The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens. You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.

Before you begin

Copy the certificate that you just added to the java keystore from the Platform Services Controller to your local workstation.

Platform Services Controller appliance

certificate_location/keys/root-trust.jks For example: /keys/root-trust.jks

For example:

/root/newsts/keys/root-trust.jks

Windows installation

certificate_location\root-trust.jks

For example:

C:\Program Files\VMware\vCenter Server\jre\bin\root-trust.jks

About this task

To acquire a SAML token, a user presents the primary credentials to the Secure Token Server (STS). The primary credentials depend on the type of user:

Solution user

Valid certificate

Other users

User name and password available in a vCenter Single Sign-On identity source.

The STS authenticates the user using the primary credentials, and constructs a SAML token that contains user attributes. The STS service signs the SAML token with its STS signing certificate, and then assigns the token to a user. By default, the STS signing certificate is generated by VMCA.

After a user has a SAML token, the SAML token is sent as part of that user's HTTP requests, possibly through various proxies. Only the intended recipient (service provider) can use the information in the SAML token.

You can replace the existing STS signing certificate vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.

Caution:

Do not replace the file in the filesystem. If you do, errors that are unexpected and difficult to debug result.

Note:

After you replace the certificate, you must restart the node to restart both the vSphere Web Client service and the STS service.

Procedure

  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

    Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.

  2. Select the Certificates tab, then the STS Signing subtab, and click the Add STS Signing Certificate icon.
  3. Add the certificate.
    1. Click Browse to browse to the key store JKS file that contains the new certificate and click Open.
    2. Type the password when prompted.
    3. Click the top of the STS alias chain and click OK.
    4. Type the password again when prompted
  4. Click OK.
  5. Restart the Platform Services Controller node to start both the STS service and the vSphere Web Client.

    Before the restart, authentication does not work correctly so the restart is essential.