Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.5
Article ID: 336159

Products

VMware vCenter Server

Issue/Introduction

Note: This article applies specifically to vSphere 5.5. If you are using vSphere 5.1, see Configuring CA signed SSL certificates for vCenter Server Single Sign-On in vCenter Server 5.1 (2035011). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).

This article guides you through the configuration of Certificate Authority (CA) certificates for the vCenter Single Sign-On service on vSphere 5.5. VMware has released a tool to automate much of the described process below. See the Replacing vCenter Certificates With the vCenter Certificate Automation Tool section of the vSphere Security Guide before performing the steps in the article.
 
If you cannot use the tool, this article walks through the configuration steps and details, addresses the common causes of problems during certificate implementation, and helps you avoid common misconfigurations when implementing custom certificates in your environment.

This article assumes that:
  • You have completely installed all of the core vSphere 5.5 components in the environment, including:
    • vCenter Single Sign-On
    • vCenter Server
    • vCenter Inventory Service
    • the vSphere Web Client
  • You have performed a backup of the entire vSphere 5.5 installation.
  • You have installed OpenSSL Version 0.9.8 on the vCenter Single Sign-On system.

    Important: OpenSSL Version 0.9.8 must be used. If you do not use this version, the SSL implementation fails.
     
  • You have installed OpenSSL to C:\OpenSSL-Win32. If it is installed elsewhere, change the location as appropriate.


Environment

VMware vCenter Server 5.5.x

Resolution

Note: This article is part of a resolution path. Before performing the steps in this article, see Implementing CA signed SSL certificates with vSphere 5.x (2034833).
 
Creating CA signed certificates for vSphere is a complex task, but many organizations must do it to meet regulatory security requirements. Successful implementation involves several distinct workflows:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate for Single Sign-On
These steps must be followed to ensure successful implementation of a custom certificate for vCenter server. Before attempting these steps ensure that:

Installation and configuration of the certificate for vCenter SSO

After the certificate is created, perform these steps to complete the installation and configuration of the certificate.

Note: VMware recommends you take a backup of your vCenter Server before proceeding to carry out these steps.
 
To replace the vCenter SSO certificates:
  1. Log in to the vCenter SSO server with an administrator account.

    Notes:
    • If following Creating certificate requests and certificates for the vCenter 5.x components (2037432), all vSphere components are installed on the same server. All files should be located in C:\certs.
    • If each vSphere component is installed on a separate system rather than all on one server, the files generated in the preceding Steps 6 and 7 must be copied to each server. After copying, each vSphere component system has a C:\ProgramData\VMware\SSL folder containing ca_certificates.crt and a hash file.
  2. Open an elevated command prompt and enter these commands to prepare the environment. For more information on opening a command prompt, see Opening a command or shell prompt (1003892).

    C:\>SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components

    C:\>SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin

    Note: The values for JAVA_HOME and PATH must not be enclosed in quotes.
     
  3. If present, back up the SSL directory under C:\ProgramData\VMware\. This folder must contain two files: ca_certificates.crt and a hash file named 8_characters.0.
  4. Register the new root certificate into the VMware Trust Store by running the commands:

    C:\> cd OpenSSL-Win32\bin

    C:\OpenSSL-Win32\bin> openssl

    Create the following three .properties files in the c:\certs directory for temporary use. The ssl=c:\certs\Root64.cer value used in these files is for environments with only a single Root Certificate Authority server. If you are using intermediate Certificate Authority servers, use ssl=c:\certs\chain.cer, pointing at the chain file generated previously.

     
    • gc.properties:

      [service]
      friendlyName=The group check interface of the SSO server
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:groupcheck
      description=The group check interface of the SSO server


      [endpoint0]
      uri=https://SSOserver.domain.com:7444/sso-adminserver/sdk/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=vmomi

       
    • admin.properties:

      [service]
      friendlyName=The administrative interface of the SSO server
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:admin
      description=The administrative interface of the SSO server

      [endpoint0]
      uri=https://SSOServer.domain.com:7444/sso-adminserver/sdk/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=vmomi

       
    • sts.properties:

      [service]
      friendlyName=STS for Single Sign On
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:sts
      description=The Security Token Service of the Single Sign On server.

      [endpoint0]
      uri=https://SSOserver.domain.com:7444/sts/STSService/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=wsTrust

       
  5. Run the ssolscli command to list all service entries from the Lookup Service:

    C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso>ssolscli.cmd listServices Lookup_Service_URL

    Note: Ensure you use the Fully Qualified Domain Name (FQDN) for the Lookup Service URL or the command fails.

    For example:

    C:\> ssolscli.cmd listServices https://WVC08.domain.local:7444/lookupservice/sdk

    You see output similar to:

    ssolscli.cmd listServices
     
  6. Locate the three SSO services in the ssolscli output.

    Note: The SSO services can be identified by looking at the type= field.
     
    • Group Check: type=urn:sso:groupcheck

      You see output similar to:

      urn:sso:groupcheck
       
    • SSO Admin: type=urn:sso:admin

      You see output similar to:

      urn:sso:admin
       
    • Security Token Service (STS): type=urn:sso:sts

      You see output similar to:

      urn:sso:sts
       
  7. Write the serviceId= value of each of the three SSO services to a separate text file (c:\certs\gc_id, c:\certs\admin_id and c:\certs\sts_id, as used in the next step). You can do this by using the echo command.

    For example:

    viSite is Broomfield.
     
  8. Use these commands to update the three SSO services:

    Important: Update the services in this order starting with Groupcheck. Performing the updates out of order prevents SSO from starting.
     
    • For the Groupcheck Service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_administrator_password -si c:\certs\gc_id -ip c:\certs\gc.properties
       
    • For the Admin Service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_administrator_password -si c:\certs\admin_id -ip c:\certs\admin.properties
       
    • For the STS service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_administrator_password -si c:\certs\sts_id -ip c:\certs\sts.properties
  9. Open Windows Explorer and navigate to C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf.
  10. Back up the existing ssoserver.p12, ssoserver.key and ssoserver.crt files.
  11. Copy the new ssoserver.p12, ssoserver.crt and ssoserver.key files to the conf directory either using the Windows Explorer or the command line:

    C:\> copy C:\certs\SSO\ssoserver.p12 C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
    C:\> copy C:\certs\Root64.cer C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
    C:\> copy C:\certs\SSO\rui.key C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key


    Note: The Root64.cer used in these commands is for environments with a single Root Certificate Authority server only. If you are using intermediate Certificate Authority servers, you must use chain.cer instead.

     
  12. For the new SSL certificates to take effect, restart the VMware Security Token Service by running the commands:

    C:\> net stop VMwareSTS
    C:\> net start VMwareSTS


    The SSL certificate for vCenter Single Sign-On (including the Group Check, the SSO Admin service, and Security Token Service) is successfully updated. Next, continue to install the custom certificates for the vCenter Inventory Service. For more information, see Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5 (2061953).
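A post-change verification script covering the three places this procedure touches: the trust store prepared in step 3, the STS conf files replaced in steps 9 to 11, and the certificate the service actually presents on port 7444 after the restart in step 12. This is an added example written for this page, not code from VMware or from the KB article. It assumes OpenSSL 0.9.8 under C:\OpenSSL-Win32 (the version the article requires); the SSO server FQDN and the export password of ssoserver.p12 are placeholders you must supply. Run it from an elevated PowerShell prompt on the SSO server after step 12.

```powershell
# Post-change verification for the SSO certificate replacement above. Added example,
# not code from the KB article. Assumptions the article does not state: OpenSSL 0.9.8 at
# C:\OpenSSL-Win32 (the version the article requires), $SsoFqdn is the SSO server's FQDN,
# and $P12Password is the export password used when ssoserver.p12 was created.
param(
    [string]$SsoFqdn     = 'ssoserver.domain.com',             # placeholder, replace
    [string]$P12Password = 'P12_EXPORT_PASSWORD_PLACEHOLDER',  # placeholder, replace
    [string]$OpenSsl     = 'C:\OpenSSL-Win32\bin\openssl.exe',
    [string]$TrustDir    = 'C:\ProgramData\VMware\SSL',
    [string]$StsConf     = 'C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf'
)
$ErrorActionPreference = 'Stop'
$failures = @()

function Get-ServedCertificate([string]$HostName, [int]$Port) {
    # Open a TLS session and return whatever certificate the server presents. Validation is
    # deliberately skipped here; the chain is checked against ssoserver.crt separately.
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# 1. Trust store (step 3): ca_certificates.crt plus exactly one hash file whose name is the
#    OpenSSL 0.9.8 subject hash of that CA certificate. OpenSSL 1.x computes a different
#    value for -hash; there the same value comes from -subject_hash_old.
$caFile = Join-Path $TrustDir 'ca_certificates.crt'
if (-not (Test-Path $caFile)) {
    $failures += "missing $caFile"
} else {
    $expectedHash = (& $OpenSsl x509 -noout -hash -in $caFile).Trim()
    $hashFiles = @(Get-ChildItem -Path $TrustDir -Filter '*.0' | Where-Object { $_.Name -match '^[0-9a-f]{8}\.0$' })
    if ($hashFiles.Count -ne 1) {
        $failures += "expected one hash file in $TrustDir, found $($hashFiles.Count)"
    } elseif ($hashFiles[0].Name -ne "$expectedHash.0") {
        $failures += "hash file $($hashFiles[0].Name) does not match CA subject hash $expectedHash"
    }
}

# 2. STS keystore (steps 9-11): all three files present, ssoserver.p12 opens with the
#    password, and its private-key certificate chains to the CA/chain file in ssoserver.crt.
foreach ($name in 'ssoserver.p12', 'ssoserver.crt', 'ssoserver.key') {
    if (-not (Test-Path (Join-Path $StsConf $name))) { $failures += "missing $StsConf\$name" }
}
$leaf = $null
try {
    $bag = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bag.Import((Join-Path $StsConf 'ssoserver.p12'), $P12Password,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    $leaf = @($bag | Where-Object { $_.HasPrivateKey })[0]
    if (-not $leaf) { $failures += 'ssoserver.p12 contains no certificate with a private key' }
} catch {
    $failures += "cannot open ssoserver.p12: $($_.Exception.Message)"
}
if ($leaf) {
    # Export the leaf as PEM (76-column base64, which OpenSSL 0.9.8 expects) and let
    # openssl verify build the chain; an output line ending in ': OK' is the success signal.
    $pem = Join-Path $env:TEMP 'sso_leaf_check.pem'
    $der = $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $pem -Value "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
    $verify = & $OpenSsl verify -CAfile (Join-Path $StsConf 'ssoserver.crt') $pem
    if (-not ($verify -match ': OK$')) { $failures += "ssoserver.p12 leaf does not chain to ssoserver.crt: $verify" }
    Remove-Item $pem -ErrorAction SilentlyContinue
}

# 3. Live check (step 12): VMwareSTS is running and port 7444 now presents the new leaf.
#    A thumbprint mismatch means the service is still serving the old certificate.
if ($leaf) {
    $svc = Get-Service -Name VMwareSTS
    if ($svc.Status -ne 'Running') {
        $failures += "VMwareSTS is $($svc.Status), not Running"
    } else {
        $served = Get-ServedCertificate -HostName $SsoFqdn -Port 7444
        if ($served.Thumbprint -ne $leaf.Thumbprint) {
            $failures += "port 7444 presents $($served.Thumbprint), expected $($leaf.Thumbprint)"
        }
    }
}

if ($failures.Count -eq 0) {
    Write-Host 'SSO certificate verification passed'
} else {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```

Save it under a name of your choice (Verify-SsoCert.ps1 is assumed here) and run it as `.\Verify-SsoCert.ps1 -SsoFqdn ssoserver.domain.com -P12Password <password>`. The hash-file check catches the OpenSSL version mismatch the article warns about, the openssl verify step confirms that ssoserver.crt really is the issuing CA or chain for the new certificate, and the thumbprint comparison at the end is the check that tells you whether the restart picked up the new keystore rather than continuing to serve the old certificate.
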

Additional Information