You can use the sso-config utility to configure smart card authentication from the command line. The utility supports all smart card configuration tasks.

Before you begin

  • Verify that your environment uses Platform Services Controller version 6.0 Update 2 or later, and that you use vCenter Server version 6.0 or later. Upgrade version 5.5 nodes to version 6.0.

  • Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that certificates meet the following requirements:

    • A User Principal Name (UPN) that corresponds to an Active Directory account in the Subject Alternative Name (SAN) extension.

    • Client Authentication must be specified in the Application Policy or Enhanced Key Usage field of a certificate, or the browser does not show that certificate.

  • Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation; otherwise, the browser does not attempt the authentication.

  • Configure an Active Directory identity source and add it to vCenter Single Sign-On as an identity source.

  • Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then authenticate because they are in the Active Directory group, and they have vCenter Server administrator privileges. The administrator@vsphere.local user cannot perform smart card authentication.

  • If you want to use the Platform Services Controller HA solution in your environment, complete all HA configuration before you set up smart card authentication. See VMware Knowledge Base article 2112085 (Windows) or 2113315 (vCenter Server Appliance).
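The two certificate requirements above (a UPN in the SAN extension and Client Authentication in the EKU) can be checked with openssl before a CA is enrolled. This is an added example, not part of the VMware documentation; the function names are chosen here, it generates throwaway self-signed certificates so it runs without a real PKI, and it checks only the Extended Key Usage form of the requirement, not the Application Policy form.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: check that a smart card
# certificate has a UPN in the SAN extension and Client Authentication in the
# Extended Key Usage (the Application Policy form is not checked). All function
# names here are chosen for this example.

UPN_OID='1.3.6.1.4.1.311.20.2.3'   # otherName type OID for a Microsoft UPN

# make_test_cert OUT.pem UPN yes|no: builds a throwaway self-signed certificate so
# the check can be exercised without a real PKI (empty UPN omits the SAN entry).
make_test_cert() {
  dir=$(mktemp -d) || return 1
  {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
    printf '[dn]\nCN=Smart Card Test\n[ext]\n'
    if [ -n "$2" ]; then printf 'subjectAltName=otherName:%s;UTF8:%s\n' "$UPN_OID" "$2"; fi
    if [ "$3" = yes ]; then printf 'extendedKeyUsage=clientAuth\n'; fi
  } > "$dir/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" -out "$1" \
    -days 1 -config "$dir/req.cnf" >/dev/null 2>&1
  rc=$?
  rm -rf "$dir"
  return $rc
}

# has_upn CERT.pem: true when the DER contains the UPN otherName type OID
# (06 0a 2b 06 01 04 01 82 37 14 02 03). Matching the bytes works on OpenSSL 1.x,
# whose text dump shows a UPN only as "othername:<unsupported>", and on OpenSSL 3.
has_upn() {
  openssl x509 -in "$1" -outform DER | od -An -tx1 | tr -d ' \n' \
    | grep -q '060a2b060104018237140203'
}

# check_smartcard_cert CERT.pem: returns 0 when both requirements are met and
# prints each missing requirement otherwise.
check_smartcard_cert() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  ok=0
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
    echo "$1: missing Client Authentication in Extended Key Usage"; ok=1
  fi
  if ! has_upn "$1"; then
    echo "$1: missing UPN in Subject Alternative Name"; ok=1
  fi
  return $ok
}

# Usage: sh check_cert.sh user.pem
if [ $# -gt 0 ]; then check_smartcard_cert "$1"; fi
```

A certificate that fails either check will not be offered by the browser or accepted for smart card login, so run it against a user's exported certificate before troubleshooting the Platform Services Controller side.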

About this task

When you configure smart card authentication from the command line, you always set up the Platform Services Controller using the sso-config command first. Then you can perform other tasks by using the Platform Services Controller Web interface.

  1. Configure the Platform Services Controller so that the Web browser requests submission of the smart card certificate when the user logs in.

  2. Configure the authentication policy. You can configure the policy by using the sso-config script or the Platform Services Controller Web interface. Configuration of supported authentication types and revocation settings is stored in VMware Directory Service and replicated across all Platform Services Controller instances in a vCenter Single Sign-On domain.

If smart card authentication is enabled and other authentication methods are disabled, users are then required to log in using smart card authentication.

If login from the vSphere Web Client is not working, and if user name and password authentication is turned off, a root or administrator user can turn user name and password authentication back on from the Platform Services Controller command line by running the following command. The example is for Windows; for Linux, use sso-config.sh.

sso-config.bat -set_authn_policy -pwdAuthn true

You can find the sso-config script at the following locations:

Windows

C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config.bat

Linux

/opt/vmware/bin/sso-config.sh

Procedure

  1. Obtain the certificates and copy them to a folder that the sso-config utility can see.

    Windows: Log in to the Platform Services Controller Windows installation and use WinSCP or a similar utility to copy the files.

    Appliance:

    1. Log in to the appliance console, either directly or by using SSH.

    2. Enable the appliance shell, as follows.

      shell.set --enabled True
      shell
      chsh -s "/bin/bash" root

    3. Use WinSCP or a similar utility to copy the certificates to the /usr/lib/vmware-sso/vmware-sts/conf directory on the Platform Services Controller.

    4. Optionally disable the appliance shell, as follows.

      chsh -s "/bin/appliancesh" root

  2. On each Platform Services Controller node, configure smart card authentication settings by using the sso-config CLI.
    1. Go to the directory where the sso-config script is located.

      Windows: C:\Program Files\VMware\VCenter server\VMware Identity Services

      Appliance: /opt/vmware/bin

    2. Run the following command:
      sso-config.[bat|sh] -set_tc_cert_authn -switch true -cacerts [FirstTrustedCA.cer,SecondTrustedCA.cer,...] -t tenant

      For example:

      sso-config.bat -set_tc_cert_authn -switch true -cacerts MySmartCA1.cer -t vsphere.local
    3. Restart the VMware Security Token Service (vmware-stsd) so that the setting takes effect.
      service-control --stop vmware-stsd
      service-control --start vmware-stsd

  3. To enable smart card authentication for VMware Directory Service (vmdir), run the following command.
    sso-config.[bat|sh] -set_authn_policy -certAuthn true -cacerts first_trusted_cert.cer,second_trusted_cert.cer -t tenant

    For example:

    sso-config.[bat|sh] -set_authn_policy -certAuthn true -cacerts MySmartCA1.cer,MySmartCA2.cer -t vsphere.local

    If you specify multiple certificates, spaces between certificates are not allowed.

  4. To disable all other authentication methods, run the following commands.
    sso-config.sh -set_authn_policy -pwdAuthn false -t vsphere.local
    sso-config.sh -set_authn_policy -winAuthn false -t vsphere.local
    sso-config.sh -set_authn_policy -securIDAuthn false -t vsphere.local

    You can use these commands to enable and disable different authentication methods as needed.

  5. (Optional) To set a certificate policies white list, run the following command.
    sso-config.[bat|sh] -set_authn_policy -certPolicies policies

    To specify multiple policies, separate them with a comma, for example:

    sso-config.bat -set_authn_policy -certPolicies 2.16.840.1.101.2.1.11.9,2.16.840.1.101.2.1.11.19

    This white list specifies the object identifiers (OIDs) of the policies that are allowed in the certificate's Certificate Policies extension. An X.509 certificate can carry a Certificate Policies extension.

  6. (Optional) To list the current configuration, run the following command.
    sso-config.[bat|sh] -get_authn_policy -t tenantName