For multiple VMware Identity Manager virtual appliances deployed in a cluster, ensure that the following requirements are met.
Guidelines to Create a Certificate for VMware Identity Manager 3.3.4 and Later
- Generate a Certificate Signing Request (CSR) and obtain a valid, signed SSL certificate from a certificate authority (CA). The certificate can be either a PEM or PFX file.
- For the Common Name part of the Subject DN, use the fully qualified domain name (FQDN) that users use to access the VMware Identity Manager service. If the VMware Identity Manager appliance is behind a load balancer, this FQDN is the load balancer server name.
- If SSL is not terminated on the load balancer, the SSL certificate used by the service must include Subject Alternative Names (SANs) for each of the FQDNs in the VMware Identity Manager cluster. Including the SAN enables the nodes within the cluster to make requests to each other. Also include a SAN for the FQDN host name that users use to access the VMware Identity Manager service, in addition to using it for the Common Name, because some browsers require it.
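As an added example (not part of the VMware documentation), the following POSIX shell script builds an OpenSSL request config with the load balancer FQDN as the Common Name and DNS SANs for the load balancer plus every cluster node, generates the CSR from it, and checks an issued PEM certificate for the complete SAN list. All hostnames, paths and function names are constructed placeholders.

```bash
#!/bin/sh
# Added example, not from the VMware documentation. Hostnames are constructed.
LB_FQDN="vidm.example.com"
NODE_FQDNS="vidm-node1.example.com vidm-node2.example.com vidm-node3.example.com"

# Print an OpenSSL "req" config: CN = $1, SANs = $1 followed by each name in $2.
# The load balancer name is listed as a SAN as well as the CN, since some
# browsers require it.
make_req_config() {
  lb="$1"; nodes="$2"
  printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
  printf '[dn]\nCN = %s\n\n' "$lb"
  printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
  i=1
  for h in $lb $nodes; do
    printf 'DNS.%d = %s\n' "$i" "$h"
    i=$((i + 1))
  done
}

# Write the config to $1, then generate a private key ($2) and CSR ($3) for
# the cluster; the CSR is what you submit to the CA.
generate_csr() {
  make_req_config "$LB_FQDN" "$NODE_FQDNS" > "$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1"
}

# Check that a PEM certificate ($1) carries a DNS SAN for every FQDN in $2,
# e.g. after the CA returns it. Prints each missing name; returns 1 if any
# is absent, 0 otherwise.
check_cert_sans() {
  sans=$(openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n')
  rc=0
  for h in $2; do
    echo "$sans" | grep -qx "DNS:$h" || { echo "missing SAN: $h"; rc=1; }
  done
  return $rc
}
```

Typical use: `generate_csr req.cnf vidm.key vidm.csr`, then once the CA has issued the certificate, `check_cert_sans vidm.pem "$LB_FQDN $NODE_FQDNS"` before installing it on the nodes.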
The Attributes to Use When Using Certificates with VMware Identity Manager 3.3.4 and Later
| Cluster Type | Recommendations and Support | Certificate |
| --- | --- | --- |
| Cluster with Single Tenant Mode | Recommended | Wildcard CA certificate that matches the load balancer and nodes domain |
| Cluster with Single Tenant Mode | Supported | Wildcard self-signed certificate that matches the load balancer and nodes domain |
| Cluster with Single Tenant Mode | Supported | Self-signed certificate with SANs added for the load balancer and node host FQDNs |
| Cluster with Multi-Tenancy Enabled | Recommended | Wildcard CA certificate that matches the load balancer and nodes domain |
| Cluster with Multi-Tenancy Enabled | Supported | Wildcard self-signed certificate that matches the load balancer and nodes domain |
| Cluster with Multi-Tenancy Enabled | Supported | Self-signed certificate with SANs added for the load balancer, the nodes, and all tenant alias hostnames |