Tuesday, May 5, 2020

Handy Command and Articles to troubleshoot PSC and Certificate related query in vCenter


List of commands:

To find the PNID:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
  • "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
Which PSC is my VC pointing to:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
  • C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-ls-location --server-name localhost
Get the site name where my PSC/VC is:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost
  • C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-site-name  --server-name localhost
SSO Domain name:

  • /etc/vmware/install-defaults/vmdir.domain-name
  • C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.domain-name

Certificate Manager Location:

  • Windows vCenter Server:  C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  • vCenter Server Appliance:  /usr/lib/vmware-vmca/bin/certificate-manager

Location for the cert store:

  • /usr/lib/vmware-vmafd/bin à includes vecs-cli , dir-cli, vmafd-cli

Hard copy of the certificate available in:

  • /var/lib/vmware/vmca/root.cer
  • ProgramData\VMware\CIS\data\vmca\root.cer

To get the copy of the MACHINE_SSL_CERT and the KEY used :

  • /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.crt
  • /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.key
  •  
Location for certificates that we most commonly use :

  1. STS certificate : etc/vmware-sso/keys/ssoserver.crt
  2. VMDIRD certificate : /usr/lib/vmware-vmdir/share/config/vmdircert.pem

Location for the certs in jexlorer:

     >>Trusted roots ====>ConfigurationàCertificate authority
     >>Lookup service ==>ConfigurationàSitesà”Site-name”àLookupserviceàService Registrations
    >>Solution users =====>Service Principals
    >>STS certs -->Services-->Identity manager-->Tenants-->vsphere.local-->TenanatCredential-1

To view the certificates using openssl command:

  • openssl x509 -in certificate.crt -noout -text | less
  • openssl s_client -connect “Server FQDN”:443
Eg: To get the machine SSL for vcsa1.gsslabs.org:
      openssl s_client -connect ORLpD1PSC-VIP.catmktg.com:443


Get the lstool output:



Different scenarios lstool is used:
  • To output vCenter's service ID only in a particular site:

à/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://PSC.FQDN/lookupservice/sdk --site <site-name> --type vcenterserver --id-only


  • To export the inforation as spec file(text file):

         à/usr/lib/vmidentity/tools/scripts/lstool.py get --url https://PSC.FQDN/lookupservice/sdk --id      "vCenter's service-id" --as-spec > /tmp/vcenterserver.txt
  • How to edit the spec file and re-register back:

à/usr/lib/vmidentity/tools/scripts/lstool.py reregiter --url https://PSC.FQDN/lookupservice/sdk --id "vCenter's service-id --spec /tmp/vcenterserver.txt --user administrator@vsphere.local --password "VMware!"

  • Get the service ID associated with the NODE ID:
              /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --node "NODE ID of the PSC/VC" --id-only >/tmp/node.txt

     To get the node ID: /etc/vmware/install-defaults  -à vmdir.ldu-guid


  • Determining replication agreements and status with the Platform Services Controller 6.x 
                   https://kb.vmware.com/s/article/2127057

  • Manually reviewing certificates in VMware Endpoint Certificate Store


  • Updating SSL Trust Anchors (When there is a thumbprint mismatch )
                   https://kb.vmware.com/s/article/50112066

  • Removing expired certs from trusted roots:

  • Feature walkthrough for cert replacement:


  • Obtaining vSphere certificates from a Microsoft Certificate Authority and creating templates for SSL cert creation
                    https://kb.vmware.com/s/article/2112014
                    https://kb.vmware.com/s/article/2112009

  • The steps for the certificate generation/replacement in the Load balancer environment:


  • Generating the STS certificates:


  • Replacing the vmdird certificates :

  • Removing the Service ID :
                https://kb.vmware.com/s/article/2050273 

  • Using the cmsso command to unregister vCenter Server from Single Sign-On :


  • Repoint vCenter Server 6.x between External PSC within a site
                 https://kb.vmware.com/s/article/2113917

Unable to add vCenter to Usage Meter 3.6 after replacing the vCenter certificate

 Issue: Unable to add the vCenter endpoint to the usage meter due to certificate error Error: There was a problem checking the certificate v...