Enabling certificate authentication for a VMware Identity Manager on-premises deployment requires setting SSL pass-through at the load balancer. In a DMZ deployment scenario, where the VMware Identity Manager service is deployed in the DMZ and the VMware Identity Manager connector is deployed in the internal network, if you do not want to allow inbound access to the connector, you can enable certificate authentication on the connector that is embedded in the VMware Identity Manager service.

In this scenario, use the embedded connector for certificate authentication only. Use the external connector for all other authentication methods.

To use the embedded connector for certificate authentication, you create a new Workspace identity provider for your directory, associate it with the embedded connector, and enable the Certificate Authentication adapter on the embedded connector. You can then configure your policies to use the certificate authentication method. Policies can also be set per app.

You also need to configure an SSL pass-through port for certificate authentication so that the SSL handshake is between the end user and the embedded connector. You set the port and upload the SSL certificate for it on the Appliance Settings pages and enable SSL pass-through for the port on the load balancer.

Other traffic continues to use port 443.

Note: This feature does not support local directories. Also, this feature is applicable only for on-premises DMZ deployments and does not apply to any other installation scenarios.

Deployment Requirements

  • On the load balancer in front of the VMware Identity Manager service appliance, enable SSL pass-through on the port you configure as the SSL pass-through port for certificate authentication. The default port is 7443.

    The port must be in the range 1024-65535 and cannot be 8443, which is the admin port.

  • Verify that the port is open on the load balancer or firewall.

Prerequisites

For the SSL pass-through port on the VMware Identity Manager server, obtain a signed SSL certificate from a public Certificate Authority. The hostname on the certificate must match the load balancer host name. The certificate must also be trusted by the end user.

Procedure

  1. Set the SSL pass-through port for certificate authentication.
    1. In the administration console, click the Appliance Settings tab.
    2. Click Manage Configuration and enter the admin user password.
    3. In the left pane, click Install SSL Certificates and select the Passthrough Certificate tab.
    4. Enter the required information.
      Option Description
      Port Enter the port you want to use as the SSL pass-through port for certificate authentication. The default port is 7443.

      The port must be in the range 1024-65535 and cannot be 8443, which is the admin port.

      Note: The port is available only if a certificate is added.
      SSL Certificate Chain Copy and paste the SSL certificate. Include the entire certificate chain, in the following order:

      Server certificate

      Intermediate certificate

      Root certificate

      For each certificate, copy everything between and including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----.

      Certificates must be in the PEM format.

      Private Key Copy and paste the private key.
    5. Click Add.
      The server is restarted.
  2. Create a new Workspace identity provider.
    1. Click the Identity & Access Management tab, then click the Identity Providers tab.
    2. Click Add Identity Provider and select Create Workspace IDP.
    3. Enter the information for the new identity provider.
      Option Description
      Identity Provider Name Enter a name for the identity provider.
      Users Select the directory for which you want to enable certificate authentication.
      Note: This feature does not support local directories.
      Connector(s)
      1. From the Add a Connector drop-down menu, select the embedded connector. The embedded connector has the same hostname as the service.
      2. Deselect the Bind to AD check box.
      3. Click Add Connector.
      Important: Do not select the Bind to AD option.
      Network Select the network ranges from which the identity provider can be accessed.
    4. Click Add.
  3. Set the port for the embedded connector.
    1. Click the Identity & Access Management tab and click Setup.
    2. In the Connectors page, click the new Workspace identity provider you created for the embedded connector.
    3. In the IdP Hostname text box, change the value from hostname to hostname:port, where port is the custom port you configured for certificate authentication in step 1.
    4. Click Save.
  4. Enable the CertificateAuthAdapter on the embedded connector.
    1. Click Setup.
    2. In the Connectors page, find the embedded connector.
      The embedded connector has the same hostname as the service.
    3. In the embedded connector row, click the link in the Worker column.
      Each worker is associated with a directory. If multiple workers are listed, click the worker link for the directory for which you want to enable certificate authentication.
    4. Click the Auth Adapters tab.
    5. Click CertificateAuthAdapter.
    6. Configure and enable the adapter. See VMware Identity Manager Administration for information.
    7. Click Save.
  5. Verify that the Identity Providers page displays the Certificate Authentication method.
    1. Click Manage, then click the Identity Providers tab.
    2. Verify that Certificate Authentication appears in the Authentication Methods column for the new identity provider that you created.
  6. Configure policies to use the certificate authentication method according to your needs.
    1. Click Manage, then click the Identity Providers tab.
    2. Click the policy to edit.
    3. Configure policy rules to use the certificate authentication method as needed.
    See VMware Identity Manager Administration for more information about creating policies.