Before you activate smart card authentication, you must configure the reverse proxy on the vCenter Server system.

Reverse proxy configuration is required in vSphere 6.5 and later.

The configuration uses port 3128, which is set and opened automatically.

Prerequisites

Copy the certificate authority (CA) certificates to the vCenter Server system.

Note: vCenter Server 7.0 supports the HTTP/2 protocol. All modern browsers and applications, including the vSphere Client, connect to vCenter Server using HTTP/2. However, smart card authentication requires use of the HTTP/1.1 protocol. Activating smart card authentication deactivates Application-Layer Protocol Negotiation (ALPN, https://tools.ietf.org/html/rfc7301) for HTTP/2, effectively preventing the browser from using HTTP/2. Applications that use only HTTP/2, without relying on ALPN, continue to work.

Procedure

  1. Log in to the vCenter Server shell as the root user.
  2. Create a trusted client CA store.
    This store contains the trusted certificates issued by the CA for client certificates. The client here is the browser through which the smart card process prompts the end user for information.

    The following example shows how you create a certificate store on the vCenter Server.

    For a single certificate:

    cd /usr/lib/vmware-sso/
    openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem

    For multiple certificates, run the command once per certificate. The >> redirection appends to the store instead of overwriting it:

    cd /usr/lib/vmware-sso/
    openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
  3. Make a backup of the /etc/vmware-rhttpproxy/config.xml file that includes the reverse proxy definition, and open config.xml in an editor.
  4. Make the following changes and save the file.
    <http>
    <maxConnections> 2048 </maxConnections>
    <requestClientCertificate>true</requestClientCertificate>
    <clientCertificateMaxSize>4096</clientCertificateMaxSize>
    <clientCAListFile>/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem</clientCAListFile>
    </http>
    The config.xml file includes some of these elements. Uncomment, update, or add the elements as needed.
  5. Restart the STS service.
    service-control --restart sts
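The check below is an added example, not part of the VMware documentation or tooling. It parses an rhttpproxy config.xml and reports any of the smart card settings from step 4 that are missing, still commented out, or set to a different value, and counts the PEM blocks in the client CA store so a store that was overwritten with > instead of appended with >> is noticed. The sample config.xml fragment is constructed; the real file may nest the http element deeper than shown.

```python
"""Verify the smart card settings in an rhttpproxy config.xml and the client CA store."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: requestClientCertificate was left commented out.
SAMPLE_CONFIG = """<config>
  <http>
    <maxConnections> 2048 </maxConnections>
    <!-- <requestClientCertificate>true</requestClientCertificate> -->
    <clientCertificateMaxSize>4096</clientCertificateMaxSize>
    <clientCAListFile>/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem</clientCAListFile>
  </http>
</config>"""

CA_STORE = "/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.S)


def check_http_config(xml_text):
    """Return a list of problems with the <http> element; an empty list means OK.
    ElementTree discards XML comments, so an element that is still commented
    out simply shows up as missing, which is exactly what we want to catch."""
    root = ET.fromstring(xml_text)
    http = root if root.tag == "http" else root.find(".//http")
    if http is None:
        return ["no <http> element found"]

    def text(tag):
        el = http.find(tag)
        return el.text.strip() if el is not None and el.text else None

    problems = []
    if text("requestClientCertificate") != "true":
        problems.append("requestClientCertificate is missing or not 'true'")
    if text("clientCertificateMaxSize") != "4096":
        problems.append("clientCertificateMaxSize is missing or not 4096")
    if text("clientCAListFile") != CA_STORE:
        problems.append("clientCAListFile does not point at " + CA_STORE)
    return problems


def count_pem_certificates(pem_text):
    """Count well-formed PEM certificate blocks in the client CA store.
    If a second CA was written with '>' rather than '>>', only one remains."""
    return len(PEM_BLOCK.findall(pem_text))
```

Run check_http_config on the contents of /etc/vmware-rhttpproxy/config.xml after editing and count_pem_certificates on the CA store; the count should equal the number of CA certificates you copied in step 2.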