List of commands:
To find the PNID:
- /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
- "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
Which PSC is my VC pointing to:
- /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
- "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-ls-location --server-name localhost
Get the site name where my PSC/VC is:
- /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost
- "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-site-name --server-name localhost
SSO Domain name:
- /etc/vmware/install-defaults/vmdir.domain-name
- C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.domain-name
Certificate Manager Location:
- Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
- vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
Location for the cert store:
- /usr/lib/vmware-vmafd/bin --> includes vecs-cli, dir-cli, vmafd-cli
Hard copy of the certificate available in:
- /var/lib/vmware/vmca/root.cer
- ProgramData\VMware\CIS\data\vmca\root.cer
To get the copy of the MACHINE_SSL_CERT and the KEY used:
- /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.crt
- /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.key
Location for certificates that we most commonly use:
- STS certificate: /etc/vmware-sso/keys/ssoserver.crt
- VMDIRD certificate: /usr/lib/vmware-vmdir/share/config/vmdircert.pem
Location for the certs in JXplorer:
>>Trusted roots ====> Configuration --> Certificate authority
>>Lookup service ==> Configuration --> Sites --> "Site-name" --> Lookupservice --> Service Registrations
>>Solution users =====> Service Principals
>>STS certs --> Services --> Identity manager --> Tenants --> vsphere.local --> TenantCredential-1
To view the certificates using the openssl command:
- openssl x509 -in certificate.crt -noout -text | less
- openssl s_client -connect "Server FQDN":443
E.g., to get the machine SSL for vcsa1.gsslabs.org:
openssl s_client -connect ORLpD1PSC-VIP.catmktg.com:443
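The VECS export and the openssl checks above combined into one health check, as an added example that is not from the original page. It assumes the appliance paths listed here and a POSIX shell with openssl; the function names are hypothetical, and the key copy goes to a private temp directory that is deleted on exit rather than staying in /var/tmp.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # appliance path from the list above

# SHA-1 thumbprint of a PEM certificate file, e.g. "AB:CD:...".
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Succeeds if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Succeeds if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print the certificate served at host:port as PEM.
served_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509
}

# Export cert and key from VECS into a private temp dir (mode 0700, removed on
# exit) instead of /var/tmp, then compare against what <fqdn>:443 serves.
check_machine_ssl() (
    umask 077
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    for kind in cert key; do
        "$VECS_CLI" entry "get$kind" --store MACHINE_SSL_CERT \
            --alias __MACHINE_CERT --output "$dir/vecs.$kind" || exit 1
    done
    served_cert "$1:443" > "$dir/served.crt" || exit 1
    rc=0
    key_matches_cert "$dir/vecs.cert" "$dir/vecs.key" ||
        { echo "private key does not match certificate"; rc=1; }
    [ "$(cert_thumbprint "$dir/vecs.cert")" = "$(cert_thumbprint "$dir/served.crt")" ] ||
        { echo "thumbprint mismatch: VECS vs $1:443"; rc=1; }
    cert_valid_for_days "$dir/vecs.cert" 30 ||
        { echo "certificate expires within 30 days"; rc=1; }
    exit "$rc"
)

# Run only when a hostname is given, e.g.: sh check.sh "Server FQDN"
if [ "$#" -gt 0 ]; then check_machine_ssl "$1"; fi
```

A non-zero exit status means at least one of the three checks failed; the messages say which.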
Get the lstool output:
- /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk > /tmp/psc_services.txt
- "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url http://localhost:7080/lookupservice/sdk > c:\psc_services.txt
Different scenarios where lstool is used:
- To output only vCenter's service ID in a particular site:
--> /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://PSC.FQDN/lookupservice/sdk --site <site-name> --type vcenterserver --id-only
- To export the information as a spec file (text file):
--> /usr/lib/vmidentity/tools/scripts/lstool.py get --url https://PSC.FQDN/lookupservice/sdk --id "vCenter's service-id" --as-spec > /tmp/vcenterserver.txt
- How to edit the spec file and re-register it:
--> /usr/lib/vmidentity/tools/scripts/lstool.py reregister --url https://PSC.FQDN/lookupservice/sdk --id "vCenter's service-id" --spec /tmp/vcenterserver.txt --user administrator@vsphere.local --password "VMware!"
- Get the service ID associated with the NODE ID:
/usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --node "NODE ID of the PSC/VC" --id-only >/tmp/node.txt
To get the node ID:
/etc/vmware/install-defaults --> vmdir.ldu-guid
- Determining replication agreements and status with the Platform Services Controller 6.x
- Manually reviewing certificates in VMware Endpoint Certificate Store
- Updating SSL Trust Anchors (when there is a thumbprint mismatch)
- Removing expired certs from trusted roots:
- Feature walkthrough for cert replacement:
- Obtaining vSphere certificates from a Microsoft Certificate Authority and creating templates for SSL cert creation
- The steps for the certificate generation/replacement in the Load balancer environment:
- Generating the STS certificates:
- Replacing the vmdird certificates:
- Removing the Service ID:
- Using the cmsso command to unregister vCenter Server from Single Sign-On:
- Repoint vCenter Server 6.x between External PSC within a site