Before you activate smart card authentication, you must configure the vCenter Server to request client certificates.

The configuration uses port 3128, which is set and opened automatically on vCenter Server.

Prerequisites

Copy the certificate authority (CA) certificates that you will use to create the trusted client CA store to the vCenter Server system. This store must contain the trusted certificates of the CA that issues the client certificates. Here the client is the browser from which the smart card process prompts the end user for information.

Note: vCenter Server 7.0 and later supports the HTTP/2 protocol. All modern browsers and applications, including the vSphere Client, connect to vCenter Server using HTTP/2. However, smart card authentication requires use of the HTTP/1.1 protocol. Activating smart card authentication deactivates Application-Layer Protocol Negotiation (ALPN, https://tools.ietf.org/html/rfc7301) for HTTP/2, effectively preventing the browser from using HTTP/2. Applications that use only HTTP/2, without relying on ALPN, continue to work.

To complete smart card authentication, clients must be permitted access to port 3128/TCP on the appropriate vCenter Server. Check your perimeter firewalls to ensure that access has been granted.

The connection is redirected to port 3128 during smart card login. Port 3128 supports only pre-configured mutual authentication connections and is not intended as a direct browser endpoint. It does not return an HSTS header. If your vulnerability scanner reports this behavior, it can be safely ignored.

Procedure

  1. Log in to the vCenter Server shell as the root user.
  2. Create a trusted client CA store on the vCenter Server using the exact path and PEM name, /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem.
    Warning: You must use the exact path and PEM name, /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem.
    1. Change to the /usr/lib/vmware-sso/ directory.
      cd /usr/lib/vmware-sso/
    2. To create the trusted client CA store, run the openssl command, taking as input your trusted signing certificate. For example, the following command creates the clienttrustCA.pem file from the xyzCompanySmartCardSigningCA.cer trusted signing certificate.
      openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
      You can add additional certificates to the trusted client CA store by running the openssl command with the ">>" operator to append the additional certificate. For example, the following command appends xyzCompanySmartCardSigningCA2.cer to the existing clienttrustCA.pem file.
      openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA2.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
  3. To validate that the clienttrustCA.pem file contains the trusted CAs that signed the smart card certificates, run the keytool command.
    For example:
    keytool -printcert -file /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem | grep -i "owner\|sha1\|issuer:\|valid"
  4. Verify that the CA names match the Smart Card User Certificate Chain.
    For example, you can run the following command.
    sso-config.sh -get_authn_policy -t vsphere.local | grep trusted
    The root and intermediate certificates must have matching thumbprints, names, valid dates, and so on.
    Note: You can also use the vSphere Client (Administration > Single Sign On > Configuration > Identity Provider > Smart Card Authentication > Smart card authentication settings > Trusted CA certificates > Add).
  5. Restart the STS service.
    service-control --restart sts
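As an added example (not VMware's own tooling), the following POSIX shell script automates the store creation of step 2 and the validation of step 3: it normalises each CA file to PEM, rejects expired or non-CA certificates, skips duplicates so repeated runs do not grow the store, and lists subject, SHA-256 fingerprint and expiry for every entry. It works against a temporary directory with constructed self-signed test certificates; the function names, the request config and the test certificates are assumptions, not part of the vCenter procedure.

```shell
#!/bin/sh
# Added example (not VMware tooling): build a clienttrustCA.pem-style store from
# CA files, rejecting expired or non-CA certificates and skipping duplicates.
set -eu

add_trusted_ca() {  # usage: add_trusted_ca STORE CERT_FILE ; returns 1 if rejected
    store=$1 cert=$2 tmp=$(mktemp)
    # Normalise to PEM whatever the input encoding (a .cer file may be DER).
    openssl x509 -inform PEM -in "$cert" -out "$tmp" 2>/dev/null \
        || openssl x509 -inform DER -in "$cert" -out "$tmp"
    # -checkend 0 fails when notAfter is already in the past.
    if ! openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null; then
        echo "reject $cert: expired" >&2; rm -f "$tmp"; return 1
    fi
    # Only CA certificates belong here; a user certificate in the store is a mistake.
    if ! openssl x509 -in "$tmp" -noout -text | grep -q 'CA:TRUE'; then
        echo "reject $cert: not a CA certificate" >&2; rm -f "$tmp"; return 1
    fi
    fp=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256)
    if [ -f "$store" ] && list_store "$store" | grep -qF "$fp"; then
        echo "skip $cert: already in store" >&2   # repeated runs do not grow the store
    else
        cat "$tmp" >> "$store"
    fi
    rm -f "$tmp"
}

list_store() {  # usage: list_store STORE -> one line per cert: subject, fingerprint, notAfter
    d=$(mktemp -d)
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    for f in "$d"/*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout -subject -fingerprint -sha256 -enddate | tr '\n' ' '; echo
    done
    rm -rf "$d"
}
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Constructed test material: a minimal req config (independent of the system
# openssl.cnf) and throw-away self-signed CA or end-entity certificates.
write_req_config() { printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n[ee_ext]\nbasicConstraints=CA:FALSE\n' > "$1"; }
make_test_cert() {  # usage: make_test_cert CONFIG ca_ext|ee_ext OUT_PEM CN
    openssl req -x509 -config "$1" -extensions "$2" -newkey rsa:2048 -nodes \
        -keyout /dev/null -out "$3" -subj "/CN=$4" -days 30 2>/dev/null
}

# Demo on a temporary store; the real one is /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem.
demo=$(mktemp -d); write_req_config "$demo/req.cnf"
make_test_cert "$demo/req.cnf" ca_ext "$demo/ca.pem" "Constructed Smart Card Signing CA"
add_trusted_ca "$demo/clienttrustCA.pem" "$demo/ca.pem" && list_store "$demo/clienttrustCA.pem"
```

Point add_trusted_ca at the real store path only after the listed subjects and fingerprints match the Smart Card User Certificate Chain checked in step 4.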