For multiple VMware Identity Manager virtual appliances deployed in a cluster, ensure that the following requirements are met.
Guidelines to Create a Certificate for VMware Identity Manager 3.3.4 and Later
- Generate a Certificate Signing Request (CSR) and obtain a valid, signed SSL certificate from a certificate authority (CA). The certificate can be either a PEM or PFX file.
- For the Common Name part of the Subject DN, use the fully qualified domain name (FQDN) that users use to access the VMware Identity Manager service. If the VMware Identity Manager appliances sit behind a load balancer, this FQDN is the load balancer's FQDN, not an individual node name.
- If SSL is not terminated on the load balancer, the SSL certificate used by the service must also include Subject Alternative Names (SANs) for each node FQDN in the VMware Identity Manager cluster. These SANs let the nodes within the cluster make requests to each other over TLS. Include a SAN for the FQDN that users use to access the service as well, in addition to using it as the Common Name, because browsers match the host name against the SAN entries rather than the Common Name.
Note:
LCM-based clusters support only SSL termination on the load balancer; SSL passthrough is not supported.
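The following shell script is an added worked example, not part of the VMware documentation or product. It generates a private key and a PEM-encoded CSR laid out as the guidelines above require: the Common Name is the load balancer FQDN, and the SAN list repeats that FQDN and then adds every cluster node, which is the layout needed when SSL is not terminated on the load balancer. It then re-reads the CSR and checks that the Common Name and every node name are actually present before the request is sent to the CA. The host names idm.example.com and idm-node1..3.example.com, the organization and country values, and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not VMware's code): build and verify a CSR for a
# VMware Identity Manager cluster behind a load balancer.
# All host names below are constructed placeholders.
set -e

# Hypothetical user-facing (load balancer) FQDN and cluster node FQDNs.
LB_FQDN="idm.example.com"
NODE_FQDNS="idm-node1.example.com idm-node2.example.com idm-node3.example.com"

# Write an OpenSSL request config. The CN is the load balancer FQDN; the
# [alt_names] section lists that FQDN first (browsers match on SANs), then
# every cluster node so nodes can call each other when SSL is not
# terminated on the load balancer.
write_req_conf() {
    conf="$1"; cn="$2"; shift 2
    {
        echo "[req]"
        echo "distinguished_name = dn"
        echo "req_extensions = v3_req"
        echo "prompt = no"
        echo "[dn]"
        echo "CN = $cn"
        echo "O = Example Org"
        echo "C = US"
        echo "[v3_req]"
        echo "keyUsage = digitalSignature, keyEncipherment"
        echo "extendedKeyUsage = serverAuth"
        echo "subjectAltName = @alt_names"
        echo "[alt_names]"
        i=1
        echo "DNS.$i = $cn"
        for name in "$@"; do
            i=$((i + 1))
            echo "DNS.$i = $name"
        done
    } > "$conf"
}

# Generate a 2048-bit RSA key and a PEM CSR from that config.
# Prints the CSR path.
make_csr() {
    workdir="$1"; cn="$2"; shift 2
    write_req_conf "$workdir/req.cnf" "$cn" "$@"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$workdir/idm.key" -out "$workdir/idm.csr" \
        -config "$workdir/req.cnf" 2>/dev/null
    echo "$workdir/idm.csr"
}

# Print the DNS SANs embedded in a CSR, one per line.
csr_dns_sans() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# Verify the CSR against the guidelines: the CN must be the user-facing
# FQDN, the CN must also appear as a SAN, and every node FQDN must be a SAN.
# Returns non-zero and names the first missing entry on failure.
check_csr() {
    csr="$1"; cn="$2"; shift 2
    sans=$(csr_dns_sans "$csr")
    for want in "$cn" "$@"; do
        echo "$sans" | grep -qx "$want" \
            || { echo "missing SAN: $want" >&2; return 1; }
    done
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$cn" \
        || { echo "CN is not $cn" >&2; return 1; }
    return 0
}

main() {
    tmp=$(mktemp -d)
    csr=$(make_csr "$tmp" "$LB_FQDN" $NODE_FQDNS)
    check_csr "$csr" "$LB_FQDN" $NODE_FQDNS && echo "CSR OK: $csr"
    echo "SANs in CSR:"
    csr_dns_sans "$csr"
}

main
```

Submit the generated idm.csr to your CA; the signed certificate comes back as PEM (or can be bundled with idm.key into a PFX), either of which the appliance accepts. If SSL is terminated on the load balancer, the node SANs are not needed for the load balancer certificate, but the CN must still be repeated as a SAN.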
Attributes to Use in Certificates for VMware Identity Manager 3.3.4 and Later
Cluster Type | Recommendations and Support
---|---
Cluster with Single Tenant Mode |
Cluster with Multi-Tenancy Enabled |