Delete STS certificate from vmdird database
Article ID: 373613
Updated On:
Products
Issue/Introduction
This article provides steps in deleting an STS certificate from VMDIRD via Jxplorer or command line.
Resolution
The STS certificate is listed under the following vmdird path: local > vsphere > Services > IdentityManager > Tenants > the SSO domain i.e: vsphere.local.
JXplorer Method
- Follow the steps outlined in KB Using JXplorer to connect to the vSphere Single Sign-on to connect to vmdird via Jxplorer
- Identify which STS certificate needs to be deleted
- In the above example image, TenantCredential-1 and TrustedCertChain-1 will be deleted.
- To delete these entries, select the entry and right-click Delete.
Command Line Method
Using the above example image, the following CNs need to be removed:
cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=localcn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
Delete the TenantCredential-#
- Export the LDIF
/opt/likewise/bin/ldapsearch -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'INSERT PASSWORD HERE' -b "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" > /storage/core/tenantcredential.ldifINSERT PASSWORD HERE" with the correct associated password for administrator@<sso-domain (i.e.: [email protected]) - Review the LDIF
/opt/likewise/bin/ldapsearch -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'INSERT PASSWORD HERE' -b "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local" -s sub "objectclass=vmwSTSTenantCredential" - Delete the object
/opt/likewise/bin/ldapdelete -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'INSERT PASSWORD HERE
Delete the TrustedCertificateChain-#
- List the number of certificate chains
/opt/likewise/bin/ldapsearch -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'INSERT PASSWORD HERE
Example/opt/likewise/bin/ldapsearch -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'INSERT PASSWORD HERE# extended LDIF
#
# LDAPv3
# base <cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local > with scope subtree
# filter: objectclass=container
# requesting: ALL
## TrustedCertificateChains, vsphere.local, Tenants, IdentityManager, Services
, vsphere.local
dn: cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager
,cn=Services,dc=vsphere,dc=local
nTSecurityDescriptor:: AQAHhBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAACAPXxdhG/Mkca
FQlchKZq+9AEAAAEGAAAAAAAHFQAAAIA9fF2Eb8yRxoVCVyEpmr4gAgAAAgDAAAUAAAAAExgAMAAA
AAECAAAAAAAHIAAAAJoCAAAAEygAMwAGAAEGAAAAAAAHFQAAAIA9fF2Eb8yRxoVCVyEpmr4DAgAAA
BMoADMABiABBgAAAAAABxUAAACAPXxdhG/MkcaFQlchKZq+AAIAAAATKAAzAAYgAQYAAAAAAAcVAA
AAgD18XYRvzJHGhUJXISmaviACAAAAEygAMwAGIAEGAAAAAAAHFQAAAIA9fF2Eb8yRxoVCVyEpmr7
0AQAA
cn: TrustedCertificateChains
objectClass: top
objectClass: container# search result
search: 2
result: 0 Success# numResponses: 2
# numEntries: 1 <---- In this example, there is one. - Export the LDIF
/opt/likewise/bin/ldapsearch -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w ' INSERT PASSWORD HEREcn=vsphere.local,cn=Tenants, cn=IdentityManager,cn= Services,dc=vsphere,dc=local " > /storage/core/ TrustedCertificateChains.ldif - Delete the object
- For TrustedCertChain-1
/opt/likewise/bin/ldapdelete -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w ' INSERT PASSWORD HERETrustedCertificateChains,cn= vsphere.local,cn=Tenants,cn= IdentityManager,cn=Services, dc=vsphere,dc=local" - For TrustedCertChain-2
/opt/likewise/bin/ldapdelete -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w ' INSERT PASSWORD HERETrustedCertificateChains,cn= vsphere.local,cn=Tenants,cn= IdentityManager,cn=Services, dc=vsphere,dc=local"
- For TrustedCertChain-1
Feedback
