How to configure LDAPS as Identity Source in vSphere Client (vCenter).

We are going to learn how to add Active Directory as an LDAP identity source in vCenter.

What we achieve: we will be able to add AD users to vCenter roles and let them log in to vCenter with their AD credentials.

Why use LDAPS: LDAPS (Lightweight Directory Access Protocol over Secure Sockets Layer) is a distributed IP directory protocol similar to LDAP, but with the connection wrapped in SSL/TLS, so the bind credentials and directory traffic are encrypted in transit. The default port for an LDAPS service provider URL is 636.

  1. Log in to the vSphere Client where you want to configure LDAPS as an identity source.
  2. Click Menu -> Administration.
  3. Select Single Sign-On -> Configuration -> Identity Sources -> Add Identity Source.
  4. Select Active Directory over LDAP.
  5. Now enter the details to configure AD as LDAPS.

Format Explained:

  • Name: the domain name
  • Base DN for users: dc=domainname,dc=local (the organizational unit or container of AD in which users are searched)
  • Base DN for groups: dc=domainname,dc=local (the organizational unit or container of AD in which groups are searched)
  • Domain name: name of the domain
  • Domain alias: domain-name
  • Username: the DN of the account used to bind to AD
  • Password: password for the account mentioned above
  • Primary server URL: ldaps://domaincontroller-name:636 (you can use the domain name instead of a specific DC if all your domain controllers are configured to use SSL for LDAP)
  • Secondary server URL: ldaps://domaincontroller-name:636 (optional)

  6. We need to add the SSL certificate of the Active Directory server we entered as the Primary Server URL. How to get it is a big question for many; follow the steps below to get the certificate.

  • Log in to the vCenter appliance over SSH (using PuTTY).
  • Run the command: openssl s_client -connect domainname:636 -showcerts

openssl s_client -connect ad.gsslabs.org:636 -showcerts

  • Once you run it, the server's certificate chain is printed.
  • Copy the complete string from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including both marker lines.
  • Paste it into any text editor and save the file as ldapcert.cer; when saving, set "Save as type" to All Files.
  • Now click Browse in the configuration tab of the vSphere Client, select the certificate file ldapcert.cer and click Open.
  • Your certificate is now attached; click Add.

  7. Active Directory over LDAPS is now successfully configured.

How to Create a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x & 7.x

In this article we are going to learn how to configure Microsoft Certificate Authority (CA) templates for use with custom SSL certificate implementation in vSphere 6.x/7.x.

Connect to the CA server from which you will be generating the certificates, using an RDP session (mstsc).

Click Start > Run, type certtmpl.msc, and click OK.

In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.

In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.

Note: If you use a signature hash stronger than SHA1, select Windows Server 2008 Enterprise.

Click the General tab and, in the Template display name field, enter VMware (or any name you prefer) as the name of the new template.

Click on the Extensions tab.

  1. Select Application Policies and click Edit.
  2. Select Server Authentication and click Remove, then OK.

Note: If Client Authentication exists, remove this from Application Policies as well.

Select Key Usage and click Edit.

  1. Select the Signature is proof of origin (non repudiation) option. Leave all other options as default.
  2. Click OK.

Click the Subject Name tab.

  1. Ensure that the Supply in the request option is selected.
  2. Click OK to save the template.


Now let's proceed with adding the new template to the Certificate Templates section, so that the newly created certificate template becomes available for issuing.

Click Start > Run, type certsrv.msc, and click OK.

In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon.

Right-click Certificate Templates and click New > Certificate Template to Issue.

Locate VMware under the Name column and click OK.

Now we have successfully added the VMware CA template to the Certificate Templates.

Reference: https://kb.vmware.com/s/article/2112009

vCenter root certificate expiry: Sectigo AddTrust External CA Root expired on May 30, 2020.

Are you facing the root certificate expiry issue, and are you using certificates provided by Sectigo?

This causes services on the vCenter server to fail, and the following line appears in the log:

  • Vpxd-svcs.log:

Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint verification is not configured at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:224)]Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sat May 30 10:48:38 UTC 2020

  "This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message." (Sectigo)

What to do?

Validate the logs in the vCenter server.

  • Generate a CSR (Certificate Signing Request) on the PSC/vCenter for the certificate replacement using certificate-manager:
    • VCSA: /usr/lib/vmware-vmca/bin/certificate-manager
    • Windows vCenter: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

Refer to the information below when entering values for CSR generation:

Country : Two uppercase letters only (e.g. US), the country where your company is located.
Name : FQDN of the vCenter Server
Organization : Company Name
OrgUnit : The name of your department within the organization. Example: “IT”
State : The state/province where your company is located
Locality : The city where your company is located.
IPAddress : IP address of the vCenter Server; this field is optional
Email : Email Address
Hostname : FQDN of vCenter Server
VMCA Name : FQDN of vCenter Server with VMCA (Usually External PSC or VC with Embedded PSC FQDN)

  • This task replaces the Machine SSL certificate with a custom CA-signed certificate.
  • This certificate is not issued by VMCA; it is issued by an external Certificate Authority.
  • If you are running an external Platform Services Controller, you will need to restart the services on the external vCenter Server 6.x and then proceed with replacing the Machine SSL certificate of the vCenter Server 6.x.
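The openssl s_client step from the LDAPS section earlier on this page and the expired-chain failure this section describes, as one added example (not code from the original post, and not VMware's or Sectigo's tooling): it splits `openssl s_client -showcerts` output into PEM blocks, decodes each certificate's validity with a small stdlib-only DER walk, and reports which chain positions are already past notAfter, which is exactly what vpxd-svcs was complaining about. The host name ad.gsslabs.org is the page's own example; the embedded certificate is a constructed DER skeleton carrying the AddTrust root's validity dates, not a real certificate, and the script name ldaps_cert.py is assumed.

```python
import base64, re, subprocess, sys
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # decode one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _asn1_time(tag, raw):                               # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate using only the stdlib."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                          # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                      # serialNumber
    _, _, pos = _tlv(tbs, pos)                          # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                          # issuer Name
    _, validity, _ = _tlv(tbs, pos)                     # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def expired_in_chain(s_client_output, now=None):
    """Return (PEM blocks in `s_client -showcerts` output, positions whose notAfter < now)."""
    now = now or datetime.now(timezone.utc)
    pems = PEM_RE.findall(s_client_output)
    return pems, [i for i, pem in enumerate(pems)
                  if cert_validity(base64.b64decode("".join(pem.splitlines()[1:-1])))[1] < now]

# Constructed sample (not a real certificate): DER skeleton with only the fields walked above,
# given the AddTrust root's validity window and wrapped the way s_client prints a chain entry.
def _der(tag, body): return bytes([tag, len(body)]) + body
SAMPLE_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                  + _der(0x30, b"") + _der(0x30, b"")
                  + _der(0x30, _der(0x17, b"000530104838Z") + _der(0x17, b"200530104838Z"))))
SAMPLE_OUTPUT = ("CONNECTED(00000003)\n 0 s:CN = constructed-sample\n-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(SAMPLE_DER).decode() + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":                              # python ldaps_cert.py ad.gsslabs.org
    host = sys.argv[1] if len(sys.argv) > 1 else None   # no host: run on the constructed sample
    output = SAMPLE_OUTPUT if host is None else subprocess.run(["openssl", "s_client", "-connect",
        host + ":636", "-showcerts"], input="", capture_output=True, text=True).stdout
    pems, expired = expired_in_chain(output)
    print(f"{len(pems)} certificate(s) presented; already expired at chain positions {expired}")
    print("first block is what goes into ldapcert.cer:\n" + (pems[0] if pems else "(none)"))
```

Position 0 is the server's own certificate (the block saved as ldapcert.cer in the LDAPS procedure); any later expired position is a stale intermediate or cross-signed root of the kind this section describes.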

Useful links:

https://kb.vmware.com/s/article/2112277

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020