Before you enable smart card authentication, you have to configure the reverse proxy on the Platform Services Controller system. If your environment uses an embedded Platform Services Controller, you perform this task on the system where both vCenter Server and Platform Services Controller run.

Reverse proxy configuration is required in vSphere 6.5 and later.

Prerequisites

Copy the CA certificates to the Platform Services Controller system.

Procedure

  1. Log in to the Platform Services Controller.
    OS          Description
    Appliance   Log in to the appliance shell as the root user.
    Windows     Log in to a Windows command prompt as an Administrator user.
  2. Create a trusted client CA store.
    This store contains the certificates of the trusted CAs that issue the client certificates. The client here is the browser from which the smart card process prompts the end user for information.

    The following example shows how you create a certificate store on the Platform Services Controller appliance.

    For a single certificate (a single > overwrites any existing store):

    cd /usr/lib/vmware-sso/
    openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem

    For multiple certificates (run once per certificate; >> appends to the store instead of overwriting it):

    cd /usr/lib/vmware-sso/
    openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem

    Note: On Platform Services Controller on Windows, use C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\ and change the command to use backslashes.
  3. Make a backup of the config.xml file that includes the reverse proxy definition, and open config.xml in an editor.
    OS          Description
    Appliance   /etc/vmware-rhttpproxy/config.xml
    Windows     C:\ProgramData\VMware\vCenterServer\cfg\vmware-rhttpproxy\config.xml
  4. Make the following changes and save the file.
    <http>
    <maxConnections> 2048 </maxConnections>
    <requestClientCertificate>true</requestClientCertificate>
    <clientCertificateMaxSize>4096</clientCertificateMaxSize>
    <clientCAListFile>/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem</clientCAListFile>
    </http>
    The config.xml file includes some of these elements. Uncomment, update, or add the elements as needed.
  5. Restart the service.
    OS          Description
    Appliance   /usr/lib/vmware-vmon/vmon-cli --restart rhttpproxy
    Windows     Restart the operating system, or restart the VMware HTTP Reverse Proxy by following these steps:
                1. Open an elevated command prompt.
                2. Run the following commands:
                   cd C:\Program Files\VMware\vCenter Server\bin
                   service-control --stop vmware-rhttpproxy
                   service-control --start vmware-rhttpproxy
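Steps 2 and 4 above are the error-prone part of this procedure: a .cer file exported from a Windows CA is often DER-encoded rather than PEM, a CA certificate appended twice bloats the store, and a hand edit of config.xml can leave an element still commented out. The following script is an added example, not VMware's code or part of this procedure: it builds clienttrustCA.pem from PEM or DER input files (de-duplicating certificates), then sets the four <http> elements in config.xml, adding any that are missing. The file layout of config.xml (a <config> root containing <http>) and the placeholder certificate bodies in demo() are assumptions and constructed data; the restart in step 5 is deliberately left to the administrator.

```python
"""Added example (not VMware's own code): build the trusted client CA store
for the reverse proxy and set the client-certificate elements in config.xml.

Assumptions (not from the documentation): certificate files are either PEM
(one or more certificates) or a single DER-encoded certificate; config.xml
has a <config> root containing an <http> element. The certificate bodies
used by demo() are constructed placeholders, not real CA certificates.
"""
import re
import ssl
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.S)


def load_cert_pems(path: Path) -> list:
    """Return every certificate in a file as a normalized PEM string."""
    data = path.read_bytes()
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        # Round-trip through DER so line endings and wrapping differences
        # collapse to one canonical form, which makes de-duplication reliable.
        return [ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(b.decode("ascii")))
                for b in blocks]
    # No PEM markers: treat the whole file as a single DER certificate.
    return [ssl.DER_cert_to_PEM_cert(data)]


def build_client_trust_store(cert_files, store_path: Path) -> int:
    """Write a de-duplicated PEM bundle of issuing CAs to store_path.
    Returns the number of certificates in the resulting bundle."""
    seen, bundle = set(), []
    for f in cert_files:
        for pem in load_cert_pems(Path(f)):
            if pem not in seen:
                seen.add(pem)
                bundle.append(pem)
    store_path.write_text("".join(bundle))
    return len(bundle)


def configure_rhttpproxy(config_path: Path, store_path: Path) -> dict:
    """Set the client-certificate elements under <http>, adding missing ones.
    Comments are preserved; a commented-out element is simply replaced by a
    live one. Returns the resulting <http> settings as a dict."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    tree = ET.parse(config_path, parser=parser)
    root = tree.getroot()
    http = root.find(".//http")
    if http is None:
        http = ET.SubElement(root, "http")
    wanted = {
        "maxConnections": "2048",
        "requestClientCertificate": "true",
        "clientCertificateMaxSize": "4096",
        "clientCAListFile": str(store_path),
    }
    for tag, value in wanted.items():
        el = http.find(tag)
        if el is None:
            el = ET.SubElement(http, tag)
        el.text = value
    tree.write(config_path, encoding="utf-8", xml_declaration=True)
    # Comment nodes carry a non-string tag; report only real elements.
    return {c.tag: (c.text or "").strip() for c in http if isinstance(c.tag, str)}


def demo() -> dict:
    """Run both steps on constructed files in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    der_a = b"constructed DER placeholder A - not a real certificate"
    der_b = b"constructed DER placeholder B - not a real certificate"
    (work / "rootCA.cer").write_bytes(der_a)                              # DER-style file
    (work / "issuingCA.cer").write_text(ssl.DER_cert_to_PEM_cert(der_b))  # PEM-style file
    (work / "dupRoot.pem").write_text(ssl.DER_cert_to_PEM_cert(der_a))    # duplicate of root
    store = work / "clienttrustCA.pem"
    count = build_client_trust_store(
        [work / "rootCA.cer", work / "issuingCA.cer", work / "dupRoot.pem"], store)
    config = work / "config.xml"
    config.write_text(
        "<config>\n  <http>\n    <maxConnections>2048</maxConnections>\n"
        "    <!-- <requestClientCertificate>false</requestClientCertificate> -->\n"
        "  </http>\n</config>\n")
    settings = configure_rhttpproxy(config, store)
    return {"certs": count, "settings": settings}


if __name__ == "__main__":
    print(demo())
    print("Now restart the proxy: /usr/lib/vmware-vmon/vmon-cli --restart rhttpproxy")
```

On a real Platform Services Controller you would point build_client_trust_store at the copied CA files and /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem, and configure_rhttpproxy at /etc/vmware-rhttpproxy/config.xml (after taking the backup from step 3), then run the step 5 restart by hand. The normalization through ssl.PEM_cert_to_DER_cert only re-encodes the bytes; it does not validate that the file is a certificate, so inspect the bundle with openssl x509 -noout -subject before relying on it.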