:
    install - Install and configure RIAT
    uninstall - Uninstall RIAT
    configure-db - Update server database connection settings
    configure-ssl - Update server SSL settings
    configure-sts - Update security token service (STS) settings
    discover-is - Discover identity source(s) (Windows only)
    user-cert - Generate or update user's certificate
    create-instance-pkg - Create package for installing new RIAT instance

rsautil manage-identity-sources -a action [-u username [-p password]]
-h, --help - Display help
-X, --debug - Display debug messages
-v, --version - Display the version and copyright information
-S, --script-mode - Do not prompt for missing arguments, just fail
-u, --user - Super administrator's user name entered without @system-domain.
-p, --password - Super administrator's password
-a, --action - Must be present and one of:
    create - Create a new identity source
    create arguments:
        -r, --url - Primary URL for create action
        -f, --failover-url - Optional failover URL for create action
        -L, --ldap-user - Optional LDAP account user name. For Active Directory, specify the user in user@domain format
        -P, --ldap-password - Optional LDAP administrative account password
        -d, --domain - Fully qualified domain name associated with this identity source for create action
        -l, --alias - Optional alias associated with this identity source for create action
        --principal-base-dn - Optional principal base DN. (Needed if group base DN is specified) Default: Discovered
        --group-base-dn - Optional group base DN. (Needed if principal base DN is specified) Default: Discovered
        --cert-path - Optional root CA certificate path for SSL connections. Default: Discovered (Active Directory)
        --ldap-port - Optional for SSL connections. Non-SSL port if different from standard (389). Used for root CA certificate discovery (Active Directory)
        --use-gssapi - Optional and only relevant to Active Directory. If specified, the connection to AD uses GSSAPI. Defaults to false.
        --open-ldap - Optional and only relevant to an LDAP server. If specified, the identity source type is OpenLDAP; otherwise it is Active Directory if --url starts with "ldap". Defaults to false.
    delete - Delete an existing identity source
    delete argument:
        -g, --guid - GUID of Identity Source for delete action
    list - Display all identity sources

rsautil manage-oc-administrators -a action [-g groups] [-n] [username [password]]
-h, --help - (optional) Display help
-X, --debug - (optional) Display debug messages
-v, --version - (optional) Display the version and copyright information
-S, --script-mode - (optional) Do not prompt for missing arguments, just fail
-a, --action - (required) Must be present and one of:
    create: create a new user
    update: update an existing user with a new password
    delete: delete an existing user. The last user cannot be deleted
    list: display all users
    reload: reload all users from database
-u, --user - (required) Super administrator's user name
-p, --password - (required) Super administrator's password
-g, --groups - (optional) List of comma separated group names to assign the user to
-r, --remove-groups - (optional) List of comma separated group names to remove the user from
-n, --not-empty - (optional) Prevent the specified list of groups from having zero members
-d, --default-none - (optional) Make the user have no default group association
-D, --disable-password - (optional) Make the user have no password
username - (required) User name to create, update, or delete
password - (required) Password for user to create or update.

rsautil manage-secrets [[-m password]|[-u username -p password]] -a action [-n|-N] [-F] [-f -k] [name [value]]
-h, --help - Display help
-X, --debug - Display debug messages
-v, --version - Display the version and copyright information
-S, --script-mode - Do not prompt for missing arguments, fail with messages
-m, --master-password - Master password for the encrypted properties file
-u, --user - User name for the encrypted properties file
-p, --password - Password of the user for the encrypted properties file
-a, --action - One of these actions:
    import - Import password-protected file into system fingerprint encrypted file. Also see the "-f" option
    export - Export system fingerprint encrypted file to password-protected file. Also see the "-f" option
    change - Change system fingerprint encrypted file password. Also see the "-n" and "-N" options
    recover - Recover system fingerprint encrypted file using the password
    load - Load plain text properties file into encrypted file
    list - Display all properties by English name.
    listkeys - Display all properties by raw key name
    set - Set a property to the specified value
    get - Get the current value for the specified property
-n, --new-password - New password for change action
-N, --new-master-pwd - New master password for change action
-f, --file - Password-protected file to import, export, or load
-F, --force - Force overwrite admin credentials with imported file
-k, --file-password - Password to use with the specified file
name - Name of property to set or get
value - Value of property to set

rsautil reset-admin-password
rsautil manage-secrets -m command. For example:
rsautil manage-secrets -m VMware123! -a change -N VMware@12345
Note: This command requires the original master password and is used only for changing the master password. If you forgot the master password, reinstall vSphere Single Sign-On.
repoint.cmd
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool
client-repoint.bat
C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts
rsautil command on the vCenter Server Appliance, it fails with the error:
# /usr/lib/vmware-sso/utils/rsautil
Error: JAVA_HOME or RSA_JAVA_HOME environment variable is not set, or '/bin/java' does not exist.
JAVA_HOME variable:
# export JAVA_HOME="/usr/java/jre-vmware"
This resolves the error until the next reboot.
JAVA_HOME environment variable error, include the variable in the root bash profile:
.bash_profile
.bash_profile file and add the line:
export JAVA_HOME="/usr/java/jre-vmware"
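
The persistent JAVA_HOME fix above can be applied idempotently, so that repeated runs never leave duplicate or conflicting export lines in the profile. This is an added example, not part of the original article or of VMware's tooling; the function names and the /root/.bash_profile path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# JAVA_DIR is the path the article gives; function names are hypothetical.
JAVA_DIR="/usr/java/jre-vmware"

# java_home_ok DIR: true when DIR/bin/java exists and is executable,
# the condition behind the "'/bin/java' does not exist" error.
java_home_ok() {
    [ -n "$1" ] && [ -x "$1/bin/java" ]
}

# ensure_java_home PROFILE [DIR]: leave PROFILE with exactly one
# export JAVA_HOME="DIR" line. Prints "added", "updated" or "unchanged".
ensure_java_home() {
    profile=$1
    dir=${2:-$JAVA_DIR}
    line="export JAVA_HOME=\"$dir\""
    [ -e "$profile" ] || : > "$profile"

    # Count every JAVA_HOME export and the ones that already match.
    total=$(grep -c '^[[:space:]]*export JAVA_HOME=' "$profile" || true)
    exact=$(grep -cxF "$line" "$profile" || true)
    if [ "$total" -eq 1 ] && [ "$exact" -eq 1 ]; then
        echo unchanged
        return 0
    fi

    # Drop stale or duplicate exports, then append the wanted line.
    tmp=$(mktemp "${profile}.XXXXXX") || return 1
    grep -v '^[[:space:]]*export JAVA_HOME=' "$profile" > "$tmp" || true
    printf '%s\n' "$line" >> "$tmp"
    cat "$tmp" > "$profile"   # rewrite in place to keep owner and mode
    rm -f "$tmp"
    if [ "$total" -eq 0 ]; then echo added; else echo updated; fi
}

# Usage on the appliance (the /root/.bash_profile path is an assumption):
#   java_home_ok "$JAVA_DIR" && ensure_java_home /root/.bash_profile
```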