By default, vSphere Authentication Proxy accepts any host whose IP address is in its access control list. An IP address alone is a weak identifier, so for additional security you can activate client authentication. With client authentication activated, vSphere Authentication Proxy also verifies the certificate that the host presents, and a host is admitted only if its IP address is in the access control list and its certificate is trusted.

Prerequisites

  • Verify that the vCenter Server system trusts the host. By default, when you add a host to vCenter Server, the host is assigned a certificate that is signed by a vCenter Server trusted root CA. vSphere Authentication Proxy trusts vCenter Server trusted root CA.
  • If you plan on replacing ESXi certificates in your environment, perform the replacement before you activate vSphere Authentication Proxy. The certificate on the ESXi host must match the certificate recorded in the host's registration with vCenter Server; a host whose certificate was replaced without updating its registration fails client authentication.
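Before you activate client authentication, it is worth confirming that each host's current certificate actually chains to the vCenter Server trusted root CA, because that is what the proxy checks once the feature is on. The following POSIX shell script is an added example and is not part of the VMware documentation or a VMware tool. It assumes that openssl is on PATH, that the trusted root CA has been exported from vCenter Server into a PEM file, and that the ESXi host serves its certificate on TCP port 443; the file name vcenter-root.pem and the host name esxi01.example.test are placeholders. The make_test_certs helper builds a throwaway CA and two constructed host certificates so the checks can be exercised offline; the esxi02 certificate is deliberately not signed by the test CA, standing in for a host whose certificate was replaced outside vCenter Server.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation: a pre-check to run
# before "camconfig ssl-cliAuth -e". It confirms that an ESXi host's TLS
# certificate chains to the vCenter Server trusted root CA, which is what
# vSphere Authentication Proxy requires once client authentication is on.
# Assumptions: openssl is on PATH; the root CA was exported from vCenter
# Server into a PEM file; the host serves its certificate on TCP 443.

# Download the leaf certificate that a host presents on its management port.
# Usage: fetch_host_cert <esxi-host> <out.pem>
fetch_host_cert() {
    host="$1"
    out="$2"
    # s_client prints the whole presented chain; keep only the first block,
    # which is the host's own (leaf) certificate.
    openssl s_client -connect "${host}:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk '/BEGIN CERTIFICATE/ { n++ } n == 1 { print } /END CERTIFICATE/ { if (n == 1) exit }' \
        > "$out"
}

# Check that a host certificate chains to the trusted root CA bundle.
# Exit status 0 means the chain verifies, non-zero means it does not.
# Usage: verify_host_cert <ca-bundle.pem> <host.pem>
verify_host_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test data (not real vSphere certificates): a throwaway root CA,
# one host certificate signed by it, and one self-signed host certificate that
# stands in for a host whose certificate was replaced outside vCenter Server.
# Usage: make_test_certs <directory>
make_test_certs() {
    d="$1"
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test vCenter Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=esxi01.example.test" -keyout "$d/esxi01.key" -out "$d/esxi01.csr" 2>/dev/null
    openssl x509 -req -in "$d/esxi01.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/esxi01.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=esxi02.example.test" -keyout "$d/esxi02.key" -out "$d/esxi02.pem" 2>/dev/null
}

# Real-world use: sh check_host_cert.sh vcenter-root.pem esxi01.example.test
# (both names are placeholders). With no arguments, no host is contacted.
if [ "$#" -eq 2 ]; then
    tmpcert=$(mktemp)
    fetch_host_cert "$2" "$tmpcert"
    if verify_host_cert "$1" "$tmpcert"; then
        echo "OK: $2 chains to the trusted root CA; safe to run camconfig ssl-cliAuth -e"
        rc=0
    else
        echo "FAIL: $2 does not chain to the trusted root CA; fix the host certificate before activating client authentication"
        rc=1
    fi
    rm -f "$tmpcert"
    exit "$rc"
fi
```

If the host certificate is issued through an intermediate CA rather than directly by the root, pass the intermediate certificate to openssl verify with -untrusted so the full chain can be built; run the check against every host that is registered with the proxy, since a single host with a mismatched certificate is the one that will stop joining the domain once client authentication is on.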

Procedure

  1. Log in to the vCenter Server system as a user with administrator privileges.
  2. To switch from the appliance shell to the Bash shell, run the shell command.
  3. Go to the /usr/lib/vmware-vmcam/bin/ directory where the camconfig script is located.
  4. To activate client authentication, run the following command.
    camconfig ssl-cliAuth -e
    Going forward, vSphere Authentication Proxy checks the certificate of each host that is added.
  5. If you later want to deactivate client authentication again, run the following command.
    camconfig ssl-cliAuth -n