How to configure RSA on vCenter Servers in Linked Mode


Article ID: 380304


Products

VMware vCenter Server

Issue/Introduction

This article covers only the essential steps for configuring RSA SecurID authentication on vCenter Servers that are joined in Enhanced Linked Mode (ELM), and the extra backup/restore step that keeps one node's configuration from breaking another's.


Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

vCenter Servers in Enhanced Linked Mode (ELM) replicate a single vmdird (VMware Directory Service) database, and the RSA configuration written by sso-config.sh is stored in it. If RSA authentication is already configured on vCenter A and you then configure it on vCenter B, vCenter B's settings overwrite vCenter A's in the shared database: the last write wins.

RSA authentication then keeps working on vCenter B and stops working on vCenter A.

Resolution

Note: Before following the steps below, take offline snapshots of every vCenter Server in the ELM replication group. If a rollback is needed because something unexpected happens, all ELM nodes must be rolled back together, not only the node on which the problem appeared.

Pre-requisites:

  1. Ensure that the LDAP attribute on the RSA Authentication Manager is configured to use sAMAccountName.
  2. Verify that each vCenter Server node is set up as a standard agent on the RSA Authentication Manager.
  3. Confirm that the certificates presented by the RSA Authentication Manager are trusted by the vCenter Server (Platform Services Controller).
  4. Download the sdconf.rec file from the RSA Authentication Manager; the commands below expect it at /root/sdconf.rec.

On the first vCenter Server, run the following commands to configure RSA. Replace <SSO Domain> with the SSO domain (typically vsphere.local), <PSC FQDN> with the FQDN of this node as registered on the RSA Authentication Manager, and <Domain name> with the name of the Active Directory identity source:

/opt/vmware/bin/sso-config.sh -t <SSO Domain> -set_authn_policy -securIDAuthn true
/opt/vmware/bin/sso-config.sh -set_rsa_config -t <SSO Domain> -logLevel DEBUG
/opt/vmware/bin/sso-config.sh -set_rsa_site -t <SSO Domain> -agentName <PSC FQDN> -sdConfFile /root/sdconf.rec
/opt/vmware/bin/sso-config.sh -set_rsa_userid_attr_map -t <SSO Domain> -idsName <Domain name> -ldapAttr sAMAccountName

The first command enables RSA SecurID as an authentication method for the tenant; the second sets the RSA log level (DEBUG is verbose and is useful while setting up, lower it once the configuration has been validated); the third registers this node as the agent using the downloaded sdconf.rec; the fourth maps the RSA user ID to the sAMAccountName attribute of the identity source, matching prerequisite 1.

Validate the configuration with the following command and confirm that the agent name, identity source and attribute mapping are the ones you entered:

/opt/vmware/bin/sso-config.sh -t <SSO Domain> -get_rsa_config


Once the configuration is validated, restart all services on this vCenter Server.

Then, in /etc/vmware-sso/vsphere.local (substitute your SSO domain if it is not vsphere.local), back up the two files rsa_api.properties and sdconf.rec to a location outside that directory.

This backup is needed because configuring RSA on any additional node in the ELM environment overwrites these files with the new node's configuration, which disrupts RSA authentication on the vCenter Server that was configured first.

Follow the same steps to configure RSA on each additional vCenter Server node in the ELM environment.

Then, on the first vCenter Server, restore rsa_api.properties and sdconf.rec from the backup to /etc/vmware-sso/vsphere.local and confirm that the restored files match the backup.
This ensures that each vCenter Server keeps its own RSA configuration.
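As an added example (not part of this article or of VMware's tooling), the following POSIX shell wrapper performs the steps above and makes the backup/restore explicit and verifiable: it runs the article's sso-config.sh calls, copies the two node-local files out of the tenant directory, reports whether they have since been overwritten, and puts them back. The sso-config.sh flags and file paths are the ones the article shows; the subcommand names, the RSA_ELM_RUN guard, the backup directory under /root, the use of `hostname -f` as the agent name and `service-control --stop/--start --all` for the service restart are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): wraps the article's sso-config.sh
# steps and snapshots the node-local files the article says get overwritten
# (rsa_api.properties and sdconf.rec) so the overwrite can be detected and
# reversed. Subcommand names and the RSA_ELM_RUN guard are assumptions of
# this script, not a VMware interface.

SSO_CONFIG=/opt/vmware/bin/sso-config.sh
RSA_FILES="rsa_api.properties sdconf.rec"

# backup_rsa_files CONF_DIR BACKUP_DIR
# Copy the node-local RSA files out of CONF_DIR (e.g. /etc/vmware-sso/vsphere.local).
backup_rsa_files() {
  conf_dir=$1 backup_dir=$2
  mkdir -p "$backup_dir"
  for f in $RSA_FILES; do
    if [ ! -f "$conf_dir/$f" ]; then
      echo "backup: $conf_dir/$f not found; configure RSA on this node first" >&2
      return 1
    fi
    cp -p "$conf_dir/$f" "$backup_dir/$f"
  done
}

# rsa_files_unchanged CONF_DIR BACKUP_DIR
# Succeed only if every live file is byte-identical to its backup. Run this
# on the first node after the other nodes were configured: a mismatch is
# exactly the overwrite the article describes.
rsa_files_unchanged() {
  conf_dir=$1 backup_dir=$2
  for f in $RSA_FILES; do
    cmp -s "$conf_dir/$f" "$backup_dir/$f" || return 1
  done
  return 0
}

# restore_rsa_files CONF_DIR BACKUP_DIR
# Put the first node's own files back and confirm the restore took.
restore_rsa_files() {
  conf_dir=$1 backup_dir=$2
  for f in $RSA_FILES; do
    cp -p "$backup_dir/$f" "$conf_dir/$f" || return 1
  done
  rsa_files_unchanged "$conf_dir" "$backup_dir"
}

# configure_rsa TENANT AGENT_FQDN IDS_NAME SDCONF_FILE
# The article's four sso-config.sh calls, followed by its validation call.
configure_rsa() {
  tenant=$1 agent_fqdn=$2 ids_name=$3 sdconf=$4
  "$SSO_CONFIG" -t "$tenant" -set_authn_policy -securIDAuthn true &&
  "$SSO_CONFIG" -set_rsa_config -t "$tenant" -logLevel DEBUG &&
  "$SSO_CONFIG" -set_rsa_site -t "$tenant" -agentName "$agent_fqdn" -sdConfFile "$sdconf" &&
  "$SSO_CONFIG" -set_rsa_userid_attr_map -t "$tenant" -idsName "$ids_name" -ldapAttr sAMAccountName &&
  "$SSO_CONFIG" -t "$tenant" -get_rsa_config
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${RSA_ELM_RUN:-0}" = 1 ]; then
  tenant=${SSO_DOMAIN:-vsphere.local}
  conf_dir=/etc/vmware-sso/$tenant
  backup_dir=${RSA_BACKUP_DIR:-/root/rsa-backup-$(hostname -f)}   # assumed location
  case "$1" in
    configure)   # on the first node and on every additional node
      configure_rsa "$tenant" "$(hostname -f)" "$2" "${3:-/root/sdconf.rec}" &&
      service-control --stop --all && service-control --start --all ;;
    backup)      # on the first node, once its configuration is validated
      backup_rsa_files "$conf_dir" "$backup_dir" ;;
    check)       # on the first node, after the other nodes were configured
      if rsa_files_unchanged "$conf_dir" "$backup_dir"; then echo unchanged; else echo OVERWRITTEN; fi ;;
    restore)     # on the first node: put its own files back
      restore_rsa_files "$conf_dir" "$backup_dir" && echo restored ;;
    *) echo "usage: RSA_ELM_RUN=1 $0 {configure <idsName> [sdconf.rec]|backup|check|restore}" >&2; exit 2 ;;
  esac
fi
```

Typical order on the first node: `RSA_ELM_RUN=1 ./rsa-elm.sh configure <Domain name>`, validate, then `backup`; configure the remaining nodes; back on the first node run `check` (expect OVERWRITTEN) and then `restore`. The `check` step is the practitioner's addition: it turns "authentication stopped working on vCenter A" into a concrete, testable statement about two files.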
