Before you enable smart card authentication, you must create a trusted client CA store and potentially configure the reverse proxy on the vCenter Server system.

Reverse proxy configuration is required in vSphere 7.0 through vSphere 7.0 Update 3h. Starting with vSphere 7.0 Update 3i, you no longer need to configure the reverse proxy (Step 5).

The configuration uses port 3128, which is set and opened automatically on vCenter Server (as of vSphere 7.0 Update 3i).

Prerequisites

Copy the certificate authority (CA) certificates to the vCenter Server system to use to create the trusted client CA store. This store must contain the trusted certificates issued by the CA for the client certificate. The client here is the browser from which the smart card process prompts the end user for information.

Note: vCenter Server 7.0 supports the HTTP/2 protocol. All modern browsers and applications, including the vSphere Client, connect to vCenter Server using HTTP/2. However, smart card authentication requires use of the HTTP/1.1 protocol. Enabling smart card authentication disables Application-Layer Protocol Negotiation (ALPN, https://tools.ietf.org/html/rfc7301) for HTTP/2, effectively preventing the browser from using HTTP/2. Applications that use only HTTP/2, without relying on ALPN, continue to work.

To complete smart card authentication, clients must be permitted access to port 3128/TCP on the appropriate vCenter Server. Check your perimeter firewalls to ensure that access has been granted.

The connection is redirected to port 3128 during smart card login. Port 3128 only supports pre-configured mutual authentication connections and it is not intended as a direct browser endpoint. It does not return an HSTS header. If your vulnerability scanner reports this behavior, it can be safely ignored.

Procedure

  1. Log in to the vCenter Server shell as the root user.
  2. Create a trusted client CA store on the vCenter Server using the exact path and PEM name, /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem.
    Warning: You must use the exact path and PEM name, /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem.
    1. Change to the /usr/lib/vmware-sso/ directory.
      cd /usr/lib/vmware-sso/
    2. To create the trusted client CA store, run the openssl command, taking as input your trusted signing certificate. For example, the following command creates the clienttrustCA.pem file from the xyzCompanySmartCardSigningCA.cer trusted signing certificate.
      openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
      You can add additional certificates to the trusted client CA store by running the openssl command with the ">>" operator to append the additional certificate. For example, the following command appends xyzCompanySmartCardSigningCA2.cer to the existing clienttrustCA.pem file.
      openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA2.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
  3. To validate that the contents of the clienttrustCA.pem file contain the trusted CAs that signed the smart card certificates, run the keytool command.
    For example:
    keytool -printcert -file /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem | grep -i "owner\|sha1\|issuer:\|valid"
  4. Verify that the CA names match the Smart Card User Certificate Chain.
    For example, you can run the following command.
    sso-config.sh -get_authn_policy -t vsphere.local | grep trusted
    The root and intermediate certificates must have matching thumbprints, names, valid dates, and so on.
    Note: You can also use the vSphere Client ( Single Sign On > Configuration > Smart Card Configuration > Smart Card Authentication > Trusted CA Certificates).
  5. For vSphere versions prior to 7.0 Update 3i, make a backup of the /etc/vmware-rhttpproxy/config.xml file that includes the reverse proxy definition, open config.xml in an editor, and make and save the following changes.
    <http>
    <maxConnections> 2048 </maxConnections>
    <requestClientCertificate>true</requestClientCertificate>
    <clientCertificateMaxSize>4096</clientCertificateMaxSize>
    <clientCAListFile>/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem</clientCAListFile>
    </http>
    The config.xml file includes some of these elements. Uncomment, update, or add the elements as needed.
    Note: This step is no longer necessary starting with vSphere 7.0 Update 3i.
  6. Restart the appropriate service.
    vSphere Version Action
    Prior to 7.0 Update 3i Restart the reverse proxy service.
    /usr/lib/vmware-vmon/vmon-cli --restart rhttpproxy
    7.0 Update 3i and later Restart the STS service.
    /usr/lib/vmware-vmon/vmon-cli --restart sts