VMware ESXI - 6.7 Administrator’s Guide
Platform Services
Controller Administration
17 APR 2018
VMware vSphere 6.7
VMware ESXi 6.7
vCenter Server 6.7
Platform Services Controller Administration
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2009–2018 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 2
Contents
About Platform Services Controller Administration 5
Getting Started with Platform Services Controller 7
1
vCenter Server and Platform Services Controller Deployment Types 7
Deployment Topologies with External Platform Services Controller Instances and High Availability 11
Understanding vSphere Domains, Domain Names, and Sites 13
Platform Services Controller Capabilities 14
Managing Platform Services Controller Services 15
Managing the Platform Services Controller Appliance 19
vSphere Authentication with vCenter Single Sign-On 22
2
Understanding vCenter Single Sign-On 23
Configuring vCenter Single Sign-On Identity Sources 30
Understanding vCenter Server Two-Factor Authentication 37
Using vCenter Single Sign-On as the Identity Provider for Another Service Provider 52
Security Token Service STS 53
Managing vCenter Single Sign-On Policies 59
Managing vCenter Single Sign-On Users and Groups 63
vCenter Single Sign-On Security Best Practices 70
vSphere Security Certificates 72
3
Certificate Requirements for Different Solution Paths 73
Certificate Management Overview 77
Managing Certificates with the vSphere Client 90
Managing Certificates from the vSphere Web Client 97
Managing Certificates with the vSphere Certificate Manager Utility 98
Manual Certificate Replacement 113
VMware, Inc.
Managing Services and Certificates with CLI Commands 147
4
Required Privileges for Running CLIs 148
Changing the certool Configuration Options 149
certool Initialization Commands Reference 150
certool Management Commands Reference 153
vecs-cli Command Reference 156
dir-cli Command Reference 162
Troubleshooting Platform Services Controller 169
5
Determining the Cause of a Lookup Service Error 169
3
Platform Services Controller Administration
Unable to Log In Using Active Directory Domain Authentication 170
vCenter Server Login Fails Because the User Account Is Locked 172
VMware Directory Service Replication Can Take a Long Time 173
Export a Platform Services Controller Support Bundle 173
Platform Services Controller Service Logs Reference 174
VMware, Inc. 4
About
Platform Services Controller
Administration
The Platform Services Controller Administration documentation explains how the VMware
®
Platform Services Controller™ fits into your vSphere environment and helps you perform common tasks
such as certificate management and vCenter Single Sign-On configuration.
Platform Services Controller Administration explains how you can set up authentication with vCenter
Single Sign-On and how to manage certificates for vCenter Server and related services.
Table 1.
Topics Content Highlights
Getting Started with Platform Services Controller
vSphere Authentication with vCenter Single Sign-On
Platform Services Controller Administration
n
vCenter Server and Platform Services Controller
deployment models. NOTE: This information changes with
each release of the product.
n
Platform Services Controller services on Linux and
Windows.
n
Managing Platform Services Controller services.
n
Managing the Platform Services Controller appliance using
VAMI.
n
Architecture of the authentication process.
n
How to add identity sources so users in your domain can
authenticate.
n
Two-factor authentication.
n
Managing users, groups, and policies.
Highlights
vSphere Security Certificates
n
Certificate model, and options for replacing certificates.
n
Replace certificates from the UI (simple cases).
n
Replace certificates using the Certificate Manager utility.
n
Replace certificates using the CLI (complex situations).
n
Certificate management CLI reference.
Related Documentation
A companion document, vSphere Security, describes available security features and the measures that
you can take to safeguard your environment from attack. That document also explains how you can set
up permissions, and includes a reference to privileges.
VMware, Inc.
5
Platform Services Controller Administration
In addition to these documents, VMware publishes a Hardening Guide for each release of vSphere,
accessible at http://www.vmware.com/security/hardening-guides.html. The Hardening Guide is a
spreadsheet with entries for different potential security issues. It includes items for three different risk
profiles.
Intended Audience
This information is intended for administrators who want to configure Platform Services Controller and
associated services. The information is written for experienced Windows or Linux system administrators
who are familiar with virtual machine technology and data center operations.
vSphere Web Client and vSphere Client
Instructions in this guide reflect the vSphere Client (an HTML5-based GUI). You can also use the
instructions to perform most of the tasks by using the vSphere Web Client (a Flex-based GUI).
Note In vSphere 6.7, most of the vSphere Web Client functionality is implemented in the vSphere Client.
For an up-to-date list of the unsupported functionality, see Functionality Updates for the vSphere Client.
VMware, Inc. 6
Getting Started with Platform
Services Controller 1
The Platform Services Controller provides common infrastructure services to the vSphere environment.
Services include licensing, certificate management, and authentication with vCenter Single Sign-On.
This chapter includes the following topics:
n
vCenter Server and Platform Services Controller Deployment Types
n
Deployment Topologies with External Platform Services Controller Instances and High Availability
n
Understanding vSphere Domains, Domain Names, and Sites
n
Platform Services Controller Capabilities
n
Managing Platform Services Controller Services
n
Managing the Platform Services Controller Appliance
vCenter Server and Platform Services Controller
Deployment Types
You can deploy the vCenter Server Appliance or install vCenter Server for Windows with an embedded or
external Platform Services Controller. You can also deploy a Platform Services Controller as an appliance
or install it on Windows. If necessary, you can use a mixed operating systems environment.
Before you deploy the vCenter Server Appliance or install vCenter Server for Windows, you must
determine the deployment model that is suitable for your environment. For each deployment or
installation, you must select one of the three deployment types.
VMware, Inc.
7
Platform Services
Controller
Virtual Machine or Physical Server
vCenter Server
Platform Services Controller Administration
Table 1‑1. vCenter Server and Platform Services Controller Deployment Types
Deployment Type Description
vCenter Server with an embedded Platform Services Controller All services that are bundled with the
Platform Services Controller are deployed together with the
vCenter Server services on the same virtual machine or physical
server.
Platform Services Controller Only the services that are bundled with the
Platform Services Controller are deployed on the virtual machine
or physical server.
vCenter Server with an external Platform Services Controller
(Requires external Platform Services Controller)
Only the vCenter Server services are deployed on the virtual
machine or physical server.
You must register such a vCenter Server instance with a
Platform Services Controller instance that you previously
deployed or installed.
vCenter Server with an Embedded Platform Services Controller
Using an embedded Platform Services Controller results in a standalone deployment that has its own
vCenter Single Sign-On domain with a single site. vCenter Server with an embedded
Platform Services Controller is suitable for small environments. You cannot join other vCenter Server or
Platform Services Controller instances to this vCenter Single Sign-On domain.
Figure 1‑1. vCenter Server with an Embedded Platform Services Controller
Installing vCenter Server with an embedded Platform Services Controller has the following advantages:
n
The connection between vCenter Server and the Platform Services Controller is not over the network,
and vCenter Server is not prone to outages caused by connectivity and name resolution issues
between vCenter Server and the Platform Services Controller.
n
If you install vCenter Server on Windows virtual machines or physical servers, you need fewer
Windows licenses.
n
You manage fewer virtual machines or physical servers.
Installing vCenter Server with an embedded Platform Services Controller has the following
disadvantages:
n
There is a Platform Services Controller for each product which might be more than required and
which consumes more resources.
n
The model is suitable only for small-scale environments.
VMware, Inc. 8
Platform Services
Controller
Virtual Machine or Physical Server
vCenter Server
Virtual Machine or Physical Server
vCenter Server
Virtual Machine or Physical Server
Platform Services Controller Administration
You can configure the vCenter Server Appliance with an embedded Platform Services Controller in
vCenter High Availability configuration. For information, see vSphere Availability.
Note After you deploy or install vCenter Server with an embedded Platform Services Controller, you can
reconfigure the deployment type and switch to vCenter Server with an external
Platform Services Controller.
Platform Services Controller and vCenter Server with an External
Platform Services Controller
When you deploy or install a Platform Services Controller instance, you can create a vCenter Single SignOn domain or join an existing vCenter Single Sign-On domain. Joined Platform Services Controller
instances replicate their infrastructure data, such as authentication and licensing information, and can
span multiple vCenter Single Sign-On sites. For information, see Understanding vSphere Domains,
Domain Names, and Sites.
You can register multiple vCenter Server instances with one common external
Platform Services Controller instance. The vCenter Server instances assume the vCenter Single Sign-On
site of the Platform Services Controller instance with which they are registered. All vCenter Server
instances that are registered with one common or different joined Platform Services Controller instances
are connected in Enhanced Linked Mode.
Figure 1‑2. Example of Two vCenter Server Instances with a Common External
Platform Services Controller
Installing vCenter Server with an external Platform Services Controller has the following advantages:
n
Fewer resources consumed by the shared services in the Platform Services Controller instances.
n
The model is suitable for large-scale environments.
Installing vCenter Server with an external Platform Services Controller has the following disadvantages:
n
The connection between vCenter Server and Platform Services Controller might have connectivity
and name resolution issues.
n
If you install vCenter Server on Windows virtual machines or physical servers, you need more
Microsoft Windows licenses.
n
You must manage more virtual machines or physical servers.
VMware, Inc. 9
Platform Services
Controller on Windows
Windows Virtual Machine
or Physical Server
vCenter Server on Windows
Virtual Machine or Physical Server
vCenter Server Appliance
Virtual Machine
Platform Services
Controller Appliance
Virtual Machine
vCenter Server on Windows
Virtual Machine or Physical Server
vCenter Server Appliance
Virtual Machine
Platform Services Controller Administration
For information about the Platform Services Controller and vCenter Server maximums, see the
Configuration Maximums documentation.
For information about configuring the vCenter Server Appliance with an external
Platform Services Controller in vCenter High Availability configuration, see vSphere Availability.
Mixed Operating Systems Environment
A vCenter Server instance installed on Windows can be registered with either a
Platform Services Controller installed on Windows or a Platform Services Controller appliance. A
vCenter Server Appliance can be registered with either a Platform Services Controller installed on
Windows or a Platform Services Controller appliance. Both vCenter Server and the
vCenter Server Appliance can be registered with the same Platform Services Controller.
Figure 1‑3. Example of a Mixed Operating Systems Environment with an External Platform
Services Controller on Windows
Figure 1‑4. Example of a Mixed Operating Systems Environment with an External Platform
Services Controller Appliance
Note To ensure easy manageability and maintenance, use only appliances or only Windows installations
of vCenter Server and Platform Services Controller.
VMware, Inc. 10
Load Balancer
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
Platform Services Controller Administration
Deployment Topologies with External Platform Services Controller Instances and High Availability
To ensure Platform Services Controller high availability in external deployments, you must install or
deploy at least two joined Platform Services Controller instances in your vCenter Single Sign-On domain.
When you use a third-party load balancer, you can ensure an automatic failover without downtime.
Platform Services Controller with a Load Balancer
Figure 1‑5. Example of a Load Balanced Pair of Platform Services Controller Instances
You can use a third-party load balancer per site to configure Platform Services Controller high availability
with automatic failover for this site. For information about the maximum number of
Platform Services Controller instances behind a load balancer, see the Configuration Maximums
documentation.
Important To configure Platform Services Controller high availability behind a load balancer, the
Platform Services Controller instances must be of the same operating system type. Mixed operating
systems Platform Services Controller instances behind a load balancer are unsupported.
The vCenter Server instances are connected to the load balancer. When a Platform Services Controller
instance stops responding, the load balancer automatically distributes the load among the other functional
Platform Services Controller instances without downtime.
VMware, Inc. 11
Load Balancer
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Site 1
Virtual Machine or
Physical Server
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
Load Balancer
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
Site 2
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
vCenter Server vCenter Server vCenter Server vCenter Server
Virtual Machine or
Physical Server
Platform Services
Controller
Virtual Machine or
Physical Server
Platform Services Controller Administration
Platform Services Controller with Load Balancers Across vCenter
Single Sign-On Sites
Figure 1‑6. Example of Two Load Balanced Pairs of Platform Services Controller Instances
Across Two Sites
Your vCenter Single Sign-On domain might span multiple sites. To ensure Platform Services Controller
high availability with automatic failover throughout the domain, you must configure a separate load
balancer in each site.
Platform Services Controller with No Load Balancer
Figure 1‑7. Example of Two Joined Platform Services Controller Instances with No a Load
Balancer
When you join two or more Platform Services Controller instances in the same site with no load balancer,
you configure Platform Services Controller high availability with a manual failover for this site.
VMware, Inc. 12
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
vCenter Server
Platform Services
Controller
Virtual Machine or
Physical Server
Virtual Machine or
Physical Server
Site 1 Site 2
Platform Services Controller Administration
When a Platform Services Controller instance stops responding, you must manually fail over the
vCenter Server instances that are registered to it. You fail over the instances by repointing them to other
functional Platform Services Controller instances within the same site. For information about how to
repoint vCenter Server instances to another external Platform Services Controller, see vCenter Server
Installation and Setup.
Note If your vCenter Single Sign-On domain includes three or more Platform Services Controller
instances, you can manually create a ring topology. A ring topology ensures Platform Services Controller
reliability when one of the instances fails. To create a ring topology, run the /usr/lib/vmware-
vmdir/bin/vdcrepadmin -f createagreement command against the first and last
Platform Services Controller instance that you have deployed.
Platform Services Controller with No Load Balancer Across
vCenter Single Sign-On Sites
Figure 1‑8. Example of Two Joined Pairs of Platform Services Controller Instances Across
Two Sites with No Load Balancer
Your vCenter Single Sign-On domain might span multiple sites. When no load balancer is available, you
can manually repoint vCenter Server from a failed to a functional Platform Services Controller within the
same site. For information about how to repoint vCenter Server instances to another external
Platform Services Controller, see vCenter Server Installation and Setup.
Understanding vSphere Domains, Domain Names, and Sites
Each Platform Services Controller is associated with a vCenter Single Sign-On domain. The domain
name defaults to vsphere.local, but you can change it during installation of the first
Platform Services Controller. The domain determines the local authentication space. You can split a
domain into multiple sites, and assign each Platform Services Controller and vCenter Server instance to a
site. Sites are logical constructs, but usually correspond to geographic location.
VMware, Inc. 13
Platform Services Controller Administration
Platform Services Controller Domain
When you install a Platform Services Controller, you are prompted to create a vCenter Single Sign-On
domain or join an existing domain.
The domain name is used by the VMware Directory Service (vmdir) for all Lightweight Directory Access
Protocol (LDAP) internal structuring.
With vSphere 6.0 and later, you can give your vSphere domain a unique name. To prevent authentication
conflicts, use a name that is not used by OpenLDAP, Microsoft Active Directory, and other directory
services.
Note You cannot change the domain to which a Platform Services Controller or vCenter Server instance
belongs.
After you specify the name of your domain, you can add users and groups. It usually makes more sense
to add an Active Directory or LDAP identity source and allow the users and groups in that identity source
to authenticate. You can also add vCenter Server or Platform Services Controller instances, or other
VMware products, such as vRealize Operations, to the domain.
Platform Services Controller Sites
You can organize Platform Services Controller domains into logical sites. A site in the VMware Directory
Service is a logical container for grouping Platform Services Controller instances within a vCenter Single
Sign-On domain.
You are prompted for the site name when you install or upgrade a Platform Services Controller. See the
vCenter Server Installation and Setup documentation.
Platform Services Controller Capabilities
Platform Services Controller supports services such as identity management, certificate management,
and license management in vSphere.
Key Capabilities
Platform Services Controller includes several services, discussed in Platform Services Controller
Services, and has the following key capabilities.
n
Authentication through vCenter Single Sign-On
n
Provisioning of vCenter Server components and ESXi hosts with VMware Certificate Manager
(VMCA) certificates by default
n
Use of custom certificates, which are stored in the VMware Endpoint Certificate Store (VECS)
VMware, Inc. 14
Platform Services Controller Administration
Deployment Models
You can install Platform Services Controller on a Windows system or deploy the
Platform Services Controller appliance.
The deployment model depends on the version of Platform Services Controller that you are using. See
vCenter Server and Platform Services Controller Deployment Types.
Managing Platform Services Controller Services
You manage Platform Services Controller services from the vSphere Web Client, or by using one of the
available scripts and CLIs.
Different Platform Services Controller services support different interfaces.
Table 1‑2. Interfaces for Managing Platform Services Controller Services
Interface Description
vSphere Client Web interface (HTML5-based client). The vSphere Client user
interface terminology, topology, and workflow are closely aligned
with the same aspects and elements of the vSphere Web Client
user interface.
vSphere Web Client Web interface for managing some of the services.
Certificate Management utility Command-line tool that supports CSR generation and certificate
replacement. See Managing Certificates with the vSphere
Certificate Manager Utility.
CLIs for managing Platform Services Controller services Set of commands for managing certificates, the VMware
Endpoint Certificate Store (VECS), and VMware Directory
Service (vmdir). See Chapter 4 Managing Services and
Certificates with CLI Commands.
Platform Services Controller Services
With Platform Services Controller, all VMware products within the same environment can share the
authentication domain and other services. Services include certificate management, authentication, and
licensing.
Platform Services Controller includes the following core infrastructure services.
VMware, Inc. 15
Platform Services Controller Administration
Table 1‑3. Platform Services Controller Services
Service Description
applmgmt
(VMware Appliance Management Service)
vmware-cis-license
(VMware License Service)
vmware-cm
(VMware Component Manager)
vmware-sts-idmd
(VMware Identity Management Service)
vmware-stsd
(VMware Security Token Service)
vmware-rhttpproxy
(VMware HTTP Reverse Proxy)
Handles appliance configuration and provides public API
endpoints for appliance lifecycle management. Included on the
Platform Services Controller appliance.
Each Platform Services Controller includes VMware License
Service, which delivers centralized license management and
reporting functionality to VMware products in your environment.
The license service inventory replicates across all
Platform Services Controller in the domain at 30-second
intervals.
Component manager provides service registration and lookup
functionalities.
Services behind the vCenter Single Sign-On feature, which
provide secure authentication services to VMware software
components and users.
By using vCenter Single Sign-On, the VMware components
communicate using a secure SAML token exchange
mechanism. vCenter Single Sign-On constructs an internal
security domain (vsphere.local by default) where the VMware
software components are registered during installation or
upgrade.
The reverse proxy runs on each Platform Services Controller
node and each vCenter Server system. It is a single entry point
into the node and enables services that run on the node to
communicate securely.
vmware-sca
(VMware Service Control Agent)
vmware-statsmonitor
(VMware Appliance Monitoring Service)
vmware-vapi-endpoint
(VMware vAPI Endpoint)
vmafdd
VMware Authentication Framework
vmcad
VMware Certificate Service
Manages service configurations. You can use the service-
control CLI to manage individual service configurations.
Monitor the vCenter Server Appliance guest operating system
resource consumption.
The vSphere Automation API endpoint provides a single point of
access to vAPI services. You can change the properties of the
vAPI Endpoint service from the vSphere Web Client. See the
vSphere Automation SDKs Programming Guide for details on
vAPI endpoints.
Service that provides a client-side framework for vmdir
authentication and serves the VMware Endpoint Certificate
Store (VECS).
Provisions each VMware software component that has the
vmafd client libraries and each ESXi host with a signed
certificate that has VMCA as the root certificate authority. You
can change the default certificates by using the Certificate
Manager utility.
VMware Certificate Service uses the VMware Endpoint
Certificate Store (VECS) to serve as a local repository for
certificates on every Platform Services Controller instance.
Although you can decide not to use VMCA and instead can use
custom certificates, you must add the certificates to VECS.
VMware, Inc. 16
Platform Services Controller Administration
Table 1‑3. Platform Services Controller Services (Continued)
Service Description
vmdird
VMware Directory Service
vmdnsd
VMware Domain Name Service
vmonapi
VMware Lifecycle Manager API
vmware-vmon
VMware Service Lifecycle Manager
lwsmd
Likewise Service Manager
pschealth
VMware Platform Services Controller Health Monitor
vmware-analytics
VMware Analytics Service
Provides a multitenant, multimastered LDAP directory service
that stores authentication, certificate, lookup, and license
information. Do not update data in vmdird by using an LDAP
browser.
If your domain contains more than one
Platform Services Controller instance, an update of vmdir
content in one vmdir instance is propagated to all other
instances of vmdir.
Not used in vSphere 6.x.
Start and stop vCenter Server services and monitor service API
health. The vmware-vmon service is a centralized platformindependent service that manages the lifecycle of
Platform Services Controller and vCenter Server. Exposes APIs
and CLIs to third-party applications.
Likewise facilitates joining the host to an Active Directory domain
and subsequent user authentication.
Monitors the health and status of all core
Platform Services Controller infrastructure services.
Consists of components that gather and upload telemetry data
from various vSphere components to the VMware Analytics
Cloud, and manage the Customer Experience Improvement
Program (CEIP).
Manage Platform Services Controller Services From the vSphere Client
You can manage vCenter access control, licensing, solutions, linked domains, certificates, and Single
Sign-On from the vSphere Client.
Procedure
1 Log in to a vCenter Server associated with the Platform Services Controller as a user with
administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by default).
2 Select Administration and click the item that you want to manage.
Manage Platform Services Controller Services From the vSphere Web Client
You can manage vCenter Single Sign-On and the Licensing service from the vSphere Web Client.
Use the vSphere Client or CLIs instead of the vSphere Web Client to manage the following services.
n
Certificates
n
VMware Endpoint Certificate Store (VECS)
VMware, Inc. 17
Platform Services Controller Administration
n
Two-factor authentication such as Common Access Card authentication
n
Login banner
Procedure
1 Log in to a vCenter Server associated with the Platform Services Controller as a user with
administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by default).
2 Select Administration and click the item that you want to manage.
Option Description
Single Sign-On Configure vCenter Single Sign-On.
n
Set policies.
n
Manage identity sources.
n
Manage the STS Signing certificate.
n
Manage SAML service providers.
n
Manage users and groups.
Licensing Configure licensing.
Use Scripts to Manage Platform Services Controller Services
Platform Services Controller includes scripts for generating CSRs, managing certificates and managing
services.
For example, you can use the certool utility to generate CSRs and to replace certificates, both for
scenarios with embedded Platform Services Controller and for scenarios with external
Platform Services Controller. See Managing Certificates with the vSphere Certificate Manager Utility.
Use the CLIs for management tasks that the Web interfaces do not support, or to create custom scripts
for your environment.
Table 1‑4. CLIs for Managing Certificates and Associated Services
CLI Description Links
certool
vecs-cli
dir-cli
Generate and manage certificates and
keys. Part of VMCA.
Manage the contents of VMware
Certificate Store instances. Part of
VMAFD.
Create and update certificates in
VMware Directory Service. Part of
VMAFD.
certool Initialization Commands Reference
vecs-cli Command Reference
dir-cli Command Reference
sso-config
service-control
VMware, Inc. 18
Utility for configuring smart card
authentication.
Command for starting, stopping, and
listing services.
Understanding vCenter Server Two-Factor
Authentication
Run this command to stop services before
running other CLI commands.
Platform Services Controller Administration
Procedure
1 Log in to the Platform Services Controller shell.
In most cases, you have to be the root or Administrator user. See Required Privileges for Running
CLIs for details.
2 Access a CLI at one of the following default locations.
The required privileges depend on the task that you want to perform. In some cases, you are
prompted for the password twice to safeguard sensitive information.
Windows
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-
cli.exe
C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe
C:\Program Files\VMware\vCenter Server\vmcad\certool.exe
C:\Program Files\VMware\VCenter server\VMware Identity
Services\sso-config
VCENTER_INSTALL_PATH\bin\service-control
Linux
/usr/lib/vmware-vmafd/bin/vecs-cli
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
/opt/vmware/bin
On Linux, the service-control command does not require that you
specify the path.
Managing the Platform Services Controller Appliance
You can manage the Platform Services Controller appliance from the virtual appliance management
interface or from the appliance shell.
If you are using an environment with an embedded Platform Services Controller, you manage the one
appliance that includes both Platform Services Controller and vCenter Server. See vCenter Server
Appliance Configuration.
Table 1‑5. Interfaces for Managing the Platform Services Controller Appliance
Interface Description
Platform Services Controller virtual appliance management
interface (VAMI)
Platform Services Controller appliance shell Use this command-line interface to perform service
VMware, Inc. 19
Use this interface to reconfigure the system settings of a
Platform Services Controller deployment.
management operations on VMCA, VECS, and VMDIR. See
Managing Certificates with the vSphere Certificate Manager
Utility and Chapter 4 Managing Services and Certificates with
CLI Commands.
Platform Services Controller Administration
Manage the Appliance with the Platform Services Controller Virtual Appliance Management Interface
In an environment with an external Platform Services Controller, you can use the
Platform Services Controller virtual appliance management interface (VAMI) to configure the appliance
system settings. Settings include time synchronization, network settings, and SSH login settings. You can
also change the root password, join the appliance to an Active Directory domain, and leave an Active
Directory domain.
In an environment with an embedded Platform Services Controller, you manage the appliances that
include both Platform Services Controller and vCenter Server.
Procedure
1 In a Web browser, go to the Web interface at https://platform_services_controller_ip:5480.
2 If a warning message about an untrusted SSL certificate appears, resolve the issue based on
company security policy and the Web browser that you are using.
3 Log in as root.
The default root password is the virtual appliance root password that you set when deploying the
virtual appliance.
You can see the System Information page of the Platform Services Controller Appliance Management
Interface.
Manage the Appliance from the Appliance Shell
You can use service management utilities and CLIs from the appliance shell. You can use TTY1 to log in
to the console, or can use SSH to connect to the shell.
Procedure
1 Enable SSH login if necessary.
a Log in to the appliance management interface (VAMI) at https://platform_services_controller_ip:
5480.
b In the Navigator, select Access and click Edit.
c Toggle on Enable SSH Login and click OK.
You can follow the same steps to enable the Bash shell for the appliance.
2 Access the appliance shell.
n
If you have direct access to the appliance console, select Log in, and press Enter.
n
To connect remotely, use SSH or another remote console connection to start a session to the
appliance.
VMware, Inc. 20
Platform Services Controller Administration
3 Log in as root with the password that you set when you initially deployed the appliance.
If you changed the root password, use the new password.
Add a Platform Services Controller Appliance to an Active Directory Domain
If you want to add an Active Directory identity source to Platform Services Controller, you must join the
Platform Services Controller appliance to an Active Directory domain.
If you are using a Platform Services Controller instance that is installed on Windows, you can use the
domain to which that machine belongs.
Procedure
1 Using the vSphere Client, log in to a vCenter Server associated with the Platform Services Controller
as a user with administrator privileges in the local vCenter Single Sign-On domain (vsphere.local by
default).
2 Select Administration.
3 Expand Single Sign On and click Configuration.
4 Click Active Directory Domain.
5 Click Join AD, specify the domain, optional organizational unit, and user name and password, and
click JOIN.
VMware, Inc. 21
vSphere Authentication with
vCenter Single Sign-On 2
vCenter Single Sign-On is an authentication broker and security token exchange infrastructure. When a
user can authenticate to vCenter Single Sign-On, that user receives a SAML token. Going forward, the
user can use the SAML token to authenticate to vCenter services. The user can then perform the actions
that user has privileges for.
Because traffic is encrypted for all communications, and because only authenticated users can perform
the actions that they have privileges for, your environment is secure.
Starting with vSphere 6.0, vCenter Single Sign-On is part of the Platform Services Controller. The
Platform Services Controller contains the shared services that support vCenter Server and
vCenter Server components. These services include vCenter Single Sign-On, VMware Certificate
Authority, and License Service. See vCenter Server Installation and Setup for details on the
Platform Services Controller.
For the initial handshake, users authenticate with a user name and password, and solution users
authenticate with a certificate. For information on replacing solution user certificates, see Chapter 3
vSphere Security Certificates.
The next step is authorizing the users who can authenticate to perform certain tasks. In most cases, you
assign vCenter Server privileges, usually by assigning the user to a group that has a role. vSphere
includes other permission models such as global permissions. See the vSphere Security documentation.
This chapter includes the following topics:
n
Understanding vCenter Single Sign-On
n
Configuring vCenter Single Sign-On Identity Sources
n
Understanding vCenter Server Two-Factor Authentication
n
Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
n
Security Token Service STS
n
Managing vCenter Single Sign-On Policies
n
Managing vCenter Single Sign-On Users and Groups
n
vCenter Single Sign-On Security Best Practices
VMware, Inc.
22
Kerberos
vSphere Web Client
1
2
3
4
5
6
VMware
Directory
Service
CA
vCenter
Server
vCenter Single
Sign-On
Platform Services Controller Administration
Understanding vCenter Single Sign-On
To effectively manage vCenter Single Sign-On, you need to understand the underlying architecture and
how it affects installation and upgrades.
vCenter Single Sign-On 6.0 Domains and Sites
(http://link.brightcove.com/services/player/bcpid2296383276001?
bctid=ref:video_sso_6_domains_sites)
How vCenter Single Sign-On Protects Your Environment
vCenter Single Sign-On allows vSphere components to communicate with each other through a secure
token mechanism.
vCenter Single Sign-On uses the following services.
n
STS (Security Token Service).
n
SSL for secure traffic.
n
Authentication of human users through Active Directory or OpenLDAP.
n
Authentication of solution users through certificates.
vCenter Single Sign-On Handshake for Human Users
The following illustration shows the handshake for human users.
Figure 2‑1. vCenter Single Sign-On Handshake for Human Users
1 A user logs in to the vSphere Client with a user name and password to access the vCenter Server
system or another vCenter service.
The user can also log in without a password and check the Use Windows session authentication
check box.
VMware, Inc. 23
Kerberos
Solution User
1
2
3
4
VMware
Directory
Service
CA
vCenter
Server
vCenter Single
Sign-On
Platform Services Controller Administration
2 The vSphere Client passes the login information to the vCenter Single Sign-On service, which checks
the SAML token of the vSphere Client. If the vSphere Client has a valid token, vCenter Single SignOn then checks whether the user is in the configured identity source (for example Active Directory).
n
If only the user name is used, vCenter Single Sign-On checks in the default domain.
n
If a domain name is included with the user name (DOMAIN\user1 or user1@DOMAIN), vCenter
Single Sign-On checks that domain.
3 If the user can authenticate to the identity source, vCenter Single Sign-On returns a token that
represents the user to the vSphere Client.
4 The vSphere Client passes the token to the vCenter Server system.
5 vCenter Server checks with the vCenter Single Sign-On server that the token is valid and not expired.
6 The vCenter Single Sign-On server returns the token to the vCenter Server system, using
thevCenter Server Authorization Framework to allow user access.
The user can now authenticate, and can view and modify any objects that the user's role has privileges
for.
Note Initially, each user is assigned the No Access role. A vCenter Server administrator must assign the
user at least to the Read Only role before the user can log in. See the vSphere Security documentation.
vCenter Single Sign-On Handshake for Solution Users
Solution users are sets of services that are used in the vCenter Server infrastructure, for example, the
vCenter Server or vCenter Server extensions. VMware extensions and potentially third-party extensions
might also authenticate to vCenter Single Sign-On.
Figure 2‑2. vCenter Single Sign-On Handshake for Solution Users
For solution users, the interaction proceeds as follows:
1 The solution user attempts to connect to a vCenter service.
2 The solution user is redirected to vCenter Single Sign-On. If the solution user is new to vCenter
Single Sign-On, it has to present a valid certificate.
VMware, Inc. 24
Platform Services Controller Administration
3 If the certificate is valid, vCenter Single Sign-On assigns a SAML token (bearer token) to the solution
user. The token is signed by vCenter Single Sign-On.
4 The solution user is then redirected to vCenter Single Sign-On and can perform tasks based on its
permissions.
5 The next time the solution user has to authenticate, it can use the SAML token to log in to
vCenter Server.
By default, this handshake is automatic because VMCA provisions solution users with certificates during
startup. If company policy requires third-party CA-signed certificates, you can replace the solution user
certificates with third-party CA-signed certificates. If those certificates are valid, vCenter Single Sign-On
assigns a SAML token to the solution user. See Use Custom Certificates With vSphere.
Supported Encryption
AES encryption, which is the highest level of encryption, is supported. The supported encryption affects
security when vCenter Single Sign-On uses Active Directory as an identity source.
It also affects security any time an ESXi host or vCenter Server is joined to Active Directory.
vCenter Single Sign-On Components
vCenter Single Sign-On includes the Security Token Service (STS), an administration server, and vCenter
Lookup Service, as well as the VMware Directory Service (vmdir). The VMware Directory Service is also
used for certificate management.
During installation, the components are deployed as part an embedded deployment, or as part of the
Platform Services Controller.
STS (Security Token
Service)
Administration server The administration server allows users with administrator privileges to
The STS service issues Security Assertion Markup Language (SAML)
tokens. These security tokens represent the identity of a user in one of the
identity source types supported byvCenter Single Sign-On. The SAML
tokens allow both human users and solution users who authenticate
successfully to vCenter Single Sign-On to use any vCenter service that
vCenter Single Sign-On supports without authenticating again to each
service.
The vCenter Single Sign-On service signs all tokens with a signing
certificate, and stores the token signing certificate on disk. The certificate
for the service itself is also stored on disk.
vCenter Single Sign-On to configure the vCenter Single Sign-On server and
manage users and groups from the vSphere Web Client. Initially, only the
user administrator@your_domain_name has these privileges. In vSphere
5.5, this user was administrator@vsphere.local. With vSphere 6.0, you can
VMware, Inc. 25
Platform Services Controller Administration
change the vSphere domain when you install vCenter Server or deploy the
vCenter Server Appliance with a new Platform Services Controller. Do not
name the domain name with your Microsoft Active Directory or OpenLDAP
domain name.
VMware Directory
Service (vmdir)
The VMware Directory service (vmdir) is associated with the domain you
specify during installation and is included in each embedded deployment
and on each Platform Services Controller. This service is a multi-tenanted,
multi-mastered directory service that makes an LDAP directory available on
port 389. The service still uses port 11711 for backward compatibility with
vSphere 5.5 and earlier systems.
If your environment includes more than one instance of the
Platform Services Controller, an update of vmdir content in one vmdir
instance is propagated to all other instances of vmdir.
Starting with vSphere 6.0, the VMware Directory Service stores not only
vCenter Single Sign-On information but also certificate information.
Identity Management
Handles identity sources and STS authentication requests.
Service
How vCenter Single Sign-On Aects Installation
Starting with version 5.1, vSphere includes a vCenter Single Sign-On service as part of the
vCenter Server management infrastructure. This change affects vCenter Server installation.
Authentication with vCenter Single Sign-On makes vSphere more secure because the vSphere software
components communicate with each other by using a secure token exchange mechanism, and all other
users also authenticate with vCenter Single Sign-On.
Starting with vSphere 6.0, vCenter Single Sign-On is either included in an embedded deployment, or part
of the Platform Services Controller. The Platform Services Controller contains all of the services that are
necessary for the communication between vSphere components including vCenter Single Sign-On,
VMware Certificate Authority, VMware Lookup Service, and the licensing service.
The order of installation is important.
First installation If your installation is distributed, you must install the
Platform Services Controller before you install vCenter Server or deploy the
vCenter Server Appliance. For an embedded deployment the correct
installation order happens automatically.
Subsequent
installations
For approximately up to four vCenter Server instances, one
Platform Services Controller can serve your entire vSphere environment.
You can connect the new vCenter Server instances to the same
Platform Services Controller. For more than approximately four
vCenter Server instances, you can install an additional
VMware, Inc. 26
Platform Services Controller Administration
Platform Services Controller for better performance. The vCenter Single
Sign-On service on each Platform Services Controller synchronizes
authentication data with all other instances. The precise number depends
on how heavily the vCenter Server instances are being used and on other
factors.
For detailed information about the deployment models, the advantages and disadvantages of each
deployment type, see vCenter Server Installation and Setup.
Using vCenter Single Sign-On with vSphere
When a user logs in to a vSphere component or when a vCenter Server solution user accesses another
vCenter Server service, vCenter Single Sign-On performs authentication. Users must be authenticated
with vCenter Single Sign-On and have the necessary privileges for interacting with vSphere objects.
vCenter Single Sign-On authenticates both solution users and other users.
n
Solution users represent a set of services in your vSphere environment. During installation, VMCA
assigns a certificate to each solution user by default. The solution user uses that certificate to
authenticate to vCenter Single Sign-On. vCenter Single Sign-On gives the solution user a SAML
token, and the solution user can then interact with other services in the environment.
n
When other users log in to the environment, for example, from the vSphere Client, vCenter Single
Sign-On prompts for a user name and password. If vCenter Single Sign-On finds a user with those
credentials in the corresponding identity source, it assigns the user a SAML token. The user can now
access other services in the environment without being prompted to authenticate again.
Which objects the user can view, and what a user can do, is usually determined by vCenter Server
permission settings. vCenter Server administrators assign those permissions from the Permissions
interface in the vSphere Web Client or the vSphere Client, not through vCenter Single Sign-On. See
the vSphere Security documentation.
vCenter Single Sign-On and vCenter Server Users
Users authenticate to vCenter Single Sign-On by entering their credentials on the login page. After
connecting to vCenter Server, authenticated users can view all vCenter Server instances or other
vSphere objects for which their role gives them privileges. No further authentication is required.
After installation, the administrator of the vCenter Single Sign-On domain, administrator@vsphere.local
by default, has administrator access to both vCenter Single Sign-On and vCenter Server. That user can
then add identity sources, set the default identity source, and manage users and groups in the vCenter
Single Sign-On domain.
VMware, Inc. 27
Platform Services Controller Administration
All users that can authenticate to vCenter Single Sign-On can reset their password, even if the password
has expired, as long as they know the password. See Change Your vCenter Single Sign-On Password.
Only vCenter Single Sign-On administrators can reset the password for users who no longer have their
password.
Note When you change the password for your SDDC from the vSphere Client, the new password is not
synchronized with the password that is displayed on the Default vCenter Credentials page. That page
shows only the Default credentials. If you change the credentials, you are responsible for keeping track of
the new password. Contact Technical Support and request a password change.
vCenter Single Sign-On Administrator Users
The vCenter Single Sign-On administrative interface is accessible from either the vSphere Client or the
vSphere Web Client.
To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, the user
administrator@vsphere.local or a user in the vCenter Single Sign-On Administrators group must log in to
the vSphere Client . Upon authentication, that user can access the vCenter Single Sign-On administration
interface from the vSphere Client and manage identity sources and default domains, specify password
policies, and perform other administrative tasks.
Note You cannot rename the vCenter Single Sign-On administrator user, which is
administrator@vsphere.local by default or administrator@mydomain if you specified a different domain
during installation. For improved security, consider creating additional named users in the vCenter Single
Sign-On domain and assigning them administrative privileges. You can then stop using the administrator
account.
ESXi Users
Standalone ESXi hosts are not integrated with vCenter Single Sign-On or with the
Platform Services Controller. See vSphere Security for information on adding an ESXi host to Active
Directory.
If you create local ESXi users for a managed ESXi host with the VMware Host Client, vCLI, or PowerCLI,
vCenter Server is not aware those users. Creating local users can therefore result in confusion, especially
if you use the same user names. Users who can authenticate to vCenter Single Sign-On can view and
manage ESXi hosts if they have the corresponding permissions on the ESXi host object.
Note Manage permissions for ESXi hosts through vCenter Server if possible.
How to Log In to vCenter Server Components
You can log in by connecting to the vSphere Client or the vSphere Web Client.
When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on
whether the user is in the domain that is set as the default identity source.
n
Users who are in the default domain can log in with their user name and password.
VMware, Inc. 28
Platform Services Controller Administration
n
Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but
is not the default domain can log in to vCenter Server but must specify the domain in one of the
following ways.
n
Including a domain name prefix, for example, MYDOMAIN\user1
n
Including the domain, for example, user1@mydomain.com
n
Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to
vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy,
Active Directory determines whether users of other domains in the hierarchy are authenticated or not.
If your environment includes an Active Directory hierarchy, see VMware Knowledge Base article 2064250
for details on supported and unsupported setups.
Note Starting with vSphere 6.0 Update 2, two-factor authentication is supported. See Understanding
vCenter Server Two-Factor Authentication.
Groups in the vCenter Single Sign-On Domain
The vCenter Single Sign-On domain (vsphere.local by default) includes several predefined groups. Add
users to one of those groups to enable them to perform the corresponding actions.
See Managing vCenter Single Sign-On Users and Groups.
For all objects in the vCenter Server hierarchy, you can assign permissions by pairing a user and a role
with the object. For example, you can select a resource pool and give a group of users read privileges to
that resource pool object by giving them the corresponding role.
For some services that are not managed by vCenter Server directly, membership in one of the vCenter
Single Sign-On groups determines the privileges. For example, a user who is a member of the
Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins
group can manage the VMware Certificate Authority, and a user who is in the
LicenseService.Administrators group can manage licenses.
The following groups are predefined in vsphere.local.
Note Many of these groups are internal to vsphere.local or give users high-level administrative
privileges. Add users to any of these groups only after careful consideration of the risks.
Note Do not delete any of the predefined groups in the vsphere.local domain. If you do, errors with
authentication or certificate provisioning might result.
Table 2‑1. Groups in the vsphere.local Domain
Privilege Description
Users Users in the vCenter Single Sign-On domain (vsphere.local by default).
SolutionUsers Solution users group vCenter services. Each solution user authenticates individually to
vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users
with certificates. Do not add members to this group explicitly.
VMware, Inc. 29
Platform Services Controller Administration
Table 2‑1. Groups in the vsphere.local Domain (Continued)
Privilege Description
CAAdmins Members of the CAAdmins group have administrator privileges for VMCA. Do not add
members to this group unless you have compelling reasons.
DCAdmins Members of the DCAdmins group can perform Domain Controller Administrator actions
on VMware Directory Service.
Note Do not manage the domain controller directly. Instead, use the vmdir CLI or
vSphere Web Client to perform corresponding tasks.
SystemConfiguration.BashShellAdministr
ators
ActAsUsers Members of Act-As Users are allowed to get Act-As tokens from vCenter Single Sign-
ExternalIPDUsers This internal group is not used by vSphere. VMware vCloud Air requires this group.
SystemConfiguration.Administrators Members of the SystemConfiguration.Administrators group can view and manage the
DCClients This group is used internally to allow the management node access to data in VMware
ComponentManager.Administrators Members of the ComponentManager.Administrators group can invoke component
LicenseService.Administrators Members of LicenseService.Administrators have full write access to all licensing-related
This group is available only for vCenter Server Appliance deployments.
A user in this group can enable and disable access to the BASH shell. By default a user
who connects to the vCenter Server Appliance with SSH can access only commands in
the restricted shell. Users who are in this group can access the BASH shell.
On.
system configuration in the vSphere Web Client. These users can view, start and restart
services, troubleshoot services, see the available nodes, and manage those nodes.
Directory Service.
Note Do not modify this group. Any changes might compromise your certificate
infrastructure.
manager APIs that register or unregister services, that is, modify services. Membership
in this group is not necessary for read access on the services.
data and can add, remove, assign, and unassign serial keys for all product assets
registered in the licensing service.
Administrators Administrators of the VMware Directory Service (vmdir). Members of this group can
perform vCenter Single Sign-On administration tasks. Do not add members to this
group unless you have compelling reasons and understand the consequences.
Configuring vCenter Single Sign-On Identity Sources
When a user logs in with just a user name, vCenter Single Sign-On checks in the default identity source
whether that user can authenticate. When a user logs in and includes the domain name in the login
screen, vCenter Single Sign-On checks the specified domain if that domain has been added as an
identity source. You can add identity sources, remove identity sources, and change the default.
You configure vCenter Single Sign-On from the vSphere Client. To configure vCenter Single Sign-On, you
must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator
privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation,
only the vCenter Single Sign-On administrator (administrator@vsphere.local by default) can authenticate
to vCenter Single Sign-On.
VMware, Inc. 30
Loading...